A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating ...
Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on a list of usernames with default passwords on the ...
This attack is based on the manipulation of parameter delimiters used by web application input vectors in order to cause unexpected behaviors like access ...
This attack consists of a technique to create objects without constructors’ methods by taking advantage of the clone() method of Java-based applications. If a ...
This attack aims to manipulate non-final public variables used in mobile code, by injecting malicious values into them, mostly in Java and C++ applications. When ...
This attack consists of manipulating mobile code in order to execute malicious operations at the client side. By intercepting client traffic using ...
The Manipulator-in-the-middle attack (MITM) intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP ...
The Man-in-the-Browser attack uses the same approach as the Manipulator-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate ...
Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature ...
LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly ...
HTTP response splitting occurs when: Data enters a web application through an untrusted source, most frequently an HTTP request. The data is included ...
A Function Injection attack consists of insertion or "injection" of a function name from client to the application. A successful function injection exploit can ...
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such ...
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could ...
Form action hijacking allows an attacker to specify the action URL of a form via a parameter. An attacker can construct a URL that will modify the action URL of ...
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible. An ...
Execution After Redirect (EAR) is an attack where an attacker ignores redirects and retrieves sensitive content intended for authenticated users. A successful ...
The Embedding NULL Bytes/characters technique exploits applications that don’t properly handle postfix NULL terminators. This technique can be used to perform ...
This attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass ...
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways ...