Security Encyclopedia

A complete reference guide for 50 common security vulnerabilities, including detailed explanations and manual remediation code.

1. Transport Layer Security

1. HSTS Missing

Explanation: The server accepts HTTP connections, allowing SSL Stripping attacks.

Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

2. Weak SSL/TLS Ciphers

Explanation: Support for deprecated protocol versions (TLS 1.0/1.1) or weak cipher suites.

Nginx: ssl_protocols TLSv1.2 TLSv1.3;

3. Mixed Content

Explanation: HTTPS page loads scripts/images over HTTP.

HTML: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

4. SSL Compression Enabled

Explanation: TLS-level compression makes HTTPS vulnerable to the CRIME attack; compressing HTTP responses that mix secrets with attacker-influenced input enables the related BREACH attack.

Nginx: gzip off; (and ensure TLS compression is disabled in OpenSSL; OpenSSL 1.1.0 and later disable it by default)

5. OCSP Stapling Disabled

Explanation: Without stapling, each client must query the CA's OCSP responder itself, which slows the TLS handshake and tells the CA which sites the user is visiting.

Nginx: ssl_stapling on; ssl_stapling_verify on;

2. Security Headers

6. Missing X-Frame-Options

Explanation: Vulnerable to Clickjacking (UI Redressing).

Header: X-Frame-Options: SAMEORIGIN

7. Missing CSP

Explanation: Allows loading malicious scripts (XSS).

Header: Content-Security-Policy: default-src 'self';

8. Missing X-Content-Type-Options

Explanation: Browser may sniff MIME type and execute text as JS.

Header: X-Content-Type-Options: nosniff

9. Weak Referrer Policy

Explanation: Leaks full URL paths to external sites.

Header: Referrer-Policy: strict-origin-when-cross-origin

10. Missing Permissions-Policy

Explanation: Allows unrestricted access to Camera/Mic/Geo.

Header: Permissions-Policy: geolocation=(), camera=()

3. Cookies & Sessions

11. Cookie without HttpOnly

Explanation: Accessible via JavaScript, vulnerable to XSS theft.

Set-Cookie: session_id=xyz; HttpOnly

12. Cookie without Secure Flag

Explanation: Cookie sent over plain HTTP.

Set-Cookie: session_id=xyz; Secure

13. Cookie without SameSite

Explanation: Vulnerable to CSRF attacks.

Set-Cookie: session_id=xyz; SameSite=Strict

14. Session Fixation

Explanation: The session ID is not rotated after login, so an ID that existed before authentication remains valid for the authenticated session.

Node: req.session.regenerate(function(err) { ... })

15. Missing Session Timeout

Explanation: Sessions remain valid indefinitely.

Set-Cookie: ...; Max-Age=3600

4. Information Leakage

16. Server Banner Disclosure

Explanation: Response header `Server: Apache/2.4.1` reveals version.

Nginx: server_tokens off;

17. X-Powered-By Header

Explanation: Reveals tech stack (e.g., Express, PHP).

Node: app.disable('x-powered-by');

18. Stack Trace Exposure

Explanation: Detailed error messages in production leak file paths.

Node: process.env.NODE_ENV = 'production'; (normally set in the environment before the process starts rather than in code, e.g. `NODE_ENV=production node app.js`)

19. .git Directory Exposure

Explanation: Allows downloading entire source code history.

Nginx: location ~ /\.git { deny all; }

20. .env File Exposure

Explanation: Leaks API keys and database credentials.

Nginx: location ~ /\.env { deny all; }

5. Injection Flaws

21. SQL Injection

Explanation: User input concatenated into SQL queries.

Fix: Use Prepared Statements / Parameterized Queries.

22. Reflected XSS

Explanation: Input from URL reflected in HTML.

Fix: Escape HTML entities (e.g., < to &lt;) before rendering.

23. Stored XSS

Explanation: Malicious script saved to DB and shown to others.

Fix: Use a sanitization library (e.g., DOMPurify) on output.

24. Command Injection

Explanation: User input passed to system shell (e.g., exec(), system()).

Fix: Use execFile() or spawn() with non-shell execution.

25. NoSQL Injection

Explanation: Attacker-controlled JSON objects passed straight into MongoDB query filters (e.g., `{"$ne": null}` in place of a string), where the object is interpreted as a query operator.

Fix: Sanitize inputs to ensure they are strings, not objects.

6. Authentication

26. Weak Password Policy

Explanation: Allowing short/simple passwords.

Fix: Enforce complexity (min 10 chars, mixed case, numbers).

27. Default Credentials

Explanation: Using admin/admin for services (Tomcat, Jenkins).

Fix: Change all default passwords immediately.

28. Missing Rate Limiting

Explanation: Allows brute-force attacks on login.

Node: app.use(rateLimit({ windowMs: 15*60*1000, max: 100 }));

29. User Enumeration

Explanation: "User not found" vs "Incorrect password" reveals valid emails.

Fix: Always return generic message: "Invalid email or password".

30. JWT None Algorithm

Explanation: JWT libraries may accept tokens whose header declares "alg": "none", i.e. tokens carrying no signature at all.

Fix: Pin the expected algorithm (HS256 or RS256) in the verify call and reject any token whose header declares a different one.

7. Access Control

31. IDOR (Insecure Direct Object Reference)

Explanation: Accessing /users/100 without verifying ownership.

Fix: Check `if (resource.owner_id === current_user.id)`.

32. CORS Wildcard Origin (*)

Explanation: Allows any site to read your API data.

Fix: Specify allowed domains (e.g., `https://trusted.com`).

33. CSRF (Cross-Site Request Forgery)

Explanation: Attacker forces user to perform action (e.g., transfer money).

Fix: Use Anti-CSRF tokens or SameSite=Strict cookies.

34. Open Redirect

Explanation: Redirecting to `?url=evil.com` for phishing.

Fix: Validate redirect URL against an allowlist.

35. Directory Traversal

Explanation: Accessing `../../etc/passwd` via file inputs.

Fix: Use `path.basename()` to strip directory paths.

8. Server Hardening

36. SSRF (Server-Side Request Forgery)

Explanation: Server fetches internal resources (e.g., AWS Metadata) via user URL.

Fix: Disable HTTP redirects and block private IP ranges.

37. XML External Entities (XXE)

Explanation: XML parser reads local files via entities.

Fix: Disable DTD processing in your XML parser config.

38. Unrestricted File Upload

Explanation: Uploading `.php` shell files.

Fix: Validate MIME type, rename file, store outside webroot.

39. Insecure Deserialization

Explanation: Malicious object state triggers RCE.

Fix: Use safe formats like JSON instead of serialization.

40. Debug Mode Enabled

Explanation: Django/Laravel debug pages leak environment vars.

Fix: Set `DEBUG=False` in production.

9. Business Logic

41. Mass Assignment

Explanation: Sending `{"role":"admin"}` in a registration or profile-update request and having it bound straight onto the model.

Fix: Whitelist allowed fields in your controller.

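
Added example (not code from the original page) covering this entry and entry 25 (NoSQL Injection) with one validation step: only allowlisted fields are copied from the request body, privileged fields such as role are set server-side, and every copied value must be a primitive string so a JSON object like `{"$ne": null}` never reaches a MongoDB filter as an operator. The field names and length limit are assumptions for illustration.

```javascript
const LOGIN_FIELDS = ['username', 'password'];
const REGISTRATION_FIELDS = ['username', 'email', 'displayName'];

// Copy only the allowed fields, and only when they are plain strings.
// Throws on anything else so the request is rejected rather than reshaped.
function pickStringFields(body, allowed) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('request body must be a JSON object');
  }
  const out = {};
  for (const field of allowed) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    const value = body[field];
    // Objects and arrays are refused here: this is what stops {"$ne": null}.
    if (typeof value !== 'string') throw new TypeError(`field "${field}" must be a string`);
    if (value.length === 0 || value.length > 256) throw new RangeError(`field "${field}" has invalid length`);
    out[field] = value;
  }
  return out;
}

// Login: the lookup filter contains only the username (guaranteed a string);
// the password is returned separately for hash comparison after the lookup.
function parseLogin(body) {
  const { username, password } = pickStringFields(body, LOGIN_FIELDS);
  if (username === undefined || password === undefined) {
    throw new TypeError('username and password are required');
  }
  return { filter: { username }, password };
}

// Registration: the role is decided by the server, never by the client.
function buildNewUser(body) {
  return { ...pickStringFields(body, REGISTRATION_FIELDS), role: 'user' };
}
```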
42. Race Condition

Explanation: Exploiting timing to redeem a coupon twice.

Fix: Use database transactions with locking.

43. Excessive Data Exposure

Explanation: API returns full object including private data.

Fix: Return specific DTOs, not raw DB models.

44. Price Manipulation

Explanation: Changing price in hidden form field.

Fix: Recalculate price on server side.

45. 2FA Bypass

Explanation: Accessing protected pages directly without 2FA check.

Fix: Verify 2FA session token on every request.

10. Client Side

46. DOM Clobbering

Explanation: Overwriting global variables via HTML IDs.

Fix: Sanitize HTML IDs and avoid global var usage.

47. Prototype Pollution

Explanation: Merging objects recursively allows modifying Object.prototype.

Fix: Freeze prototype or use Map instead of Object.

48. Reverse Tabnabbing

Explanation: External links can hijack the parent tab via `window.opener`.

HTML: rel="noopener noreferrer"

49. CSS Injection

Explanation: Stealing data via background images in injected CSS.

Fix: Sanitize user input even inside <style> tags.

50. Missing Subresource Integrity (SRI)

Explanation: CDN compromise can inject malware into your site.

HTML: integrity="sha384-..." crossorigin="anonymous"