| ID | Name | Status | Risk | Type |
|---|---|---|---|---|
| 0 | Directory Browsing | release | Medium | Active |
| 2 | Private IP Disclosure | release | Low | Passive |
| 3-1 | Session ID in URL Rewrite | release | Medium | Passive |
| 3-2 | Session ID in URL Rewrite | release | Medium | Passive |
| 3-3 | Referer Exposes Session ID | release | Medium | Passive |
| 6-1 | Path Traversal | release | High | Active |
| 6-2 | Path Traversal | release | High | Active |
| 6-3 | Path Traversal | release | High | Active |
| 6-4 | Path Traversal | release | High | Active |
| 6-5 | Path Traversal | release | High | Active |
| 7 | Remote File Inclusion | release | High | Active |
| 10003 | Vulnerable JS Library | release | Medium | Passive |
| 10009 | In Page Banner Information Leak | release | Low | Passive |
| 10010 | Cookie No HttpOnly Flag | release | Low | Passive |
| 10011 | Cookie Without Secure Flag | release | Low | Passive |
| 10017 | Cross-Domain JavaScript Source File Inclusion | release | Low | Passive |
| 10019-1 | Content-Type Header Missing | release | Informational | Passive |
| 10019-2 | Content-Type Header Empty | release | Informational | Passive |
| 10020-1 | Missing Anti-clickjacking Header | release | Medium | Passive |
| 10020-2 | Multiple X-Frame-Options Header Entries | release | Medium | Passive |
| 10020-3 | X-Frame-Options Defined via META (Non-compliant with Spec) | release | Medium | Passive |
| 10020-4 | X-Frame-Options Setting Malformed | release | Medium | Passive |
| 10021 | X-Content-Type-Options Header Missing | release | Low | Passive |
| 10024 | Information Disclosure - Sensitive Information in URL | release | Informational | Passive |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | release | Informational | Passive |
| 10026 | HTTP Parameter Override | beta | Medium | Passive |
| 10028 | Off-site Redirect | release | High | Passive |
| 10029 | Cookie Poisoning | release | Informational | Passive |
| 10033 | Directory Browsing | release | Medium | Passive |
| 10035-1 | Strict-Transport-Security Header Not Set | release | Low | Passive |
| 10035-2 | Strict-Transport-Security Disabled | release | Low | Passive |
| 10035-3 | Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec) | release | Low | Passive |
| 10035-4 | Strict-Transport-Security Header on Plain HTTP Response | release | Informational | Passive |
| 10035-5 | Strict-Transport-Security Missing Max-Age (Non-compliant with Spec) | release | Low | Passive |
| 10035-6 | Strict-Transport-Security Defined via META (Non-compliant with Spec) | release | Low | Passive |
| 10035-7 | Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) | release | Low | Passive |
| 10035-8 | Strict-Transport-Security Malformed Content (Non-compliant with Spec) | release | Low | Passive |
| 10036-1 | Server Leaks its Webserver Application via "Server" HTTP Response Header Field | release | Informational | Passive |
| 10036-2 | Server Leaks Version Information via "Server" HTTP Response Header Field | release | Low | Passive |
| 10037 | Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | release | Low | Passive |
| 10038-1 | Content Security Policy (CSP) Header Not Set | release | Medium | Passive |
| 10038-2 | Obsolete Content Security Policy (CSP) Header Found | release | Informational | Passive |
| 10038-3 | Content Security Policy (CSP) Report-Only Header Found | release | Informational | Passive |
| 10040 | Secure Pages Include Mixed Content | release | Low | Passive |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | release | Medium | Passive |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | release | Medium | Passive |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | release | Medium | Passive |
| 10054-1 | Cookie without SameSite Attribute | release | Low | Passive |
| 10054-2 | Cookie with SameSite Attribute None | release | Low | Passive |
| 10054-3 | Cookie with Invalid SameSite Attribute | release | Low | Passive |
| 10055-1 | CSP: X-Content-Security-Policy | release | Low | Passive |
| 10055-2 | CSP: X-WebKit-CSP | release | Low | Passive |
| 10055-3 | CSP: Notices | release | Low | Passive |
| 10055-4 | CSP: Wildcard Directive | release | Medium | Passive |
| 10055-5 | CSP: script-src unsafe-inline | release | Medium | Passive |
| 10055-6 | CSP: style-src unsafe-inline | release | Medium | Passive |
| 10055-7 | CSP: script-src unsafe-hashes | release | Medium | Passive |
| 10055-8 | CSP: style-src unsafe-hashes | release | Medium | Passive |
| 10055-9 | CSP: Malformed Policy (Non-ASCII) | release | Medium | Passive |
| 10055-10 | CSP: script-src unsafe-eval | release | Medium | Passive |
| 10055-11 | CSP: Meta Policy Invalid Directive | release | Medium | Passive |
| 10055-12 | CSP: Header & Meta | release | Informational | Passive |
| 10055-13 | CSP: Failure to Define Directive with No Fallback | release | Medium | Passive |
| 10056 | X-Debug-Token Information Leak | release | Low | Passive |
| 10058 | GET for POST | release | Informational | Active |
| 10062 | PII Disclosure | release | High | Passive |
| 10063-1 | Permissions Policy Header Not Set | beta | Low | Passive |
| 10063-2 | Deprecated Feature Policy Header Set | beta | Low | Passive |
| 10098 | Cross-Domain Misconfiguration | release | Medium | Passive |
| 10099 | Source Code Disclosure - PHP | beta | Medium | Passive |
| 10103 | Image Exposes Location or Privacy Data | beta | Informational | Passive |
| 10105-1 | Authentication Credentials Captured | release | Medium | Passive |
| 10105-2 | Weak Authentication Method | release | Medium | Passive |
| 10108 | Reverse Tabnabbing | release | Medium | Passive |
| 10109 | Modern Web Application | release | Informational | Passive |
| 10115-1 | Script Served From Malicious Domain (polyfill) | release | High | Passive |
| 10115-2 | Script Served From Malicious Domain (polyfill) | release | High | Passive |
| 10202 | Absence of Anti-CSRF Tokens | release | Medium | Passive |
| 10205-1 | HTTPS Configuration | alpha | Informational | Active |
| 10205-2 | HTTPS Security Configuration Issues | alpha | High | Active |
| 20012 | Anti-CSRF Tokens Check | beta | Medium | Active |
| 20019-1 | External Redirect | release | High | Active |
| 20019-2 | External Redirect | release | High | Active |
| 20019-3 | External Redirect | release | High | Active |
| 20019-4 | External Redirect | release | High | Active |
| 40009 | Server Side Include | release | High | Active |
| 40012 | Cross Site Scripting (Reflected) | release | High | Active |
| 40014-1 | Cross Site Scripting (Persistent) | release | High | Active |
| 40014-2 | Cross Site Scripting Weakness (Persistent in JSON Response) | release | Low | Active |
| 40014-3 | Cross Site Scripting (Persistent) | release | High | Active |
| 40016 | Cross Site Scripting (Persistent) - Prime | release | Informational | Active |
| 40017 | Cross Site Scripting (Persistent) - Spider | release | Informational | Active |
| 40018 | SQL Injection | release | High | Active |
| 40019 | SQL Injection - MySQL (Time Based) | release | High | Active |
| 40020 | SQL Injection - Hypersonic SQL (Time Based) | release | High | Active |
| 40021 | SQL Injection - Oracle (Time Based) | release | High | Active |
| 40022 | SQL Injection - PostgreSQL (Time Based) | release | High | Active |
| 40026 | Cross Site Scripting (DOM Based) | release | High | Active |
| 40027 | SQL Injection - MsSQL (Time Based) | release | High | Active |
| 40040-1 | CORS Header | beta | Informational | Active |
| 40040-2 | CORS Misconfiguration | beta | Medium | Active |
| 40040-3 | CORS Misconfiguration | beta | High | Active |
| 40044 | Exponential Entity Expansion (Billion Laughs Attack) | release | Medium | Active |
| 40048 | Remote Code Execution (React2Shell) | release | High | Active |
| 90001 | Insecure JSF ViewState | release | Medium | Passive |
| 90003 | Sub Resource Integrity Attribute Missing | release | Medium | Passive |
| 90004-1 | Cross-Origin-Resource-Policy Header Missing or Invalid | beta | Low | Passive |
| 90004-2 | Cross-Origin-Embedder-Policy Header Missing or Invalid | beta | Low | Passive |
| 90004-3 | Cross-Origin-Opener-Policy Header Missing or Invalid | beta | Low | Passive |
| 90011-1 | Charset Mismatch (Header Versus Meta Content-Type Charset) | release | Informational | Passive |
| 90011-2 | Charset Mismatch (Header Versus Meta Charset) | release | Informational | Passive |
| 90011-3 | Charset Mismatch (Meta Charset Versus Meta Content-Type Charset) | release | Informational | Passive |
| 90011-4 | Charset Mismatch | release | Informational | Passive |
| 90017 | XSLT Injection | release | Medium | Active |
| 90019-1 | Server Side Code Injection - PHP Code Injection | release | High | Active |
| 90019-2 | Server Side Code Injection - ASP Code Injection | release | High | Active |
| 90020 | Remote OS Command Injection | release | High | Active |
| 90021 | XPath Injection | release | High | Active |
| 90022 | Application Error Disclosure | release | Medium | Passive |
| 90023 | XML External Entity Attack | release | High | Active |
| 90025 | Expression Language Injection | beta | High | Active |
| 90026 | SOAP Action Spoofing | beta | High | Active |
| 90029 | SOAP XML Injection | beta | High | Active |
| 90030 | WSDL File Detection | beta |  | Passive |
| 90033 | Loosely Scoped Cookie | release | Informational | Passive |
| 90035 | Server Side Template Injection | release | High | Active |
| 90037 | Remote OS Command Injection (Time Based) | release | High | Active |
| 110009 | Full Path Disclosure | alpha | Low | Passive |