| ID | Name | Status | Risk | Type |
|---|---|---|---|---|
| 0 | Directory Browsing | release | Medium | Active |
| 2 | Private IP Disclosure | release | Low | Passive |
| 3 | Session ID in URL Rewrite | release | | Passive |
| 3-1 | Session ID in URL Rewrite | release | Medium | Passive |
| 3-2 | Session ID in URL Rewrite | release | Medium | Passive |
| 3-3 | Referer Exposes Session ID | release | Medium | Passive |
| 6 | Path Traversal | release | | Active |
| 6-1 | Path Traversal | release | High | Active |
| 6-2 | Path Traversal | release | High | Active |
| 6-3 | Path Traversal | release | High | Active |
| 6-4 | Path Traversal | release | High | Active |
| 6-5 | Path Traversal | release | High | Active |
| 7 | Remote File Inclusion | release | High | Active |
| 41 | Source Code Disclosure - Git | beta | High | Active |
| 42 | Source Code Disclosure - SVN | beta | Medium | Active |
| 43 | Source Code Disclosure - File Inclusion | beta | High | Active |
| 10003 | Vulnerable JS Library | release | Medium | Passive |
| 10009 | In Page Banner Information Leak | beta | Low | Passive |
| 10010 | Cookie No HttpOnly Flag | release | Low | Passive |
| 10011 | Cookie Without Secure Flag | release | Low | Passive |
| 10015 | Re-examine Cache-control Directives | release | Informational | Passive |
| 10016 | Web Browser XSS Protection Not Enabled | deprecated | | Passive |
| 10017 | Cross-Domain JavaScript Source File Inclusion | release | Low | Passive |
| 10019 | Content-Type Header Missing | release | Informational | Passive |
| 10020 | Anti-clickjacking Header | release | | Passive |
| 10020-1 | Missing Anti-clickjacking Header | release | Medium | Passive |
| 10020-2 | Multiple X-Frame-Options Header Entries | release | Medium | Passive |
| 10020-3 | X-Frame-Options Defined via META (Non-compliant with Spec) | release | Medium | Passive |
| 10020-4 | X-Frame-Options Setting Malformed | release | Medium | Passive |
| 10021 | X-Content-Type-Options Header Missing | release | Low | Passive |
| 10023 | Information Disclosure - Debug Error Messages | release | Low | Passive |
| 10024 | Information Disclosure - Sensitive Information in URL | release | Informational | Passive |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | release | Informational | Passive |
| 10026 | HTTP Parameter Override | beta | Medium | Passive |
| 10027 | Information Disclosure - Suspicious Comments | release | Informational | Passive |
| 10028 | Open Redirect | release | | Passive |
| 10029 | Cookie Poisoning | release | | Passive |
| 10030 | User Controllable Charset | release | | Passive |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | release | | Passive |
| 10032 | Viewstate | release | | Passive |
| 10032-1 | Potential IP Addresses Found in the Viewstate | release | Medium | Passive |
| 10032-2 | Emails Found in the Viewstate | release | Medium | Passive |
| 10032-3 | Old Asp.Net Version in Use | release | Low | Passive |
| 10032-4 | Viewstate without MAC Signature (Unsure) | release | High | Passive |
| 10032-5 | Viewstate without MAC Signature (Sure) | release | High | Passive |
| 10032-6 | Split Viewstate in Use | release | Informational | Passive |
| 10033 | Directory Browsing | release | Medium | Passive |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | release | | Passive |
| 10035 | Strict-Transport-Security Header | release | | Passive |
| 10036 | HTTP Server Response Header | release | | Passive |
| 10036-1 | Server Leaks its Webserver Application via 'Server' HTTP Response Header Field | release | Informational | Passive |
| 10036-2 | Server Leaks Version Information via 'Server' HTTP Response Header Field | release | Low | Passive |
| 10037 | Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | release | Low | Passive |
| 10038 | Content Security Policy (CSP) Header Not Set | release | | Passive |
| 10038-1 | Content Security Policy (CSP) Header Not Set | release | Medium | Passive |
| 10038-2 | Obsolete Content Security Policy (CSP) Header Found | release | Informational | Passive |
| 10038-3 | Content Security Policy (CSP) Report-Only Header Found | release | Informational | Passive |
| 10039 | X-Backend-Server Header Information Leak | release | | Passive |
| 10040 | Secure Pages Include Mixed Content | release | | Passive |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | release | | Passive |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | release | | Passive |
| 10043 | User Controllable JavaScript Event (XSS) | release | | Passive |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | release | | Passive |
| 10045 | Source Code Disclosure - /WEB-INF folder | release | High | Active |
| 10046 | Insecure Component | deprecated | | Passive |
| 10047 | HTTPS Content Available via HTTP | beta | Low | Active |
| 10048 | Remote Code Execution - Shell Shock | beta | High | Active |
| 10049 | Content Cacheability | beta | | Passive |
| 10049-1 | Non-Storable Content | beta | Informational | Passive |
| 10049-2 | Storable but Non-Cacheable Content | beta | Informational | Passive |
| 10049-3 | Storable and Cacheable Content | beta | Informational | Passive |
| 10050 | Retrieved from Cache | release | | Passive |
| 10051 | Relative Path Confusion | beta | Medium | Active |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | release | | Passive |
| 10053 | Apache Range Header DoS (CVE-2011-3192) | deprecated | Medium | Active |
| 10054 | Cookie without SameSite Attribute | release | Low | Passive |
| 10055 | CSP | release | | Passive |
| 10055-1 | CSP: X-Content-Security-Policy | release | Low | Passive |
| 10055-2 | CSP: X-WebKit-CSP | release | Low | Passive |
| 10055-3 | CSP: Notices | release | Low | Passive |
| 10055-4 | CSP: Wildcard Directive | release | Medium | Passive |
| 10055-5 | CSP: script-src unsafe-inline | release | Medium | Passive |
| 10055-6 | CSP: style-src unsafe-inline | release | Medium | Passive |
| 10055-7 | CSP: script-src unsafe-hashes | release | Medium | Passive |
| 10055-8 | CSP: style-src unsafe-hashes | release | Medium | Passive |
| 10055-9 | CSP: Malformed Policy (Non-ASCII) | release | Medium | Passive |
| 10055-10 | CSP: script-src unsafe-eval | release | Medium | Passive |
| 10055-11 | CSP: Meta Policy Invalid Directive | release | Medium | Passive |
| 10055-12 | CSP: Header & Meta | release | Informational | Passive |
| 10056 | X-Debug-Token Information Leak | release | Low | Passive |
| 10057 | Username Hash Found | release | Informational | Passive |
| 10058 | GET for POST | release | Informational | Active |
| 10061 | X-AspNet-Version Response Header | release | Low | Passive |
| 10062 | PII Disclosure | release | High | Passive |
| 10063 | Permissions Policy Header Not Set | beta | | Passive |
| 10063-1 | Permissions Policy Header Not Set | beta | Low | Passive |
| 10063-2 | Deprecated Feature Policy Header Set | beta | Low | Passive |
| 10070 | Use of SAML | alpha | | Passive |
| 10094 | Base64 Disclosure | alpha | | Passive |
| 10094-1 | ASP.NET ViewState Disclosure | alpha | Informational | Passive |
| 10094-2 | ASP.NET ViewState Integrity | alpha | High | Passive |
| 10094-3 | Base64 Disclosure | alpha | Informational | Passive |
| 10095 | Backup File Disclosure | beta | Medium | Active |
| 10096 | Timestamp Disclosure | release | Low | Passive |
| 10097 | Hash Disclosure | release | | Passive |
| 10098 | Cross-Domain Misconfiguration | release | Medium | Passive |
| 10099 | Source Code Disclosure - PHP | alpha | Medium | Passive |
| 10103 | Image Exposes Location or Privacy Data | beta | Informational | Passive |
| 10104 | User Agent Fuzzer | release | Informational | Active |
| 10105 | Weak Authentication Method | release | | Passive |
| 10106 | HTTP Only Site | beta | Medium | Active |
| 10107 | Httpoxy - Proxy Header Misuse | beta | High | Active |
| 10108 | Reverse Tabnabbing | release | | Passive |
| 10109 | Modern Web Application | release | | Passive |
| 10110 | Dangerous JS Functions | beta | Low | Passive |
| 10111 | Authentication Request Identified | beta | Informational | Passive |
| 10112 | Session Management Response Identified | beta | Informational | Passive |
| 10113 | Verification Request Identified | beta | Informational | Passive |
| 10202 | Absence of Anti-CSRF Tokens | release | | Passive |
| 20012 | Anti-CSRF Tokens Check | beta | Medium | Active |
| 20014 | HTTP Parameter Pollution | beta | Informational | Active |
| 20015 | Heartbleed OpenSSL Vulnerability | release | High | Active |
| 20016 | Cross-Domain Misconfiguration | beta | High | Active |
| 20017 | Source Code Disclosure - CVE-2012-1823 | release | High | Active |
| 20018 | Remote Code Execution - CVE-2012-1823 | release | High | Active |
| 20019 | External Redirect | release | | Active |
| 20019-1 | External Redirect | release | High | Active |
| 20019-2 | External Redirect | release | High | Active |
| 20019-3 | External Redirect | release | High | Active |
| 20019-4 | External Redirect | release | High | Active |
| 30001 | Buffer Overflow | release | Medium | Active |
| 30002 | Format String Error | release | Medium | Active |
| 30003 | Integer Overflow Error | beta | Medium | Active |
| 40003 | CRLF Injection | release | Medium | Active |
| 40008 | Parameter Tampering | release | Medium | Active |
| 40009 | Server Side Include | release | High | Active |
| 40012 | Cross Site Scripting (Reflected) | release | High | Active |
| 40013 | Session Fixation | beta | High | Active |
| 40014 | Cross Site Scripting (Persistent) | release | High | Active |
| 40015 | LDAP Injection | alpha | High | Active |
| 40016 | Cross Site Scripting (Persistent) - Prime | release | Informational | Active |
| 40017 | Cross Site Scripting (Persistent) - Spider | release | Informational | Active |
| 40018 | SQL Injection | release | High | Active |
| 40019 | SQL Injection - MySQL | release | High | Active |
| 40020 | SQL Injection - Hypersonic SQL | release | High | Active |
| 40021 | SQL Injection - Oracle | release | High | Active |
| 40022 | SQL Injection - PostgreSQL | release | High | Active |
| 40023 | Possible Username Enumeration | beta | Informational | Active |
| 40024 | SQL Injection - SQLite | release | High | Active |
| 40025 | Proxy Disclosure | beta | Medium | Active |
| 40026 | Cross Site Scripting (DOM Based) | release | High | Active |
| 40027 | SQL Injection - MsSQL | release | High | Active |
| 40028 | ELMAH Information Leak | release | Medium | Active |
| 40029 | Trace.axd Information Leak | release | Medium | Active |
| 40031 | Out of Band XSS | beta | High | Active |
| 40032 | .htaccess Information Leak | release | Medium | Active |
| 40033 | NoSQL Injection - MongoDB | alpha | High | Active |
| 40034 | .env Information Leak | release | Medium | Active |
| 40035 | Hidden File Found | release | Medium | Active |
| 40036 | JWT Scan Rule | alpha | Medium | Active |
| 40038 | Bypassing 403 | beta | Medium | Active |
| 40039 | Web Cache Deception | alpha | Medium | Active |
| 40040 | CORS Header | beta | | Active |
| 40040-1 | CORS Header | beta | Informational | Active |
| 40040-2 | CORS Misconfiguration | beta | Medium | Active |
| 40040-3 | CORS Misconfiguration | beta | High | Active |
| 40041 | File Upload | alpha | Medium | Active |
| 40042 | Spring Actuator Information Leak | beta | Medium | Active |
| 40043 | Log4Shell | beta | | Active |
| 40043-1 | Log4Shell (CVE-2021-44228) | beta | High | Active |
| 40043-2 | Log4Shell (CVE-2021-45046) | beta | High | Active |
| 40044 | Exponential Entity Expansion (Billion Laughs Attack) | beta | Medium | Active |
| 40045 | Spring4Shell | beta | High | Active |
| 40046 | Server Side Request Forgery | alpha | High | Active |
| 40047 | Text4shell (CVE-2022-42889) | alpha | High | Active |
| 90001 | Insecure JSF ViewState | release | Medium | Passive |
| 90002 | Java Serialization Object | beta | Medium | Passive |
| 90003 | Sub Resource Integrity Attribute Missing | beta | Medium | Passive |
| 90004 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | | Passive |
| 90004-1 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive |
| 90004-2 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive |
| 90004-3 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive |
| 90011 | Charset Mismatch | release | Informational | Passive |
| 90017 | XSLT Injection | release | Medium | Active |
| 90018 | Advanced SQL Injection | beta | High | Active |
| 90019 | Server Side Code Injection | release | | Active |
| 90019-1 | Server Side Code Injection - PHP Code Injection | release | High | Active |
| 90019-2 | Server Side Code Injection - ASP Code Injection | release | High | Active |
| 90020 | Remote OS Command Injection | release | High | Active |
| 90021 | XPath Injection | beta | High | Active |
| 90022 | Application Error Disclosure | release | Medium | Passive |
| 90023 | XML External Entity Attack | release | High | Active |
| 90024 | Generic Padding Oracle | release | High | Active |
| 90025 | Expression Language Injection | beta | High | Active |
| 90026 | SOAP Action Spoofing | beta | High | Active |
| 90027 | Cookie Slack Detector | beta | Informational | Active |
| 90028 | Insecure HTTP Method | beta | Medium | Active |
| 90029 | SOAP XML Injection | beta | High | Active |
| 90030 | WSDL File Detection | beta | | Passive |
| 90033 | Loosely Scoped Cookie | release | Informational | Passive |
| 90034 | Cloud Metadata Potentially Exposed | release | High | Active |
| 90035 | Server Side Template Injection | beta | High | Active |
| 90036 | Server Side Template Injection (Blind) | beta | High | Active |
| 110001 | Application Error Disclosure via WebSockets | release | Medium | WebSocket Passive |
| 110002 | Base64 Disclosure in WebSocket message | release | Informational | WebSocket Passive |
| 110003 | Information Disclosure - Debug Error Messages via WebSocket | release | Low | WebSocket Passive |
| 110004 | Email address found in WebSocket message | release | Informational | WebSocket Passive |
| 110005 | Personally Identifiable Information via WebSocket | release | High | WebSocket Passive |
| 110006 | Private IP Disclosure via WebSocket | release | Low | WebSocket Passive |
| 110007 | Username Hash Found in WebSocket message | release | Informational | WebSocket Passive |
| 110008 | Information Disclosure - Suspicious Comments in XML via WebSocket | release | Informational | WebSocket Passive |