36 essential penetration testing and web security terms explained in plain language, with links to generators and cheat sheets.
API abuse encompasses attacks that exploit API design flaws, including mass assignment (modifying fields the client shouldn't control), broken object-level authorization (accessing other users' objects via ID manipulation), excessive data exposure (APIs returning more data than the client needs), and lack of rate limiting. The OWASP API Security Top 10 specifically addresses these patterns.
Broken access control occurs when an application fails to enforce authorization policies, allowing users to act outside their intended permissions. This includes accessing other users' data via IDOR, bypassing role-based checks, manipulating JWT claims, or accessing admin endpoints without proper authorization. It is the #1 vulnerability in the OWASP Top 10 (2021).
CORS is a browser security mechanism that controls which external domains can access resources on a web server. A CORS misconfiguration occurs when the server improperly reflects the Origin header or allows credentials from arbitrary domains, enabling attackers to steal sensitive data via a victim's browser. Testing involves checking whether the server blindly reflects origins or allows null origins with credentials.
Command injection occurs when an application passes unsanitized user input to a system shell. Attackers can append OS commands using separators like semicolons, pipes, or backticks to execute arbitrary code on the server. It is one of the most critical vulnerabilities because it often leads to full system compromise.
CRLF injection exploits the carriage return (\r) and line feed (\n) characters to inject arbitrary HTTP headers or split HTTP responses. Attackers can use it to set malicious cookies, perform XSS via injected headers, or poison web caches. It targets applications that include user input in HTTP response headers without proper sanitization.
CSRF is an attack that tricks an authenticated user into performing unintended actions on a web application. The attacker crafts a malicious page that submits requests to the target site using the victim's session cookies. Defenses include anti-CSRF tokens, SameSite cookie attributes, and requiring re-authentication for sensitive actions.
Credential stuffing is an automated attack where stolen username/password pairs from data breaches are tested against other services, exploiting password reuse. Unlike brute force, it uses known-valid credentials. Attackers use tools like Burp Intruder or custom scripts to test thousands of combinations. Mitigations include rate limiting, MFA, breached password detection, and CAPTCHA.
Insecure deserialization occurs when an application deserializes untrusted data without validation, allowing attackers to manipulate serialized objects. In languages like Java, PHP, and .NET, this can lead to remote code execution, privilege escalation, or denial of service. Tools like ysoserial generate exploitation gadget chains for common frameworks.
DNS rebinding is an attack that manipulates DNS resolution to bypass same-origin policy restrictions. The attacker controls a domain that initially resolves to their server but later resolves to an internal IP address (like 127.0.0.1), allowing their JavaScript to interact with internal services. It is commonly used to exploit SSRF protections that only validate the hostname at request time.
File upload bypass techniques exploit weak server-side validation of uploaded files to achieve remote code execution. Attackers use double extensions (.php.jpg), null bytes, MIME type spoofing, and polyglot files to bypass filters. A successful bypass can allow uploading web shells or overwriting critical server files.
GraphQL injection targets applications using the GraphQL query language. Attackers exploit introspection queries to discover the entire schema, use batching attacks for brute-forcing, and craft nested queries for denial-of-service. Unlike REST APIs, a single GraphQL endpoint exposes the full attack surface, making thorough testing essential.
HTTP request smuggling exploits discrepancies in how front-end and back-end servers parse HTTP requests. By manipulating Content-Length and Transfer-Encoding headers, attackers can "smuggle" a second request inside the first. This can lead to cache poisoning, session hijacking, and bypassing security controls. Common variants include CL.TE, TE.CL, and HTTP/2 downgrade attacks.
Horizontal privilege escalation occurs when a user accesses resources belonging to another user at the same privilege level. Unlike vertical escalation (user → admin), horizontal escalation involves accessing peer accounts — viewing another user's profile, orders, or messages by manipulating IDs or tokens. It is closely related to IDOR and broken access control.
IDOR occurs when an application exposes internal object references (like database IDs or file paths) in URLs or parameters without proper authorization checks. Attackers can manipulate these references to access other users' data, modify records, or delete resources. It is one of the most common vulnerabilities found in bug bounty programs.
JWT (JSON Web Token) attacks exploit weaknesses in how applications generate, sign, and validate tokens. Common techniques include the "none" algorithm bypass, HMAC/RSA confusion (changing RS256 to HS256), brute-forcing weak secrets, and injecting via the "kid" or "jku" header parameters. Successful exploitation can grant unauthorized access or privilege escalation.
LDAP injection targets applications that construct LDAP queries from user input. Attackers inject special characters like parentheses, asterisks, and logical operators to modify query logic, bypass authentication, or extract directory information. It is similar to SQL injection but targets LDAP directory services instead of databases.
Local File Inclusion (LFI) and path traversal attacks allow reading arbitrary files from the server by manipulating file path parameters. Attackers use sequences like "../" to escape the intended directory, often targeting /etc/passwd, configuration files, or application source code. Advanced techniques include PHP wrappers, null byte injection, and log file poisoning for remote code execution.
Log injection is an attack where user-controlled data is written to application logs without sanitization, allowing attackers to forge log entries, inject ANSI escape codes, or exploit log parsing tools. Log4Shell (CVE-2021-44228) was a critical RCE vulnerability in Apache Log4j that allowed attackers to trigger JNDI lookups via crafted log messages, leading to remote code execution.
NoSQL injection exploits applications that use NoSQL databases (like MongoDB or CouchDB) by injecting operators such as $gt, $ne, or $regex into queries. Unlike SQL injection, it targets JSON-based query syntax. Attackers can bypass authentication, extract data, or achieve denial of service through regular expression attacks.
An open redirect vulnerability occurs when an application redirects users to a URL specified in a parameter without proper validation. Attackers use it for phishing (redirecting to look-alike domains), token theft via the Referer header, and chaining with other vulnerabilities like SSRF or OAuth flows. Bypass techniques include protocol-relative URLs, URL encoding, and domain confusion.
Privilege escalation is when an attacker gains higher-level permissions than originally granted, either vertically (user to admin) or horizontally (accessing another user's data). Web application privilege escalation often involves manipulating role parameters, exploiting IDOR vulnerabilities, or abusing JWT claims. System-level privilege escalation targets misconfigurations, SUID binaries, or kernel vulnerabilities.
Prototype pollution is a JavaScript-specific vulnerability where an attacker modifies the prototype of a base object (Object.prototype) via __proto__, constructor, or prototype properties. This can lead to property injection across all objects, denial of service, or even remote code execution in server-side JavaScript. It typically occurs through insecure object merging or deep cloning functions.
A race condition vulnerability occurs when the outcome of a process depends on the timing of concurrent operations. In web applications, attackers send simultaneous requests to exploit time-of-check-to-time-of-use (TOCTOU) gaps, potentially redeeming coupons multiple times, bypassing rate limits, or creating duplicate transactions. Modern techniques use single-packet attacks for precise timing.
A reverse shell is a type of shell connection where the target machine initiates a connection back to the attacker's listener. It is the most common post-exploitation technique because it bypasses firewall rules that block inbound connections. Reverse shells can be created in virtually any language including Bash, Python, PowerShell, PHP, and Netcat.
SQL injection (SQLi) is a code injection technique that exploits applications constructing SQL queries from user input. Attackers insert malicious SQL statements to bypass authentication, extract database contents, modify data, or execute commands on the database server. Variants include UNION-based, error-based, blind boolean, and time-based blind injection.
SSRF occurs when an attacker can make a server-side application send HTTP requests to an arbitrary destination. It is commonly used to access internal services, cloud metadata endpoints (like AWS 169.254.169.254), and internal APIs that are not exposed to the internet. SSRF can be blind (no response returned) or full (response is reflected to the attacker).
SSTI occurs when user input is embedded into a server-side template engine (like Jinja2, Twig, or Freemarker) without sanitization. Attackers inject template syntax to execute arbitrary code on the server. Detection involves submitting mathematical expressions like {{7*7}} and checking if the result (49) is rendered. Successful exploitation typically leads to remote code execution.
Security misconfiguration refers to insecure default settings, incomplete configurations, open cloud storage, unnecessary features enabled, verbose error messages, or missing security headers. Common examples include exposed debug endpoints (/actuator, /__debug__), default credentials on admin panels, directory listing enabled, and missing HSTS or CSP headers.
Subdomain takeover occurs when a DNS record (typically a CNAME) points to an external service that no longer has an active resource behind it. An attacker can register the unclaimed resource on the service and serve arbitrary content on the victim's subdomain. This enables phishing, cookie theft, and reputation damage. Common targets include dangling CNAMEs to S3 buckets, Azure, Heroku, and GitHub Pages.
A supply chain attack targets the software development or distribution pipeline rather than the application itself. This includes compromising third-party libraries (typosquatting, dependency confusion), tampering with build systems, injecting malicious code into CI/CD pipelines, or compromising package registries. Notable examples include the SolarWinds attack and various npm/PyPI package compromises.
Sensitive data exposure occurs when an application inadequately protects information such as credentials, tokens, financial data, or PII. This includes transmitting data in cleartext (no HTTPS), using weak cryptographic algorithms, hardcoding API keys in client-side JavaScript, caching sensitive responses, including tokens in URLs, or leaking internal details via verbose error messages.
SSRF chaining is a technique where an initial SSRF vulnerability is combined with internal services to escalate impact. Common chains include SSRF → cloud metadata (169.254.169.254) for credential theft, SSRF → internal admin panels, SSRF → internal APIs without authentication, and SSRF → Redis/Memcached for RCE. The IP Calculator tool can generate bypass formats for SSRF filter evasion.
WAF (Web Application Firewall) bypass techniques are methods used to evade security filters that block malicious requests. Common approaches include encoding payloads (URL, HTML, Unicode), using alternative syntax or keywords, exploiting parser differentials between the WAF and the application, and chunked transfer encoding. WAF bypass is not a vulnerability itself but a technique to exploit other vulnerabilities despite protective measures.
XPath injection targets applications that use XPath queries to navigate XML data. By injecting XPath syntax, attackers can bypass authentication (using always-true conditions like ' or 1=1), extract data from XML documents, and enumerate the document structure. It is the XML equivalent of SQL injection and often found in legacy systems that use XML for data storage.
XSS is a client-side code injection attack where malicious scripts are injected into trusted websites. There are three main types: reflected (payload in the URL), stored (payload saved in the database), and DOM-based (payload processed by client-side JavaScript). XSS can steal session cookies, redirect users, deface pages, or capture keystrokes. It remains one of the most common web vulnerabilities.
XXE is an attack against applications that parse XML input. By defining an external entity in the XML document type definition (DTD), attackers can read local files, perform SSRF, or exfiltrate data via out-of-band channels. XXE is particularly dangerous in SOAP-based web services, document upload features, and any endpoint that accepts XML input.
Payload Playground provides 36+ payload generators and cheat sheets for hands-on security testing.