1. INJECTION ATTACKS (21)
Attacks where untrusted data is sent to an interpreter as part of a command or query
- SQL Injection (Classic)
- SQL Injection (Union-based)
- SQL Injection (Error-based)
- SQL Injection (Blind/Boolean-based)
- SQL Injection (Time-based)
- Second-Order SQL Injection
- NoSQL Injection (MongoDB)
- NoSQL Injection (JavaScript-based)
- Command Injection
- Blind Command Injection
- LDAP Injection
- Email Header Injection
- SMTP Injection
- XPath Injection
- XQuery Injection
- GraphQL Query Injection
- HTML Injection
- CRLF Injection (HTTP Response Splitting)
- Expression Language Injection (EL/OGNL)
- Template Injection (Server-Side)
- Log Injection/Log Forging
2. CROSS-SITE SCRIPTING (XSS) & CLIENT-SIDE (19)
Flaws allowing malicious script injection into web pages viewed by other users
- Reflected XSS
- Stored XSS
- DOM-Based XSS
- Blind XSS
- Mutation XSS (mXSS)
- Self-XSS
- Universal XSS (UXSS)
- XSS via SVG/Vector Images
- XSS via PDF/File Uploads
- XSS via WebSockets
- Cross-Site Request Forgery (CSRF)
- JSONP Injection/Callback Hijacking
- Clickjacking (UI Redressing)
- Open Redirect
- Cross-Origin Resource Sharing (CORS) Misconfiguration
- Cross-Origin Opener Policy (COOP) Bypass
- DOM Clobbering
- Tabnabbing/Reverse Tabnabbing
- PostMessage Vulnerabilities
3. BROKEN ACCESS CONTROL (22)
Failures in restrictions on what authenticated users are allowed to do
- Insecure Direct Object References (IDOR)
- Blind IDOR
- Horizontal Privilege Escalation
- Vertical Privilege Escalation
- Mass Assignment/Vulnerable Parameter Binding
- Directory Traversal/Path Traversal
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- Forced Browsing/Directory Enumeration
- Insecure API Endpoint Exposure
- Missing Function Level Access Control
- JWT None Algorithm Attack
- JWT Algorithm Confusion (RS256 to HS256)
- JWT Kid Parameter Injection
- JWT Weak Secret Bruteforce
- OAuth Misconfiguration
- OAuth State Parameter Leakage
- OAuth Redirect URI Bypass
- Single Sign-On (SSO) Bypass
- SAML Assertion Injection
- SAML Signature Wrapping
- Insecure Direct Object References via GraphQL
4. SECURITY MISCONFIGURATION (21)
Flaws resulting from insecure default, incomplete, or ad-hoc configurations
- XML External Entity (XXE) Injection
- Blind XXE
- XXE via SVG Upload
- Default Credentials
- Exposed Admin Panels
- Directory Listing Enabled
- Information Disclosure via Headers (Server, X-Powered-By)
- Debug Mode Enabled in Production
- Stack Trace/Verbose Error Messages
- Weak Password Policy
- No Account Lockout Policy
- Missing Security Headers (HSTS, CSP, X-Frame-Options)
- Content Security Policy (CSP) Bypass
- Insecure Cryptographic Storage
- Hardcoded API Keys/Credentials in Source Code
- Hardcoded Secrets in Mobile Apps
- Hardcoded Secrets in JavaScript Files
- Exposed S3 Buckets/Cloud Storage
- Exposed Git Repository (.git/config)
- Exposed Environment Files (.env)
- Outdated Software with Known Vulnerabilities
5. SERVER-SIDE & BUSINESS LOGIC (27)
Flaws in the design and flow of an application that can be exploited
- Server-Side Request Forgery (SSRF) – Basic
- Blind SSRF
- SSRF via Webhooks
- SSRF via PDF Generators
- SSRF via Image Processing
- Business Logic Flaw – Price Manipulation
- Business Logic Flaw – Quantity Manipulation (Negative Numbers)
- Business Logic Flaw – Coupon/Discount Abuse
- Business Logic Flaw – Unlimited Usage of Single-Use Items
- Business Logic Flaw – Step/Workflow Bypass
- Business Logic Flaw – Parameter Tampering
- Race Condition – Concurrent Requests
- Race Condition – Time-of-Check to Time-of-Use (TOCTOU)
- Race Condition – Payment/Limit Bypass
- Insecure Deserialization (PHP)
- Insecure Deserialization (Java)
- Insecure Deserialization (Python/Node.js)
- HTTP Request Smuggling (CL.TE)
- HTTP Request Smuggling (TE.CL)
- HTTP Request Smuggling (TE.TE)
- HTTP/2 Request Smuggling
- Unrestricted File Upload
- File Upload – MIME Type Bypass
- File Upload – Double Extensions
- File Upload – Polyglot Files
- Server-Side Template Injection (SSTI)
- Web Cache Poisoning
6. AUTHENTICATION & SESSION MANAGEMENT (22)
Flaws in functions related to user identity, login, and session handling
- Authentication Bypass
- Brute Force – Login Endpoint
- Brute Force – OTP/2FA Endpoint
- Weak Captcha Implementation
- Captcha Bypass via Response Manipulation
- Session Fixation
- Session Hijacking
- Session Token in URL
- Predictable Session Tokens
- Insufficient Session Expiry
- Password Reset Token Leakage via Referrer
- Password Reset Token Hijacking
- Password Reset Poisoning (Host Header)
- 2FA Bypass – Backup Code Abuse
- 2FA Bypass – Response Manipulation
- 2FA Bypass – Missing Rate Limiting
- 2FA Bypass – OAuth Integration Flaw
- Account Takeover (ATO) via CSRF
- Account Takeover via IDOR
- Account Takeover via Password Reset
- OTP Leakage in Response Body
- Replay Attacks
7. INFORMATION DISCLOSURE (17)
Exposure of sensitive information to unauthorized parties
- Sensitive Data Exposure (PII)
- Information Disclosure via Error Messages
- Information Disclosure via Debug Endpoints
- Information Disclosure via Source Code Comments
- Information Disclosure via JavaScript Files
- Information Disclosure via Backup Files (.bak, .old)
- Internal IP Address Disclosure
- Internal Path Disclosure
- Internal Email Disclosure
- API Key Leakage in JavaScript
- API Key Leakage in Mobile Traffic
- Cloud Metadata Exposure via SSRF
- AWS Keys via Instance Metadata
- Google Hacking/Dorking Vulnerabilities
- GitHub Secrets Exposure
- Wayback Machine/Hidden Endpoint Discovery
- Information Disclosure via Response Timing
8. API-SPECIFIC VULNERABILITIES (20)
Flaws particularly common or impactful in Application Programming Interfaces
- Broken Object Level Authorization (BOLA/IDOR in APIs)
- Broken Function Level Authorization (BFLA)
- Broken User Authentication
- Mass Assignment in APIs
- Excessive Data Exposure
- Lack of Resources/Rate Limiting
- API Key Leakage
- GraphQL Introspection Enabled
- GraphQL Query Depth Attacks
- GraphQL Alias-Based Attacks
- GraphQL Batching Attacks
- GraphQL Field Duplication Abuse
- Improper Assets Management (Stale/Shadow APIs)
- Webhooks Exploitation
- Hidden Parameters in API Requests
- Improper Error Messaging (Verbose Errors)
- API Versioning Bypass
- Shadow APIs from Mobile Apps
- Shadow APIs from JavaScript
- JSON Parameter Pollution
9. INFRASTRUCTURE & CRYPTOGRAPHIC FAILURES (18)
Failures related to the supporting infrastructure or cryptography
- Subdomain Takeover
- Subdomain Hijacking via Expired CNAME
- Subdomain Takeover via Azure/AWS/GCP Services
- DNS Cache Poisoning
- DNS Zone Transfer
- Buffer Overflow
- Integer Overflow
- Memory Leak
- Use-After-Free
- Insecure Communication (HTTP instead of HTTPS)
- Weak SSL/TLS Ciphers
- SSL/TLS Certificate Validation Bypass
- Open Ports Exposure
- Exposed Database (MongoDB, Elasticsearch, Redis)
- Exposed Development Services (Jenkins, Kibana)
- Exposed Kubernetes Dashboard
- Weak Cryptographic Key Generation
- Predictable Random Number Generation
10. MODERN & EMERGING ATTACKS (25)
Newer vulnerability classes and advanced attack chains
- LLM Prompt Injection – Direct
- LLM Prompt Injection – Indirect
- LLM Training Data Poisoning
- LLM Sensitive Data Leakage
- LLM Plugin/Tool Abuse
- Dependency Confusion (Supply Chain)
- Typosquatting Package Attacks
- CI/CD Pipeline Injection
- WebAssembly (WASM) – Hardcoded Secrets
- WebAssembly (WASM) – Logic Bypass via Modification
- Prototype Pollution – Client-Side
- Prototype Pollution – Server-Side (via JSON)
- Web Cache Deception
- Cache Poisoning via HTTP/2
- Dangling JSONP Endpoints
- Feature Flag Manipulation
- SaaS Token Reuse
- Zip Slip (Archive Extraction Vulnerability)
- HTML-to-PDF Injection/SSRF
- ImageTragick/ImageMagick Exploits
- Exiftool RCE (CVE-2021-22204)
- Log4Shell (CVE-2021-44228)
- WebSocket Hijacking
- Server-Side JavaScript Injection
- Web Cache Poisoning via Unkeyed Headers
11. KNOWN CVEs & CRITICAL VULNERABILITIES (14)
High-profile, real-world vulnerabilities frequently hunted in bug bounties
- Heartbleed (CVE-2014-0160) – OpenSSL Memory Leak
- Shellshock (CVE-2014-6271) – Bash RCE
- POODLE (CVE-2014-3566) – SSL 3.0 Fallback
- GHOST (CVE-2015-0235) – glibc RCE
- DROWN (CVE-2016-0800) – SSLv2 Decryption
- Apache Struts2 S2-045 (CVE-2017-5638) – RCE
- Apache Struts2 S2-057 (CVE-2018-11776) – RCE
- BlueKeep (CVE-2019-0708) – RDP RCE
- Citrix ADC RCE (CVE-2019-19781)
- F5 BIG-IP RCE (CVE-2020-5902)
- ZeroLogon (CVE-2020-1472) – Netlogon Privilege Escalation
- Windows CryptoAPI Spoofing (CVE-2020-0601)
- ProxyLogon (CVE-2021-26855) – Exchange Server RCE
- Confluence OGNL Injection (CVE-2021-26084)
12. MISCELLANEOUS & NICHE (13)
Specialized or less common but valid vulnerabilities
- Captcha Bypass via OCR
- Captcha Bypass via Replay
- Referer Leakage
- User Enumeration via Response Timing
- User Enumeration via Forgot Password
- User Enumeration via Registration
- Host Header Injection
- X-Forwarded-For Spoofing
- HTTP Parameter Pollution (HPP)
- Cacheable HTTPS Responses with Sensitive Data
- Mixed Content Warnings
- Autocomplete on Sensitive Fields
- Missing Anti-Clickjacking Headers
BUG CATEGORY SUMMARY
| Category | Number of Bugs |
|---|---|
| Injection Attacks | 21 |
| XSS & Client-Side | 19 |
| Broken Access Control | 22 |
| Security Misconfiguration | 21 |
| Server-Side & Business Logic | 27 |
| Authentication & Session | 22 |
| Information Disclosure | 17 |
| API-Specific | 20 |
| Infrastructure & Crypto | 18 |
| Modern & Emerging Attacks | 25 |
| Known CVEs | 14 |
| Miscellaneous & Niche | 13 |
| TOTAL | 239 |
HOW TO USE THIS LIST
- Checklist Methodology: Use this as a comprehensive checklist when testing a target
- Prioritize by Impact: Focus on critical categories like Access Control, SSRF, and Authentication flaws
- Combine Techniques: Chain lower-severity bugs for critical impact
- Stay Updated: New vulnerability classes emerge regularly—keep learning!
