DiscordSign up
SKILLS.SH

top-100-web-vulnerabilities-reference

This skill should be used when the user asks to "identify web application vulnerabilities", "explain common security flaws", "understand vulnerability…

INSTALLATION
npx skills add https://github.com/davila7/claude-code-templates --skill top-100-web-vulnerabilities-reference
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Top 100 Web Vulnerabilities Reference

Purpose

Provide a comprehensive, structured reference for the 100 most critical web application vulnerabilities organized by category. This skill enables systematic vulnerability identification, impact assessment, and remediation guidance across the full spectrum of web security threats. Content organized into 15 major vulnerability categories aligned with industry standards and real-world attack patterns.

Prerequisites

  • Basic understanding of web application architecture (client-server model, HTTP protocol)
  • Familiarity with common web technologies (HTML, JavaScript, SQL, XML, APIs)
  • Understanding of authentication and authorization concepts
  • Access to web application security testing tools (Burp Suite, OWASP ZAP)
  • Knowledge of secure coding principles recommended

Outputs and Deliverables

  • Complete vulnerability catalog with definitions, root causes, impacts, and mitigations
  • Category-based vulnerability groupings for systematic assessment
  • Quick reference for security testing and remediation
  • Foundation for vulnerability assessment checklists and security policies

Core Workflow

Phase 1: Injection Vulnerabilities Assessment

Evaluate injection attack vectors targeting data processing components:

SQL Injection (1)

  • Definition: Malicious SQL code inserted into input fields to manipulate database queries
  • Root Cause: Lack of input validation, improper use of parameterized queries
  • Impact: Unauthorized data access, data manipulation, database compromise
  • Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts

Cross-Site Scripting - XSS (2)

  • Definition: Injection of malicious scripts into web pages viewed by other users
  • Root Cause: Insufficient output encoding, lack of input sanitization
  • Impact: Session hijacking, credential theft, website defacement
  • Mitigation: Output encoding, Content Security Policy (CSP), input sanitization

Command Injection (5, 11)

  • Definition: Execution of arbitrary system commands through vulnerable applications
  • Root Cause: Unsanitized user input passed to system shells
  • Impact: Full system compromise, data exfiltration, lateral movement
  • Mitigation: Avoid shell execution, whitelist valid commands, strict input validation

XML Injection (6), LDAP Injection (7), XPath Injection (8)

  • Definition: Manipulation of XML/LDAP/XPath queries through malicious input
  • Root Cause: Improper input handling in query construction
  • Impact: Data exposure, authentication bypass, information disclosure
  • Mitigation: Input validation, parameterized queries, escape special characters

Server-Side Template Injection - SSTI (13)

  • Definition: Injection of malicious code into template engines
  • Root Cause: User input embedded directly in template expressions
  • Impact: Remote code execution, server compromise
  • Mitigation: Sandbox template engines, avoid user input in templates, strict input validation

Phase 2: Authentication and Session Security

Assess authentication mechanism weaknesses:

Session Fixation (14)

  • Definition: Attacker sets victim's session ID before authentication
  • Root Cause: Session ID not regenerated after login
  • Impact: Session hijacking, unauthorized account access
  • Mitigation: Regenerate session ID on authentication, use secure session management

Brute Force Attack (15)

  • Definition: Systematic password guessing using automated tools
  • Root Cause: Lack of account lockout, rate limiting, or CAPTCHA
  • Impact: Unauthorized access, credential compromise
  • Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA

Session Hijacking (16)

  • Definition: Attacker steals or predicts valid session tokens
  • Root Cause: Weak session token generation, insecure transmission
  • Impact: Account takeover, unauthorized access
  • Mitigation: Secure random token generation, HTTPS, HttpOnly/Secure cookie flags

Credential Stuffing and Reuse (22)

  • Definition: Using leaked credentials to access accounts across services
  • Root Cause: Users reusing passwords, no breach detection
  • Impact: Mass account compromise, data breaches
  • Mitigation: MFA, breach password checks, unique credential requirements

Insecure "Remember Me" Functionality (85)

  • Definition: Weak persistent authentication token implementation
  • Root Cause: Predictable tokens, inadequate expiration controls
  • Impact: Unauthorized persistent access, session compromise
  • Mitigation: Strong token generation, proper expiration, secure storage

CAPTCHA Bypass (86)

  • Definition: Circumventing bot detection mechanisms
  • Root Cause: Weak CAPTCHA algorithms, improper validation
  • Impact: Automated attacks, credential stuffing, spam
  • Mitigation: reCAPTCHA v3, layered bot detection, rate limiting

Phase 3: Sensitive Data Exposure

Identify data protection failures:

IDOR - Insecure Direct Object References (23, 42)

  • Definition: Direct access to internal objects via user-supplied references
  • Root Cause: Missing authorization checks on object access
  • Impact: Unauthorized data access, privacy breaches
  • Mitigation: Access control validation, indirect reference maps, authorization checks

Data Leakage (24)

  • Definition: Inadvertent disclosure of sensitive information
  • Root Cause: Inadequate data protection, weak access controls
  • Impact: Privacy breaches, regulatory penalties, reputation damage
  • Mitigation: DLP solutions, encryption, access controls, security training

Unencrypted Data Storage (25)

  • Definition: Storing sensitive data without encryption
  • Root Cause: Failure to implement encryption at rest
  • Impact: Data breaches if storage compromised
  • Mitigation: Full-disk encryption, database encryption, secure key management

Information Disclosure (33)

  • Definition: Exposure of system details through error messages or responses
  • Root Cause: Verbose error handling, debug information in production
  • Impact: Reconnaissance for further attacks, credential exposure
  • Mitigation: Generic error messages, disable debug mode, secure logging

Phase 4: Security Misconfiguration

Assess configuration weaknesses:

Missing Security Headers (26)

  • Definition: Absence of protective HTTP headers (CSP, X-Frame-Options, HSTS)
  • Root Cause: Inadequate server configuration
  • Impact: XSS attacks, clickjacking, protocol downgrade
  • Mitigation: Implement CSP, X-Content-Type-Options, X-Frame-Options, HSTS

Default Passwords (28)

  • Definition: Unchanged default credentials on systems/applications
  • Root Cause: Failure to change vendor defaults
  • Impact: Unauthorized access, system compromise
  • Mitigation: Mandatory password changes, strong password policies

Directory Listing (29)

  • Definition: Web server exposes directory contents
  • Root Cause: Improper server configuration
  • Impact: Information disclosure, sensitive file exposure
  • Mitigation: Disable directory indexing, use default index files

Unprotected API Endpoints (30)

  • Definition: APIs lacking authentication or authorization
  • Root Cause: Missing security controls on API routes
  • Impact: Unauthorized data access, API abuse
  • Mitigation: OAuth/API keys, access controls, rate limiting

Open Ports and Services (31)

  • Definition: Unnecessary network services exposed
  • Root Cause: Failure to minimize attack surface
  • Impact: Exploitation of vulnerable services
  • Mitigation: Port scanning audits, firewall rules, service minimization

Misconfigured CORS (35)

  • Definition: Overly permissive Cross-Origin Resource Sharing policies
  • Root Cause: Wildcard origins, improper CORS configuration
  • Impact: Cross-site request attacks, data theft
  • Mitigation: Whitelist trusted origins, validate CORS headers

Unpatched Software (34)

  • Definition: Systems running outdated vulnerable software
  • Root Cause: Neglected patch management
  • Impact: Exploitation of known vulnerabilities
  • Mitigation: Patch management program, vulnerability scanning, automated updates

Phase 5: XML-Related Vulnerabilities

Evaluate XML processing security:

XXE - XML External Entity Injection (37)

  • Definition: Exploitation of XML parsers to access files or internal systems
  • Root Cause: External entity processing enabled
  • Impact: File disclosure, SSRF, denial of service
  • Mitigation: Disable external entities, use safe XML parsers

XEE - XML Entity Expansion (38)

  • Definition: Excessive entity expansion causing resource exhaustion
  • Root Cause: Unlimited entity expansion allowed
  • Impact: Denial of service, parser crashes
  • Mitigation: Limit entity expansion, configure parser restrictions

XML Bomb (Billion Laughs) (39)

  • Definition: Crafted XML with nested entities consuming resources
  • Root Cause: Recursive entity definitions
  • Impact: Memory exhaustion, denial of service
  • Mitigation: Entity expansion limits, input size restrictions

XML Denial of Service (65)

  • Definition: Specially crafted XML causing excessive processing
  • Root Cause: Complex document structures without limits
  • Impact: CPU/memory exhaustion, service unavailability
  • Mitigation: Schema validation, size limits, processing timeouts

Phase 6: Broken Access Control

Assess authorization enforcement:

Inadequate Authorization (40)

  • Definition: Failure to properly enforce access controls
  • Root Cause: Weak authorization policies, missing checks
  • Impact: Unauthorized access to sensitive resources
  • Mitigation: RBAC, centralized IAM, regular access reviews

Privilege Escalation (41)

  • Definition: Gaining elevated access beyond intended permissions
  • Root Cause: Misconfigured permissions, system vulnerabilities
  • Impact: Full system compromise, data manipulation
  • Mitigation: Least privilege, regular patching, privilege monitoring

Forceful Browsing (43)

  • Definition: Direct URL manipulation to access restricted resources
  • Root Cause: Weak access controls, predictable URLs
  • Impact: Unauthorized file/directory access
  • Mitigation: Server-side access controls, unpredictable resource paths

Missing Function-Level Access Control (44)

  • Definition: Unprotected administrative or privileged functions
  • Root Cause: Authorization only at UI level
  • Impact: Unauthorized function execution
  • Mitigation: Server-side authorization for all functions, RBAC

Phase 7: Insecure Deserialization

Evaluate object serialization security:

Remote Code Execution via Deserialization (45)

  • Definition: Arbitrary code execution through malicious serialized objects
  • Root Cause: Untrusted data deserialized without validation
  • Impact: Complete system compromise, code execution
  • Mitigation: Avoid deserializing untrusted data, integrity checks, type validation

Data Tampering (46)

  • Definition: Unauthorized modification of serialized data
  • Root Cause: Missing integrity verification
  • Impact: Data corruption, privilege manipulation
  • Mitigation: Digital signatures, HMAC validation, encryption

Object Injection (47)

  • Definition: Malicious object instantiation during deserialization
  • Root Cause: Unsafe deserialization practices
  • Impact: Code execution, unauthorized access
  • Mitigation: Type restrictions, class whitelisting, secure libraries

Phase 8: API Security Assessment

Evaluate API-specific vulnerabilities:

Insecure API Endpoints (48)

  • Definition: APIs without proper security controls
  • Root Cause: Poor API design, missing authentication
  • Impact: Data breaches, unauthorized access
  • Mitigation: OAuth/JWT, HTTPS, input validation, rate limiting

API Key Exposure (49)

  • Definition: Leaked or exposed API credentials
  • Root Cause: Hardcoded keys, insecure storage
  • Impact: Unauthorized API access, abuse
  • Mitigation: Secure key storage, rotation, environment variables

Lack of Rate Limiting (50)

  • Definition: No controls on API request frequency
  • Root Cause: Missing throttling mechanisms
  • Impact: DoS, API abuse, resource exhaustion
  • Mitigation: Rate limits per user/IP, throttling, DDoS protection

Inadequate Input Validation (51)

  • Definition: APIs accepting unvalidated user input
  • Root Cause: Missing server-side validation
  • Impact: Injection attacks, data corruption
  • Mitigation: Strict validation, parameterized queries, WAF

API Abuse (75)

  • Definition: Exploiting API functionality for malicious purposes
  • Root Cause: Excessive trust in client input
  • Impact: Data theft, account takeover, service abuse
  • Mitigation: Strong authentication, behavior analysis, anomaly detection

Phase 9: Communication Security

Assess transport layer protections:

Man-in-the-Middle Attack (52)

  • Definition: Interception of communication between parties
  • Root Cause: Unencrypted channels, compromised networks
  • Impact: Data theft, session hijacking, impersonation
  • Mitigation: TLS/SSL, certificate pinning, mutual authentication

Insufficient Transport Layer Security (53)

  • Definition: Weak or outdated encryption for data in transit
  • Root Cause: Outdated protocols (SSLv2/3), weak ciphers
  • Impact: Traffic interception, credential theft
  • Mitigation: TLS 1.2+, strong cipher suites, HSTS

Insecure SSL/TLS Configuration (54)

  • Definition: Improperly configured encryption settings
  • Root Cause: Weak ciphers, missing forward secrecy
  • Impact: Traffic decryption, MITM attacks
  • Mitigation: Modern cipher suites, PFS, certificate validation

Insecure Communication Protocols (55)

  • Definition: Use of unencrypted protocols (HTTP, Telnet, FTP)
  • Root Cause: Legacy systems, security unawareness
  • Impact: Traffic sniffing, credential exposure
  • Mitigation: HTTPS, SSH, SFTP, VPN tunnels

Phase 10: Client-Side Vulnerabilities

Evaluate browser-side security:

DOM-based XSS (56)

  • Definition: XSS through client-side JavaScript manipulation
  • Root Cause: Unsafe DOM manipulation with user input
  • Impact: Session theft, credential harvesting
  • Mitigation: Safe DOM APIs, CSP, input sanitization

Insecure Cross-Origin Communication (57)

  • Definition: Improper handling of cross-origin requests
  • Root Cause: Relaxed CORS/SOP policies
  • Impact: Data leakage, CSRF attacks
  • Mitigation: Strict CORS, CSRF tokens, origin validation

Browser Cache Poisoning (58)

  • Definition: Manipulation of cached content
  • Root Cause: Weak cache validation
  • Impact: Malicious content delivery
  • Mitigation: Cache-Control headers, HTTPS, integrity checks

Clickjacking (59, 71)

  • Definition: UI redress attack tricking users into clicking hidden elements
  • Root Cause: Missing frame protection
  • Impact: Unintended actions, credential theft
  • Mitigation: X-Frame-Options, CSP frame-ancestors, frame-busting

HTML5 Security Issues (60)

  • Definition: Vulnerabilities in HTML5 APIs (WebSockets, Storage, Geolocation)
  • Root Cause: Improper API usage, insufficient validation
  • Impact: Data leakage, XSS, privacy violations
  • Mitigation: Secure API usage, input validation, sandboxing

Phase 11: Denial of Service Assessment

Evaluate availability threats:

DDoS - Distributed Denial of Service (61)

  • Definition: Overwhelming systems with traffic from multiple sources
  • Root Cause: Botnets, amplification attacks
  • Impact: Service unavailability, revenue loss
  • Mitigation: DDoS protection services, rate limiting, CDN

Application Layer DoS (62)

  • Definition: Targeting application logic to exhaust resources
  • Root Cause: Inefficient code, resource-intensive operations
  • Impact: Application unavailability, degraded performance
  • Mitigation: Rate limiting, caching, WAF, code optimization

Resource Exhaustion (63)

  • Definition: Depleting CPU, memory, disk, or network resources
  • Root Cause: Inefficient resource management
  • Impact: System crashes, service degradation
  • Mitigation: Resource quotas, monitoring, load balancing

Slowloris Attack (64)

  • Definition: Keeping connections open with partial HTTP requests
  • Root Cause: No connection timeouts
  • Impact: Web server resource exhaustion
  • Mitigation: Connection timeouts, request limits, reverse proxy

Phase 12: Server-Side Request Forgery

Assess SSRF vulnerabilities:

SSRF - Server-Side Request Forgery (66)

  • Definition: Manipulating server to make requests to internal resources
  • Root Cause: Unvalidated user-controlled URLs
  • Impact: Internal network access, data theft, cloud metadata access
  • Mitigation: URL whitelisting, network segmentation, egress filtering

Blind SSRF (87)

  • Definition: SSRF without direct response visibility
  • Root Cause: Similar to SSRF, harder to detect
  • Impact: Data exfiltration, internal reconnaissance
  • Mitigation: Allowlists, WAF, network restrictions

Time-Based Blind SSRF (88)

  • Definition: Inferring SSRF success through response timing
  • Root Cause: Processing delays indicating request outcomes
  • Impact: Prolonged exploitation, detection evasion
  • Mitigation: Request timeouts, anomaly detection, timing monitoring

Phase 13: Additional Web Vulnerabilities

#

Vulnerability

Root Cause

Impact

Mitigation

67

HTTP Parameter Pollution

Inconsistent parsing

Injection, ACL bypass

Strict parsing, validation

68

Insecure Redirects

Unvalidated targets

Phishing, malware

Whitelist destinations

69

File Inclusion (LFI/RFI)

Unvalidated paths

Code exec, disclosure

Whitelist files, disable RFI

70

Security Header Bypass

Misconfigured headers

XSS, clickjacking

Proper headers, audits

72

Inadequate Session Timeout

Excessive timeouts

Session hijacking

Idle termination, timeouts

73

Insufficient Logging

Missing infrastructure

Detection gaps

SIEM, alerting

74

Business Logic Flaws

Insecure design

Fraud, unauthorized ops

Threat modeling, testing

Phase 14: Mobile and IoT Security

#

Vulnerability

Root Cause

Impact

Mitigation

76

Insecure Mobile Storage

Plain text, weak crypto

Data theft

Keychain/Keystore, encrypt

77

Insecure Mobile Transmission

HTTP, cert failures

Traffic interception

TLS, cert pinning

78

Insecure Mobile APIs

Missing auth/validation

Data exposure

OAuth/JWT, validation

79

App Reverse Engineering

Hardcoded creds

Credential theft

Obfuscation, RASP

80

IoT Management Issues

Weak auth, no TLS

Device takeover

Strong auth, TLS

81

Weak IoT Authentication

Default passwords

Unauthorized access

Unique creds, MFA

82

IoT Vulnerabilities

Design flaws, old firmware

Botnet recruitment

Updates, segmentation

83

Smart Home Access

Insecure defaults

Privacy invasion

MFA, segmentation

84

IoT Privacy Issues

Excessive collection

Surveillance

Data minimization

Phase 15: Advanced and Zero-Day Threats

#

Vulnerability

Root Cause

Impact

Mitigation

89

MIME Sniffing

Missing headers

XSS, spoofing

X-Content-Type-Options

91

CSP Bypass

Weak config

XSS despite CSP

Strict CSP, nonces

92

Inconsistent Validation

Decentralized logic

Control bypass

Centralized validation

93

Race Conditions

Missing sync

Privilege escalation

Proper locking

94-95

Business Logic Flaws

Missing validation

Financial fraud

Server-side validation

96

Account Enumeration

Different responses

Targeted attacks

Uniform responses

98-99

Unpatched Vulnerabilities

Patch delays

Zero-day exploitation

Patch management

100

Zero-Day Exploits

Unknown vulns

Unmitigated attacks

Defense in depth

Quick Reference

Vulnerability Categories Summary

Category

Vulnerability Numbers

Key Controls

Injection

1-13

Parameterized queries, input validation, output encoding

Authentication

14-23, 85-86

MFA, session management, account lockout

Data Exposure

24-27

Encryption at rest/transit, access controls, DLP

Misconfiguration

28-36

Secure defaults, hardening, patching

XML

37-39, 65

Disable external entities, limit expansion

Access Control

40-44

RBAC, least privilege, authorization checks

Deserialization

45-47

Avoid untrusted data, integrity validation

API Security

48-51, 75

OAuth, rate limiting, input validation

Communication

52-55

TLS 1.2+, certificate validation, HTTPS

Client-Side

56-60

CSP, X-Frame-Options, safe DOM

DoS

61-65

Rate limiting, DDoS protection, resource limits

SSRF

66, 87-88

URL whitelisting, egress filtering

Mobile/IoT

76-84

Encryption, authentication, secure storage

Business Logic

74, 92-97

Threat modeling, logic testing

Zero-Day

98-100

Defense in depth, threat intelligence

Critical Security Headers

Content-Security-Policy: default-src 'self'; script-src 'self'

X-Content-Type-Options: nosniff

X-Frame-Options: DENY

X-XSS-Protection: 1; mode=block

Strict-Transport-Security: max-age=31536000; includeSubDomains

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy: geolocation=(), microphone=()

OWASP Top 10 Mapping

OWASP 2021

Related Vulnerabilities

A01: Broken Access Control

40-44, 23, 74

A02: Cryptographic Failures

24-25, 53-55

A03: Injection

1-13, 37-39

A04: Insecure Design

74, 92-97

A05: Security Misconfiguration

26-36

A06: Vulnerable Components

34, 98-100

A07: Auth Failures

14-23, 85-86

A08: Data Integrity

45-47

A09: Logging Failures

73

A10: SSRF

66, 87-88

Constraints and Limitations

  • Vulnerability definitions represent common patterns; specific implementations vary
  • Mitigations must be adapted to technology stack and architecture
  • New vulnerabilities emerge continuously; reference should be updated
  • Some vulnerabilities overlap across categories (e.g., IDOR appears in multiple contexts)
  • Effectiveness of mitigations depends on proper implementation
  • Automated scanners cannot detect all vulnerability types (especially business logic)

Troubleshooting

Common Assessment Challenges

Challenge

Solution

False positives in scanning

Manual verification, contextual analysis

Business logic flaws missed

Manual testing, threat modeling, abuse case analysis

Encrypted traffic analysis

Proxy configuration, certificate installation

WAF blocking tests

Rate adjustment, IP rotation, payload encoding

Session handling issues

Cookie management, authentication state tracking

API discovery

Swagger/OpenAPI enumeration, traffic analysis

Vulnerability Verification Techniques

Vulnerability Type

Verification Approach

Injection

Payload testing with encoded variants

XSS

Alert boxes, cookie access, DOM inspection

CSRF

Cross-origin form submission testing

SSRF

Out-of-band DNS/HTTP callbacks

XXE

External entity with controlled server

Access Control

Horizontal/vertical privilege testing

Authentication

Credential rotation, session analysis

References

  • OWASP Top 10 Web Application Security Risks
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • OWASP Testing Guide
  • OWASP Application Security Verification Standard (ASVS)
  • NIST Cybersecurity Framework
  • Source: Kumar MS - Top 100 Web Vulnerabilities
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card