Reference
Attack Types
Vulnerability classes that CodeWall tests for during penetration testing.
CodeWall tests for a wide range of vulnerability classes across the OWASP Top 10 and beyond.
| Attack Type | Description |
|---|---|
| SQL Injection | Injecting SQL queries through user input to read, modify, or delete database data |
| Cross-site Scripting (XSS) | Injecting scripts that execute in other users' browsers (reflected, stored, DOM-based) |
| Command Injection | Executing arbitrary OS commands through application inputs |
| LDAP Injection | Manipulating LDAP queries through unsanitized input |
| NoSQL Injection | Injecting query operators (for example MongoDB `$ne` or `$where`) or JavaScript into NoSQL queries to bypass filters or extract data |
| Template Injection (SSTI) | Injecting code into server-side template engines |
| Header Injection | Injecting CRLF sequences or attacker-controlled values into HTTP request or response headers (response splitting, Host header attacks) |
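The injection rows above all share one root cause: untrusted input is spliced into a query or command as text. The SQL Injection row is the clearest case, so here is an added example (not CodeWall's code, and not from this page) that runs both a tautology payload and a UNION payload against a deliberately vulnerable lookup and against its parameterized replacement. The in-memory SQLite database, its `users` and `api_keys` tables and the values in them are constructed for the demo.

```python
import sqlite3

# Constructed sample database (not data from the page): a users table the
# application means to expose, and an api_keys table it does not.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.execute("INSERT INTO api_keys (name, value) VALUES (?, ?)",
                 ("billing", "sk_constructed_demo_key"))
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # Deliberately vulnerable: the input is pasted into the SQL text, so a quote
    # in it closes the string literal and whatever follows is parsed as SQL.
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Hardened: the value is bound as a parameter. The driver never lets it
    # become SQL syntax, whatever characters it contains.
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Two classic payloads: a tautology that matches every row, and a UNION that
# reads a different table (its column count must match the original SELECT;
# the trailing "--" comments out the closing quote the application appends).
TAUTOLOGY = "x' OR '1'='1"
UNION_EXFIL = "x' UNION SELECT id, name, value FROM api_keys --"

def run_demo():
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION_EXFIL),
        "tautology_parameterized": lookup_parameterized(conn, TAUTOLOGY),
        "union_parameterized": lookup_parameterized(conn, UNION_EXFIL),
    }

if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every user for the tautology and the `api_keys` row for the UNION payload; the parameterized lookup returns nothing for either, because it searches for a user literally named `x' OR '1'='1`. The same pattern (concatenate vs. bind) is what separates the vulnerable and safe variants of the LDAP, NoSQL and command injection rows.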
| Attack Type | Description |
|---|---|
| Authentication Bypass | Circumventing login mechanisms to gain unauthorized access |
| Broken Object-Level Authorization (BOLA/IDOR) | Accessing resources belonging to other users by manipulating identifiers |
| Privilege Escalation | Gaining higher-level permissions than intended |
| Session Fixation | Forcing a user to use a known session ID |
| JWT Vulnerabilities | Exploiting weak JWT signing, algorithm confusion, or missing validation |
| Default Credentials | Testing for unchanged default passwords on services and admin interfaces |
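The JWT Vulnerabilities row covers three distinct mistakes: a weak or guessable signing key, letting the token header choose the algorithm (so `alg: none` skips verification), and not validating claims such as `exp`. The added example below (written for this page, not CodeWall's code) implements HS256 with the standard library, shows a naive verifier that honours `alg: none`, and a strict verifier that pins the algorithm, compares the MAC in constant time and requires an unexpired `exp`. The signing key, the guessed key and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    # Issues an HS256 token. alg="none" exists only so the demo can build the
    # unsigned token an attacker would submit.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_naive(token: str, key: bytes) -> Optional[dict]:
    # Vulnerable: the algorithm is read from the token itself, so "none" skips
    # the signature check and the attacker picks their own claims.
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body_b64))
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(body_b64))
    return None

def verify_strict(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    # Hardened: accepted algorithm fixed server-side, constant-time MAC compare,
    # malformed input rejected, and a future `exp` claim is mandatory.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    return claims

FAR_FUTURE = 4102444800  # 2100-01-01, so the demo tokens do not expire during the run

def run_demo():
    key = b"constructed-demo-hmac-key"  # assumption: stands in for the app's real key
    forged_none = make_token({"sub": "admin", "exp": FAR_FUTURE}, b"", alg="none")
    guessed_key = make_token({"sub": "admin", "exp": FAR_FUTURE}, b"secret")
    legit = make_token({"sub": "alice", "exp": FAR_FUTURE}, key)
    expired = make_token({"sub": "alice", "exp": 1}, key)
    return {
        "naive_accepts_alg_none": verify_naive(forged_none, key),
        "strict_rejects_alg_none": verify_strict(forged_none, key),
        "strict_rejects_guessed_key": verify_strict(guessed_key, key),
        "strict_rejects_expired": verify_strict(expired, key),
        "strict_accepts_legit": verify_strict(legit, key),
    }
```

During a test, the forged `alg: none` token and a token signed with a dictionary word such as `secret` are the first things to try; a service that accepts either has the flaw this row describes, and the "weak signing" case is simply `guessed_key` with the real key recovered by brute force.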
| Attack Type | Description |
|---|---|
| Server-Side Request Forgery (SSRF) | Making the server send requests to unintended destinations |
| Remote Code Execution (RCE) | Executing arbitrary code on the target server |
| Local File Inclusion (LFI) | Reading arbitrary files from the server's filesystem |
| Remote File Inclusion (RFI) | Including and executing remote files on the server |
| XML External Entity (XXE) | Exploiting XML parsers to read files or perform SSRF |
| Attack Type | Description |
|---|---|
| Security Misconfiguration | Identifying insecure defaults, open cloud storage, verbose errors |
| Information Disclosure | Exposed config files, stack traces, source code, internal IPs |
| SSL/TLS Weaknesses | Weak ciphers, expired certificates, missing HSTS |
| CORS Misconfiguration | Overly permissive cross-origin resource sharing policies |
| Open Redirect | Redirecting users to attacker-controlled sites via URL parameters |
| Cache Poisoning | Manipulating caches to serve malicious content to other users |
| Attack Type | Description |
|---|---|
| Cross-Site Request Forgery (CSRF) | Tricking users into performing unintended actions |
| Clickjacking | Framing pages to trick users into clicking hidden elements |
| DOM-based vulnerabilities | Client-side JavaScript flaws exploitable without server interaction |
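Three rows in the two tables above are decided by response headers: missing HSTS (SSL/TLS Weaknesses), CORS Misconfiguration, and Clickjacking. The added example below (not CodeWall's scanner, written for this page) audits one HTTP response the way a tester would: send a request carrying an attacker-chosen `Origin`, then check whether that origin is reflected with credentials, whether `null` or `*` is trusted with credentials, whether HSTS is absent or too short, and whether the page can be framed. The three sample responses and the attacker origin are constructed.

```python
from typing import Optional

def parse_hsts_max_age(value: str) -> Optional[int]:
    # Returns the max-age directive of a Strict-Transport-Security value, or None.
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None

def audit_response(sent_origin: str, headers: dict) -> list:
    # `sent_origin` is the Origin header the scanner put on its request,
    # chosen to be a domain the application should never trust.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == sent_origin and creds:
        findings.append("cors: arbitrary origin reflected with credentials")
    elif acao == "null" and creds:
        findings.append("cors: 'null' origin trusted with credentials")
    elif acao == "*" and creds:
        findings.append("cors: wildcard origin with credentials")

    max_age = parse_hsts_max_age(h.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("tls: Strict-Transport-Security header missing")
    elif max_age < 31536000:  # one year is the commonly recommended minimum
        findings.append(f"tls: HSTS max-age too short ({max_age}s)")

    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: page may be framed (no X-Frame-Options or frame-ancestors)")
    return findings

ATTACKER_ORIGIN = "https://attacker.example"  # constructed

# Constructed responses, as a scanner might capture them.
WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://attacker.example",  # reflected verbatim
    "Access-Control-Allow-Credentials": "true",
}
NULL_ORIGIN_RESPONSE = {
    "Access-Control-Allow-Origin": "null",  # reachable from a sandboxed iframe
    "Access-Control-Allow-Credentials": "true",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "sameorigin",
}
HARDENED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://app.example",  # fixed allowlisted origin
    "Access-Control-Allow-Credentials": "true",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, resp in [("weak", WEAK_RESPONSE), ("null-origin", NULL_ORIGIN_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)]:
        print(label, audit_response(ATTACKER_ORIGIN, resp))
```

The reflected-origin check only makes sense when the scanner controls the `Origin` it sent; a second request with a subdomain of the target (for example `https://app.example.attacker.example`) catches the common "endswith" allowlist mistake as well.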
| Attack Type | Description |
|---|---|
| Public CVEs | Known vulnerabilities in identified software versions |
| Outdated dependencies | Libraries and frameworks with known security issues |
| Exposed tokens and secrets | API keys, credentials, or secrets leaked in source code or responses |