Vulnerability in which unintended system commands are executed when user input values that have not been properly validated are run with some or all of the operating system commands.Ī vulnerability that exploits important system information or sensitive information exposed by direct access to important tables or objects of Windows and Unix Web servers in known locations and commercial DBMS servers.Ī vulnerability that could lead to system information leaks, service failures, etc., because it is possible to construct a path string for an unexpected access restriction area if the characters that can be used for the path manipulation are not filtered for external input values.Ī vulnerability that allows an attacker to upload malicious files or to delete important files by allowing unnecessary methods (PUT, DELETE, OPTIONS, etc.) when providing Web services.Ī vulnerability that if a file such as an internal document, a backup file, a log file, or a compressed file exists under the web root, the file name can be obtained by inferring, then the service information necessary for hacking can be obtained by directly requesting these file name. Vulnerability due to inadequate system configuration, such as the presense of installation files and temporary files created during the installation of the application (Apache, etc.), or the windows login window being exposed on the Web.Ī vulnerability that can be used as an intermediary for homepage tampering and hacking due to various vulnerability information of a public application that is open to the Internet due to financial and time burden in building a web server.Ī vulnerability in which inappropriate scripting is performed with the privileges of the visitor viewing the transmitted dynamic web page when the external input is used to generate the dynamic web page.Ī vulnerability that the attacker can execute the system internal command or control the system if a script file (asp, jsp, php file, etc.) that can be executed on the server-side can be uploaded and the attacker can execute this file directly through the web.Ī comprehensive attack mechanism for accessing a web server by manipulating traffic with contradictory standard rules such as multiple spaces, multiple slashes, newline characters, null character insertion, specific header deletion or modulation for security system bypass purposes.Ī vulnerability that exposes attack information such as server data information through an error message when a separate error page is not set in the web server.Ī vulnerability that could potentially expose sensitive file information by enabling indexing of all directories within the server or directories containing sensitive information. Domain Certificate Conversion/RegistrationĪ vulnerability that could allow an attacker to view (or manipulate) information from the DB by inserting SQL statements into the input form and URL fields in a web application that is interfaced with the database(DB).Ī vulnerability that could allow an attacker to execute an inappropriate script with the privileges of a visitor who views a Web page by including a malicious script on the page.Ĭrawling, Scraping, Scanner, Web Attack Toolkit, etc., to generate comprehensive attack traffic to detect direct vulnerabilities or collect indirect information to identify vulnerabilities.