Web Exploits (CAV – Common Attack Vectors)

Injection Attacks

  • SQL Injection (SQLi)

  • OS Command Injection (RCE)

  • XML External Entity (XXE)

  • Server-Side Template Injection (SSTI)

  • LDAP Injection

  • Expression Language Injection (EL Injection)

Cross-Site Attacks

  • Cross-Site Scripting (XSS) – Reflected, Stored, DOM

  • Cross-Site Request Forgery (CSRF)

  • Clickjacking

  • HTML Injection

Path & File Attacks

  • Directory Traversal / Path Traversal

  • Local File Inclusion (LFI)

  • Remote File Inclusion (RFI)

  • Predictable Resource Location

  • File Upload Abuse

  • Null Byte Injection

Protocol/Format Manipulation

  • HTTP Request Smuggling

  • HTTP Response Splitting

  • CRLF Injection

  • Format String Injection

  • JSON/HTTP Structure Abuse

Information Disclosure

  • Stack Trace Leakage

  • Verb Tampering

  • Debug Info Exposure

  • Misconfigured Error Pages

  • Fingerprinting Attacks (e.g., header-based)

Session & Authentication Attacks

  • Session Fixation

  • Session Prediction

  • Insecure Cookie Attributes (non-HttpOnly, persistent)

  • Insecure Password Reset Flows

  • Brute Force Detection Bypass (evasion)

Web Logic Abuse

  • Business Logic Manipulation

  • Method Override Abuse (e.g., X-HTTP-Method-Override)

  • Hidden Parameter Tampering

Miscellaneous Exploits

  • WebShell Upload Patterns

  • PHP Code Injection

  • Java Deserialization Exploits

  • SSRF (when matched by known patterns)

  • Malware Payloads (e.g., known malware signature)
