PortSwigger 188
- SQLI
- Stealing OAuth access tokens via an open redirect
- OAuth account hijacking via redirect_uri
- Forced OAuth profile linking
- SSRF via OpenID dynamic client registration
- Authentication bypass via OAuth implicit flow
- CORS vulnerability with trusted insecure protocols
- CORS vulnerability with trusted null origin
- CORS vulnerability with basic origin reflection
- Multistep clickjacking
- Exploiting clickjacking vulnerability to trigger DOM-based XSS
- Clickjacking with a frame buster script
- Clickjacking with form input data prefilled from a URL parameter
- Basic clickjacking with CSRF token protection
- Exploiting time-sensitive vulnerabilities
- Single-endpoint race conditions
- Multi-endpoint race conditions
- Bypassing rate limits via race conditions
- Limit overrun race conditions
- Performing CSRF exploits over GraphQL
- CSRF with broken Referer validation
- CSRF where Referer validation depends on header being present
- SameSite Lax bypass via cookie refresh
- SameSite Strict bypass via sibling domain
- SameSite Strict bypass via client-side redirect
- SameSite Lax bypass via method override
- CSRF where token is duplicated in cookie
- CSRF where token is tied to non-session cookie
- CSRF where token is not tied to user session
- CSRF where token validation depends on token being present
- CSRF where token validation depends on request method
- CSRF vulnerability with no defenses
- Exploiting NoSQL operator injection to extract unknown fields
- Exploiting NoSQL injection to extract data
- Exploiting NoSQL operator injection to bypass authentication
- Detecting NoSQL injection
- Bypassing GraphQL brute force protections
- Finding a hidden GraphQL endpoint
- Accidental exposure of private GraphQL fields
- Accessing private GraphQL posts
- Authentication bypass via encryption oracle
- Infinite money logic flaw
- Authentication bypass via flawed state machine
- Insufficient workflow validation
- Weak isolation on dual-use endpoint
- Inconsistent handling of exceptional input
- Low-level logic flaw
- Manipulating the WebSocket handshake to exploit vulnerabilities
- Cross-site WebSocket hijacking
- Manipulating WebSocket messages to exploit vulnerabilities
- Indirect prompt injection
- Exploiting vulnerabilities in LLM APIs
- Exploiting LLM APIs with excessive agency
- Exploiting a mass assignment vulnerability
- Finding and exploiting an unused API endpoint
- Exploiting server-side parameter pollution in a query string
- Exploiting an API endpoint using documentation
- SQL injection with filter bypass via XML encoding
- Blind SQL injection with out-of-band data exfiltration
- Blind SQL injection with out-of-band interaction
- Blind SQL injection with time delays and information retrieval
- Blind SQL injection with time delays
- Visible error-based SQL injection
- Blind SQL injection with conditional errors
- Password brute-force via password change
- Password reset poisoning via middleware
- Offline password cracking
- Brute-forcing a stay-logged-in cookie
- 2FA broken logic
- Username enumeration via account lock
- Broken brute-force protection, IP block
- Username enumeration via response timing
- Username enumeration via subtly different responses
- Password reset broken logic
- 2FA simple bypass
- Username enumeration via different responses
- DOM-based cookie manipulation
- DOM-based open redirection
- DOM XSS using web messages and JSON.parse
- DOM XSS using web messages and a JavaScript URL
- DOM XSS using web messages
- Exploiting XSS to bypass CSRF defenses
- Exploiting cross-site scripting to capture passwords
- Exploiting cross-site scripting to steal cookies
- Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
- Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
- Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
- Reflected XSS into a JavaScript string with single quote and backslash escaped
- Reflected XSS in canonical link tag
- Reflected XSS with some SVG markup allowed
- Reflected XSS into HTML context with all tags blocked except custom ones
- Reflected XSS into HTML context with most tags and attributes blocked
- Stored DOM XSS
- Reflected DOM XSS
- DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
- DOM XSS in document.write sink using source location.search inside a select element
- Reflected XSS into a JavaScript string with angle brackets HTML encoded
- Stored XSS into anchor href attribute with double quotes HTML-encoded
- Reflected XSS into attribute with angle brackets HTML-encoded
- DOM XSS in jQuery selector sink using a hashchange event
- DOM XSS in jQuery anchor href attribute sink using location.search source
- DOM XSS in innerHTML sink using source location.search
- DOM XSS in document.write sink using source location.search
- Stored XSS into HTML context with nothing encoded
- Reflected XSS into HTML context with nothing encoded
- Exploiting Ruby deserialization using a documented gadget chain
- Exploiting PHP deserialization with a pre-built gadget chain
- Exploiting Java deserialization with Apache Commons
- Arbitrary object injection in PHP
- Using application functionality to exploit insecure deserialization
- Modifying serialized objects
- Modifying serialized objects
- JWT authentication bypass via kid header path traversal
- JWT authentication bypass via jku header injection
- Scanning non-standard data structures
- Discovering vulnerabilities quickly with targeted scanning
- Flawed enforcement of business rules
- Inconsistent security controls
- High-level logic vulnerability
- Excessive trust in client-side controls
- JWT authentication bypass via jwk header injection
- JWT authentication bypass via weak signing key
- JWT authentication bypass via flawed signature verification
- JWT authentication bypass via unverified signature
- Referer-based access control
- Multi-step process with no access control on one step
- Method-based access control can be circumvented
- URL-based access control can be circumvented
- Insecure direct object references
- User ID controlled by request parameter with password disclosure
- User ID controlled by request parameter with data leakage in redirect
- User ID controlled by request parameter, with unpredictable user IDs
- User ID controlled by request parameter
- User role can be modified in user profile
- User role controlled by request parameter
- Unprotected admin functionality with unpredictable URL
- Unprotected admin functionality
- Information disclosure in version control history
- Authentication bypass via information disclosure
- Source code disclosure via backup files
- Information disclosure on debug page
- Information disclosure in error messages
- Blind OS command injection with out-of-band data exfiltration
- Blind OS command injection with out-of-band interaction
- Blind OS command injection with output redirection
- Blind OS command injection with time delays
- OS command injection, simple case
- SSRF with filter bypass via open redirection vulnerability
- Blind SSRF with out-of-band detection
- Blind SSRF with out-of-band detection
- Basic SSRF against another back-end system
- Basic SSRF against the local server
- Exploiting XXE via image file upload
- Exploiting XInclude to retrieve files
- Exploiting blind XXE to retrieve data via error messages
- Exploiting blind XXE to exfiltrate data using a malicious external DTD
- Blind XXE with out-of-band interaction via XML parameter entities
- Blind XXE with out-of-band interaction
- Exploiting XXE to perform SSRF attacks
- Exploiting XXE using external entities to retrieve files
- Remote code execution via polyglot web shell upload
- Web shell upload via obfuscated file extension
- Web shell upload via extension blacklist bypass
- Web shell upload via path traversal
- File path traversal, validation of file extension with null byte bypass
- File path traversal, validation of start of path
- File path traversal, traversal sequences stripped with superfluous URL-decode
- File path traversal, traversal sequences stripped non-recursively
- File path traversal, traversal sequences blocked with absolute path bypass
- File path traversal, simple case
- Web shell upload via Content-Type restriction bypass
- Remote code execution via web shell upload
- Server-side template injection with information disclosure via user-supplied objects
- Server-side template injection in an unknown language with a documented exploit
- Server-side template injection using documentation
- Basic server-side template injection (code context)
- Basic server-side template injection
- Blind SQL injection with conditional responses
- SQL injection UNION attack, retrieving multiple values in a single column
- SQL injection UNION attack, retrieving data from other tables
- SQL injection UNION attack, finding a column containing text
- SQL injection UNION attack, determining the number of columns returned by the query
- SQL injection attack, listing the database contents on Oracle
- SQL injection attack, listing the database contents on non-Oracle databases
- SQL injection attack, querying the database type and version on MySQL and Microsoft
- SQL injection attack, querying the database type and version on Oracle
- SQL injection vulnerability allowing login bypass
- SQL injection vulnerability in WHERE clause allowing retrieval of hidden data