- Session management: logout mechanisms, session timeout, the possibility of entering an existing session through unverified entry points, session hijacking, CSRF, etc.
- Data validation: XML Injection, SQL Injection, XPath Injection, etc.
- Command Injection: incorrect or unauthorized interaction with the operating system, where user-supplied input reaches a system command (for example, through "shell escapes").
- Cross-Site Scripting (XSS): vulnerabilities that allow attacker-controlled script to run in the user's browser in the security context of the application, enabling the theft of sensitive information (such as session cookies) and, for example, session hijacking, phishing attacks, etc.
- Access control vulnerabilities in the application's own authorization logic: for example, horizontal or vertical privilege escalation or access to unauthorized functionality, together with the protection of data in transit, etc.
The categories listed above are only some of the vulnerability classes analyzed and identified during our Web Application Penetration Testing activity.