Common Vulnerabilities
Smart Contracts/Blockchain
- Re-entrancy
- Logic errors
  - including user authentication errors
- Solidity/EVM details not considered
  - including integer over-/under-flow
  - including unhandled exceptions
- Trusting trust/dependency vulnerabilities
  - including composability vulnerabilities
- Oracle failure/manipulation
- Novel governance attacks
- Economic/financial attacks
  - including flash loan attacks
- Congestion and scalability
  - including running out of gas
  - including block stuffing
  - including susceptibility to frontrunning
- Consensus failures
- Cryptography problems
  - Signature malleability
  - Susceptibility to replay attacks
  - Weak randomness
  - Weak encryption
  - Susceptibility to block timestamp manipulation
- Missing access controls / unprotected internal or debugging interfaces
Websites and Apps
- Remote Code Execution
- Trusting trust/dependency vulnerabilities
- Vertical Privilege Escalation
- XML External Entities Injection
- SQL Injection
- LFI/RFI
- Horizontal Privilege Escalation
- Stored XSS
- Reflective XSS with impact
- CSRF with impact
- Internal SSRF
- Session fixation
- Insecure Deserialization
- Direct object reference
- DOM XSS
- SSL misconfigurations
- SSL/TLS issues (weak crypto, improper setup)
- URL redirect
- Clickjacking
- Misleading Unicode text (e.g. using right-to-left override characters)