Web Application Vulnerabilities Index

This page lists X vulnerabilities classified as WASC-15 that can be detected by Invicti.

Select Category
Critical
High
Medium
Low
Best Practice
Information
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Select Vulnerability
Vulnerability Name
Classification
Severity
An Unsafe Content Security Policy (CSP) Directive in Use
An Unsafe Content Security Policy (CSP) Directive in Use
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
Autocomplete Enabled (Password Field)
Autocomplete Enabled (Password Field)
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
, 
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Autocomplete is Enabled
Autocomplete is Enabled
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Content Security Policy (CSP) Keywords Not Used Within Single Quotes
Content Security Policy (CSP) Keywords Not Used Within Single Quotes
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes
Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Content Security Policy (CSP) Nonce Without Matching Script Block
Content Security Policy (CSP) Nonce Without Matching Script Block
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Content Security Policy (CSP) Not Implemented
Content Security Policy (CSP) Not Implemented
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags
Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive
Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Cookie Not Marked as HttpOnly
Cookie Not Marked as HttpOnly
CAPEC-107
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Cookie Not Marked as Secure
Cookie Not Marked as Secure
CAPEC-102
, 
CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
, 
CWE-614
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A6
, 
OWASP 2017-A3
, 
PCI v3.2-6.5.10
, 
WASC-15
, 
Low
Database Connection String Detected
Database Connection String Detected
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
, 
CWE-16
, 
HIPAA-164.306(a)
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A3
, 
WASC-15
, 
Information
Deprecated Header Instruction Used to Implement Content Security Policy (CSP)
Deprecated Header Instruction Used to Implement Content Security Policy (CSP)
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
Disabled X-XSS-Protection Header
Disabled X-XSS-Protection Header
CWE-693
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Information
Elmah.axd / Errorlog.axd Detected
Elmah.axd / Errorlog.axd Detected
CAPEC-347
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
HIPAA-164.306(a)
, 
HIPAA-164.308(a)
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.6
, 
WASC-15
, 
High
Expect-CT Header via HTTP
Expect-CT Header via HTTP
CWE-16
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Information
Expect-CT Not Enabled
Expect-CT Not Enabled
CWE-16
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Best Practice
Expect-CT Security Header Errors and Warnings
Expect-CT Security Header Errors and Warnings
CWE-16
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Information
HTTP Strict Transport Security (HSTS) Errors and Warnings
HTTP Strict Transport Security (HSTS) Errors and Warnings
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Medium
HTTP Strict Transport Security (HSTS) Max-Age Value Too Low
HTTP Strict Transport Security (HSTS) Max-Age Value Too Low
CWE-16
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Information
HTTP Strict Transport Security (HSTS) via HTTP
HTTP Strict Transport Security (HSTS) via HTTP
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Incorrect Content Security Policy (CSP) Implementation
Incorrect Content Security Policy (CSP) Implementation
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Insecure Frame (External)
Insecure Frame (External)
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Insecure JSONP Endpoint
Insecure JSONP Endpoint
CWE-20
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A1
, 
WASC-15
, 
Low
Insecure Reflected Content
Insecure Reflected Content
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A1
, 
WASC-15
, 
Low
Invalid Content Security Policy (CSP) Directive Identified in meta Elements
Invalid Content Security Policy (CSP) Directive Identified in meta Elements
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Laravel Environment Configuration File Detected
Laravel Environment Configuration File Detected
CWE-285
, 
ISO27001-A.9.4.1
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Misconfigured Access-Control-Allow-Origin Header
Misconfigured Access-Control-Allow-Origin Header
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.8
, 
WASC-15
, 
Low
Misconfigured Frame
Misconfigured Frame
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Missing Content-Type Header
Missing Content-Type Header
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.7
, 
WASC-15
, 
Low
Missing frame-ancestors in CSP Declaration
Missing frame-ancestors in CSP Declaration
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
Missing object-src in CSP Declaration
Missing object-src in CSP Declaration
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
Missing X-Content-Type-Options Header
Missing X-Content-Type-Options Header
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Missing X-XSS-Protection Header
Missing X-XSS-Protection Header
CWE-16
, 
HIPAA-164.308(a)
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
Multiple Content Security Policy (CSP) Implementation Detected
Multiple Content Security Policy (CSP) Implementation Detected
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
No SAML Response Signature Check
No SAML Response Signature Check
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
High
Open Policy Crossdomain.xml Detected
Open Policy Crossdomain.xml Detected
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Medium
Open Silverlight Client Access Policy
Open Silverlight Client Access Policy
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Medium
Phishing by Navigating Browser Tabs
Phishing by Navigating Browser Tabs
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
RoR Database Configuration File Detected
RoR Database Configuration File Detected
CWE-285
, 
ISO27001-A.9.4.1
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
SameSite Cookie Not Implemented
SameSite Cookie Not Implemented
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
SameSite None Cookie Not Marked as Secure
SameSite None Cookie Not Marked as Secure
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
SAML Response Signature Exclusion
SAML Response Signature Exclusion
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
High
SAML Response Without Signature
SAML Response Without Signature
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
High
Server-Side Request Forgery (elmah)
Server-Side Request Forgery (elmah)
CAPEC-347
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-918
, 
HIPAA-164.306(a)
, 
HIPAA-164.308(a)
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.6
, 
WASC-15
, 
High
Server-Side Request Forgery (elmah MVC)
Server-Side Request Forgery (elmah MVC)
CAPEC-347
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-918
, 
HIPAA-164.306(a)
, 
HIPAA-164.308(a)
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.6
, 
WASC-15
, 
High
Server-Side Request Forgery (trace.axd)
Server-Side Request Forgery (trace.axd)
CAPEC-347
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-918
, 
HIPAA-164.306(a)
, 
HIPAA-164.308(a)
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.6
, 
WASC-15
, 
Critical
Session Cookie Not Marked as Secure
Session Cookie Not Marked as Secure
CAPEC-102
, 
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
, 
CWE-614
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A6
, 
OWASP 2017-A3
, 
PCI v3.2-6.5.10
, 
WASC-15
, 
Medium
Static Nonce Identified in Content Security Policy (CSP)
Static Nonce Identified in Content Security Policy (CSP)
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Sublime SFTP Config File Detected
Sublime SFTP Config File Detected
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
, 
CWE-16
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Medium
Subresource Integrity (SRI) Hash Invalid
Subresource Integrity (SRI) Hash Invalid
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Low
Subresource Integrity (SRI) Not Implemented
Subresource Integrity (SRI) Not Implemented
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
Trace.axd Detected
Trace.axd Detected
CAPEC-347
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
HIPAA-164.306(a)
, 
HIPAA-164.308(a)
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.6
, 
WASC-15
, 
High
Travis CI Configuration File Detected
Travis CI Configuration File Detected
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
ISO27001-A.9.4.1
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
UNC Server and Share Disclosure
UNC Server and Share Disclosure
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
, 
CWE-16
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Unsupported Hash Detected in Content Security Policy (CSP)
Unsupported Hash Detected in Content Security Policy (CSP)
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
ViewState is not Encrypted
ViewState is not Encrypted
CWE-16
, 
HIPAA-164.306(a)
, 
HIPAA-164.308(a)
, 
ISO27001-A.14.2.5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
ViewState MAC Disabled
ViewState MAC Disabled
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
HIPAA-164.306(a)
, 
HIPAA-164.308(a)
, 
ISO27001-A.14.2.5
, 
OWASP 2017-A6
, 
WASC-15
, 
Medium
Weak Basic Authentication Credentials
Weak Basic Authentication Credentials
CAPEC-16
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
, 
CWE-521
, 
ISO27001-A.9.4.3
, 
OWASP 2013-A6
, 
OWASP 2017-A3
, 
PCI v3.2-6.5.10
, 
WASC-15
, 
High
WebDAV Enabled
WebDAV Enabled
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C
, 
CWE-16
, 
ISO27001-A.9.4.4
, 
WASC-15
, 
Information
WP Engine Configuration File Detected
WP Engine Configuration File Detected
CWE-285
, 
ISO27001-A.9.4.1
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low