This listing enumerates every issue class that ZOFixer can detect. Each row gives the severity rating (Very High down to Informational), the vulnerability category, and the specific variant within that category; variants are named as "Base Issue - Qualifier" so that, for example, the three SSRF rows are told apart by their impact (Internal High Impact, unqualified, External).
Severity | Vulnerability Category | Specific Vulnerability / Variant |
---|---|---|
Very High | Server Security Misconfiguration | Using Default Credentials |
Very High | Server-Side Injection | File Inclusion |
Very High | Server-Side Injection | Remote Code Execution (RCE) |
Very High | Server-Side Injection | SQL Injection |
Very High | Server-Side Injection | XML External Entity Injection (XXE) |
Very High | Broken Authentication and Session Management | Authentication Bypass |
Very High | Sensitive Data Exposure | Disclosure of Secrets |
Very High | Insecure OS/Firmware | Command Injection |
Very High | Insecure OS/Firmware | Hardcoded Password |
Very High | Broken Cryptography | Cryptographic Flaw |
High | Server Security Misconfiguration | Misconfigured DNS - High Impact Subdomain Takeover |
High | Server Security Misconfiguration | OAuth Misconfiguration - Account Takeover |
High | Sensitive Data Exposure | Weak Password Reset Implementation - Token Leakage via Host Header Poisoning |
High | Cross-Site Scripting (XSS) | Stored - Non-Privileged User to Anyone |
High | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) - Internal High Impact |
High | Cross-Site Request Forgery (CSRF) | Application-Wide |
High | Application-Level Denial-of-Service (DoS) | Critical Impact and/or Easy Difficulty |
High | Insecure OS/Firmware | Hardcoded Password - Non-Privileged User |
Medium | Server Security Misconfiguration | Misconfigured DNS - Basic Subdomain Takeover |
Medium | Server Security Misconfiguration | Mail Server Misconfiguration - No Spoofing Protection on Email Domain |
Medium | Server-Side Injection | HTTP Response Manipulation - Response Splitting (CRLF) |
Medium | Server-Side Injection | Content Spoofing - iframe Injection |
Medium | Broken Authentication and Session Management | Second Factor Authentication (2FA) Bypass |
Medium | Broken Authentication and Session Management | Session Fixation - Remote Attack Vector |
Medium | Sensitive Data Exposure | Disclosure of Secrets - For Internal Asset |
Medium | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images - Automatic User Enumeration |
Medium | Cross-Site Scripting (XSS) | Stored - Privileged User to Privilege Elevation |
Medium | Cross-Site Scripting (XSS) | Stored - CSRF/URL-Based |
Medium | Cross-Site Scripting (XSS) | Reflected |
Medium | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) |
Medium | Application-Level Denial-of-Service (DoS) | High Impact and/or Medium Difficulty |
Medium | Client-Side Injection | Binary Planting - Default Folder Privilege Escalation |
Low | Server Security Misconfiguration | Misconfigured DNS - Zone Transfer |
Low | Server Security Misconfiguration | Mail Server Misconfiguration - Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain |
Low | Server Security Misconfiguration | Database Management System (DBMS) Misconfiguration - Excessively Privileged User / DBA |
Low | Server Security Misconfiguration | Lack of Password Confirmation - Delete Account |
Low | Server Security Misconfiguration | No Rate Limiting on Form - Registration |
Low | Server Security Misconfiguration | No Rate Limiting on Form - Login |
Low | Server Security Misconfiguration | No Rate Limiting on Form - Email-Triggering |
Low | Server Security Misconfiguration | No Rate Limiting on Form - SMS-Triggering |
Low | Server Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag - Session Token |
Low | Server Security Misconfiguration | Clickjacking - Sensitive Click-Based Action |
Low | Server Security Misconfiguration | OAuth Misconfiguration - Account Squatting |
Low | Server Security Misconfiguration | CAPTCHA - Implementation Vulnerability |
Low | Server Security Misconfiguration | Lack of Security Headers - Cache-Control for a Sensitive Page |
Low | Server Security Misconfiguration | Web Application Firewall (WAF) Bypass - Direct Server Access |
Low | Server-Side Injection | Content Spoofing - Impersonation via Broken Link Hijacking |
Low | Server-Side Injection | Content Spoofing - External Authentication Injection |
Low | Server-Side Injection | Server-Side Template Injection (SSTI) - Basic |
Low | Broken Authentication and Session Management | Cleartext Transmission of Session Token |
Low | Broken Authentication and Session Management | Weak Login Function - Other Plaintext Protocol with no Secure Alternative |
Low | Broken Authentication and Session Management | Weak Login Function - Over HTTP |
Low | Broken Authentication and Session Management | Failure to Invalidate Session - On Logout (Client and Server-Side) |
Low | Broken Authentication and Session Management | Failure to Invalidate Session - On Password Reset and/or Change |
Low | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images - Manual User Enumeration |
Low | Sensitive Data Exposure | Visible Detailed Error/Debug Page - Detailed Server Configuration |
Low | Sensitive Data Exposure | Token Leakage via Referer - Untrusted 3rd Party |
Low | Sensitive Data Exposure | Sensitive Token in URL - User Facing |
Low | Sensitive Data Exposure | Via localStorage/sessionStorage - Sensitive Token |
Low | Cross-Site Scripting (XSS) | Stored - Privileged User to No Privilege Elevation |
Low | Cross-Site Scripting (XSS) | Universal (UXSS) |
Low | Cross-Site Scripting (XSS) | Off-Domain - Data URI |
Low | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) - External |
Low | Broken Access Control (BAC) | Username/Email Enumeration - Non-Brute Force |
Low | Unvalidated Redirects and Forwards | Open Redirect - GET-Based |
Low | Insufficient Security Configurability | No Password Policy |
Low | Insufficient Security Configurability | Weak Password Reset Implementation - Token is Not Invalidated After Use |
Low | Insufficient Security Configurability | Weak 2FA Implementation - 2FA Secret Cannot be Rotated |
Low | Insecure Data Storage | Sensitive Application Data Stored Unencrypted - On External Storage |
Low | Insecure Data Storage | Server-Side Credentials Storage - Plaintext |
Low | Insecure Data Transport | Executable Download - No Secure Integrity Check |
Informational | Server Security Misconfiguration | Directory Listing Enabled - Non-Sensitive Data Exposure |
Informational | Server Security Misconfiguration | Same-Site Scripting |
Informational | Server Security Misconfiguration | Misconfigured DNS - Missing Certification Authority Authorization (CAA) Record |
Informational | Server Security Misconfiguration | Mail Server Misconfiguration - Email Spoofing to Spam Folder |
Informational | Server Security Misconfiguration | Lack of Password Confirmation - Change Email Address |
Informational | Server Security Misconfiguration | No Rate Limiting on Form - Change Password |
Informational | Server Security Misconfiguration | Unsafe File Upload - No Antivirus |
Informational | Server Security Misconfiguration | Unsafe File Upload - File Extension Filter Bypass |
Informational | Server Security Misconfiguration | Cookie Scoped to Parent Domain |
Informational | Server Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag - Non-Session Cookie |
Informational | Server Security Misconfiguration | Clickjacking - Form Input |
Informational | Server Security Misconfiguration | Exposed Admin Portal To Internet |
Informational | Server Security Misconfiguration | Missing DNSSEC |
Informational | Server Security Misconfiguration | Fingerprinting/Banner Disclosure |
Informational | Server Security Misconfiguration | Potentially Unsafe HTTP Method Enabled - OPTIONS |
Informational | Server Security Misconfiguration | Potentially Unsafe HTTP Method Enabled - TRACE |
Informational | Server Security Misconfiguration | Insecure SSL - Lack of Forward Secrecy |
Informational | Server Security Misconfiguration | Insecure SSL - Insecure Cipher Suite |
Informational | Server Security Misconfiguration | Insecure SSL - Certificate Error |
Informational | Server Security Misconfiguration | Reflected File Download (RFD) |
Informational | Server Security Misconfiguration | Lack of Security Headers - X-Frame-Options |
Informational | Server Security Misconfiguration | Lack of Security Headers - Cache-Control for a Non-Sensitive Page |
Informational | Server Security Misconfiguration | Lack of Security Headers - X-XSS-Protection |
Informational | Server Security Misconfiguration | Lack of Security Headers - Strict-Transport-Security |
Informational | Server Security Misconfiguration | Lack of Security Headers - X-Content-Type-Options |
Informational | Server Security Misconfiguration | Lack of Security Headers - Content-Security-Policy |
Informational | Server Security Misconfiguration | Bitsquatting |
Informational | Server-Side Injection | Parameter Pollution - Social Media Sharing Buttons |
Informational | Server-Side Injection | Content Spoofing - Flash Based External Authentication Injection |
Informational | Server-Side Injection | Content Spoofing - Text Injection |
Informational | Server-Side Injection | Content Spoofing - Homograph/IDN-Based |
Informational | Server-Side Injection | Content Spoofing - Right-to-Left Override (RTLO) |
Informational | Broken Authentication and Session Management | Session Fixation - Local Attack Vector |
Informational | Broken Authentication and Session Management | Failure to Invalidate Session - On Logout (Server-Side Only) |
Informational | Broken Authentication and Session Management | Concurrent Logins |
Informational | Sensitive Data Exposure | Visible Detailed Error/Debug Page - Full Path Disclosure |
Informational | Sensitive Data Exposure | Sensitive Token in URL - In the Background |
Informational | Sensitive Data Exposure | Mixed Content (HTTPS Sourcing HTTP) |
Informational | Sensitive Data Exposure | Sensitive Data Hardcoded - OAuth Secret |
Informational | Sensitive Data Exposure | JSON Hijacking |
Informational | Cross-Site Scripting (XSS) | Stored - Self |
Informational | Cross-Site Scripting (XSS) | Reflected - Self |
Informational | Cross-Site Scripting (XSS) | Flash-Based |
Informational | Cross-Site Scripting (XSS) | Cookie-Based |
Informational | Cross-Site Scripting (XSS) | TRACE Method |
Informational | Application-Level Denial-of-Service (DoS) | App Crash - Malformed Android Intents |
Informational | Unvalidated Redirects and Forwards | Open Redirect |
Informational | Unvalidated Redirects and Forwards | Reverse Tabnabbing |
Informational | Unvalidated Redirects and Forwards | Lack of Security Speed Bump Page |
Informational | External Behavior | Browser Feature - Plaintext Password Field |
Informational | External Behavior | Browser Feature - Save Password |
Informational | External Behavior | Browser Feature - Autocomplete Enabled |
Informational | External Behavior | Browser Feature - Autocorrect Enabled |
Informational | External Behavior | Browser Feature - Aggressive Offline Caching |
Informational | External Behavior | CSV Injection |
Informational | External Behavior | Captcha Bypass - Crowdsourcing |
Informational | External Behavior | System Clipboard Leak - Shared Links |
Informational | External Behavior | User Password Persisted in Memory |