This is the list of weakness types on HackerOne that you can choose from when submitting a report:
Note: While we try to keep this list as up-to-date as possible, it may not include all weakness types.
External ID | Weakness Type | Description |
Phishing | Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information. | |
UI Redressing (Clickjacking) | In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different system. | |
Cache Poisoning | An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value. | |
XSS Using MIME Type Mismatch | An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser. | |
Privilege Escalation | An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform. | |
Local File Inclusion | The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways. | |
DNS Zone Transfers | An attacker exploits a DNS misconfiguration that permits a ZONE transfer. Some external DNS servers will return a list of IP addresses and valid hostnames. Under certain conditions, it may even be possible to obtain Zone data about the organization's internal network. When successful the attacker learns valuable information about the topology of the target organization, including information about particular servers, their role within the IT structure, and possibly information about the operating systems running upon the network. This is configuration dependent behavior so it may also be required to search out multiple DNS servers while attempting to find one with ZONE transfers allowed. | |
Search Order Hijacking | An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded. | |
Malware | An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. | |
DLL Side-Loading | An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading. | |
Improper Input Validation | The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. | |
Path Traversal | The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. | |
Relative Path Traversal | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. | |
Path Traversal: '.../...//' | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. | |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | The software does not adequately filter user-controlled input for special elements with control implications. | |
Command Injection - Generic | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. | |
OS Command Injection | The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. | |
Cross-site Scripting (XSS) - DOM | In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as Javascript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible. | |
Cross-site Scripting (XSS) - Generic | The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. | |
Cross-site Scripting (XSS) - Reflected | The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser. | |
Cross-site Scripting (XSS) - Stored | The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs. | |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. | |
SQL Injection | The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. | |
LDAP Injection | The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. | |
XML Injection | The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. | |
CRLF Injection | The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. | |
Code Injection | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. | |
Remote File Inclusion | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. | |
Resource Injection | The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. | |
HTTP Response Splitting | The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. | |
Memory Corruption - Generic | The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. | |
Classic Buffer Overflow | The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. | |
Stack Overflow | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). | |
Heap Overflow | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). | |
Write-what-where Condition | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. | |
Buffer Underflow | The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. | |
Out-of-bounds Read | The software reads data past the end, or before the beginning, of the intended buffer. | |
Buffer Over-read | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. | |
Buffer Under-read | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. | |
Wrap-around Error | Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value. | |
Array Index Underflow | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. | |
Incorrect Calculation of Buffer Size | The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. | |
Use of Externally-Controlled Format String | The software uses a function that accepts a format string as an argument, but the format string originates from an external source. | |
Improper Neutralization of Escape, Meta, or Control Sequences | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. | |
Improper Null Termination | The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. | |
Improper Handling of URL Encoding (Hex Encoding) | The software does not properly handle when all or part of an input has been URL encoded. | |
Incomplete Denylist | An application uses a "denylist" of prohibited values, but the denylist is incomplete. | |
Integer Overflow | The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. | |
Integer Underflow | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. | |
Off-by-one Error | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. | |
Information Disclosure | An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. | |
Information Exposure Through Sent Data | The accidental exposure of sensitive information through sent data refers to the transmission of data which are either sensitive in and of itself or useful in the further exploitation of the system through standard data channels. | |
Information Exposure Through Discrepancy | The product behaves differently or sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. | |
Information Exposure Through Timing Discrepancy | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. | |
Information Exposure Through an Error Message | The software generates an error message that includes sensitive information about its environment, users, or associated data. | |
Information Exposure Through Debug Information | The application contains debugging code that can expose sensitive information to untrusted parties. | |
Use of Inherently Dangerous Function | The program calls a function that can never be guaranteed to work safely. | |
Plaintext Storage of a Password | Storing a password in plaintext may result in a system compromise. | |
Storing Passwords in a Recoverable Format | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. | |
Use of Hard-coded Password | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. | |
Password in Configuration File | The software stores a password in a configuration file that might be accessible to actors who do not know the password. | |
Weak Cryptography for Passwords | Obscuring a password with a trivial encoding does not protect the password. | |
Improper Privilege Management | The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. | |
Improper Handling of Insufficient Permissions or Privileges | The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state. | |
Improper Access Control - Generic | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | |
Improper Authorization | The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. | |
Improper Authentication - Generic | When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. | |
Authentication Bypass Using an Alternate Path or Channel | A product requires authentication, but the product has an alternate path or channel that does not require authentication. | |
Improper Certificate Validation | The software does not validate, or incorrectly validates, a certificate. | |
Improper Following of a Certificate's Chain of Trust | The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. | |
Man-in-the-Middle | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. | |
Brute Force | The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks. | |
Cryptographic Issues - Generic | Weaknesses in this category are related to the use of cryptography. | |
Missing Encryption of Sensitive Data | The software does not encrypt sensitive or critical information before storage or transmission. | |
Cleartext Storage of Sensitive Information | The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. | |
Cleartext Transmission of Sensitive Information | The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. | |
Use of Hard-coded Cryptographic Key | The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. | |
Key Exchange without Entity Authentication | The software performs a key exchange with an actor without verifying the identity of that actor. | |
Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. | |
Use of a Key Past its Expiration Date | The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. | |
Missing Required Cryptographic Step | The software does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by that algorithm. | |
Inadequate Encryption Strength | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. | |
Use of a Broken or Risky Cryptographic Algorithm | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. | |
Reversible One-Way Hash | The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques. | |
Use of Insufficiently Random Values | The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. | |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG is not cryptographically strong. | |
Reliance on Reverse DNS Resolution for a Security-Critical Action | The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. | |
Cross-Site Request Forgery (CSRF) | The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. | |
Privacy Violation | The software does not properly prevent private data (such as credit card numbers) from being accessed by actors who either (1) are not explicitly authorized to access the data or (2) do not have the implicit consent of the people to which the data is related. | |
Trust of System Event Data | Security based on event locations are insecure and can be spoofed. | |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. | |
Time-of-check Time-of-use (TOCTOU) Race Condition | The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. | |
Insecure Temporary File | Creating and using insecure temporary files can leave application and system data vulnerable to attack. | |
Session Fixation | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. | |
Unchecked Error Condition | Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. | |
Denial of Service | The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended. | |
Improper Handling of Highly Compressed Data (Data Amplification) | The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. | |
Double Free | The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. | |
Use After Free | Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. | |
Forced Browsing | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. | |
Untrusted Search Path | The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control. | |
HTTP Request Smuggling | When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it. | |
User Interface (UI) Misrepresentation of Critical Information | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. | |
Modification of Assumed-Immutable Data (MAID) | The software does not properly protect an assumed-immutable element from being modified by an attacker. | |
NULL Pointer Dereference | A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. | |
Leftover Debug Code (Backdoor) | The application was deployed with active debugging code that can create unintended entry points. | |
Deserialization of Untrusted Data | The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. | |
Embedded Malicious Code | The application contains code that appears to be malicious in nature. | |
Replicating Malicious Code (Virus or Worm) | Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software. | |
Insufficiently Protected Credentials | This weakness occurs when the application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval. | |
Unprotected Transport of Credentials | Login pages not using adequate measures to protect the username and password while they are in transit from the client to the server. | |
Use of Web Browser Cache Containing Sensitive Information | The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. | |
File and Directory Information Exposure | The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere. | |
Information Exposure Through Directory Listing | A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. | |
Open Redirect | A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. | |
Client-Side Enforcement of Server-Side Security | The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. | |
Externally Controlled Reference to a Resource in Another Sphere | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. | |
XML External Entities (XXE) | The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. | |
Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." | |
Unverified Password Change | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. | |
Insecure Direct Object Reference (IDOR) | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. | |
Weak Password Recovery Mechanism for Forgotten Password | The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. | |
External Control of Critical State Data | The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. | |
Improper Neutralization of HTTP Headers for Scripting Syntax | The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. | |
Security Through Obscurity | The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. | |
Violation of Secure Design Principles | The product violates well-established principles for secure design. | |
Uncontrolled Recursion | The product does not properly control the amount of recursion that takes place, which consumes excessive resources, such as allocated memory or the program stack. | |
Incorrect Comparison | The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. | |
Improper Check or Handling of Exceptional Conditions | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. | |
Exposed Dangerous Method or Function | The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. | |
Allocation of Resources Without Limits or Throttling | The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor. | |
XML Entity Expansion | The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. | |
Reliance on Cookies without Validation and Integrity Checking in a Security Decision | The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. | |
Use of Hard-coded Credentials | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | |
Reliance on Untrusted Inputs in a Security Decision | The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. | |
Business Logic Errors | Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. | |
Type Confusion | The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. | |
Incorrect Authorization | The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. | |
Server-Side Request Forgery (SSRF) | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. | |
Insecure Storage of Sensitive Information | The software stores sensitive information without properly limiting read or write access by unauthorized actors. | |
Improper Export of Android Application Components | The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. |