Sinks

Sink functions grouped by vulnerability type, with one entry each for Java, PHP and Node.js. A sink is the call at which attacker-controlled data finally has its dangerous effect; these are the functions to trace towards in taint analysis and to grep for in code review.

Remote Code Execution (RCE)

Java: Runtime.getRuntime().exec(), ProcessBuilder.start(), Method.invoke() (reflection on an attacker-chosen class or method), ScriptEngine.eval(), InitialContext.lookup() (JNDI injection)
PHP: shell_exec(), exec(), system(), passthru(), proc_open(), popen(), eval(), assert() (string argument, PHP 7 and earlier), create_function()
Node.js: child_process.exec(), child_process.execSync(), child_process.spawn() (with shell: true, or an attacker-controlled command name), vm.runInContext(), vm.runInNewContext() (the vm module is not a sandbox), eval(), new Function()

SQL Injection (SQLi)

Java: Statement.executeQuery(), Statement.executeUpdate(), Statement.execute(), EntityManager.createQuery() and EntityManager.createNativeQuery() (JPQL or SQL built by string concatenation)
PHP: mysqli_query(), mysql_query() (removed in PHP 7, still found in legacy code), pg_query(), PDO::query() and PDO::exec() (without prepared statements)
Node.js: db.collection.find({ user: req.query.user }) (NoSQL injection in MongoDB when the value is an object carrying operators such as $ne), sequelize.query() (raw queries), connection.query() in the mysql/pg drivers with a concatenated query string
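
Added example (JavaScript, not code from the original page) for the MongoDB entry in this row: operator injection through a filter object. The collection, the request bodies and matchesFilter() (a toy stand-in for the server's query matcher, supporting equality, $ne and $gt only) are constructed for the demo; with the real driver the same filter object is sent to the server unchanged, and Express 4's default query parser (qs) builds the same object from ?password[$ne]=.

```javascript
// Added example (not code from the original page). matchesFilter() is a toy
// stand-in for MongoDB's query matcher covering equality, $ne and $gt only; with
// the real driver the same filter object reaches the server unchanged.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      // Operator document, e.g. { $ne: "" }: exactly the shape an attacker smuggles in.
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$ne') return doc[field] !== arg;
        if (op === '$gt') return doc[field] > arg;
        throw new Error(`unsupported operator ${op}`);
      });
    }
    return doc[field] === cond;
  });
}

// Constructed sample collection. Plaintext secrets are for the demo only.
const USERS = [
  { user: 'alice', password: 'alice-pw', role: 'user' },
  { user: 'admin', password: 'hunter2', role: 'admin' },
];

// Vulnerable: the parsed body (or req.query under Express 4's qs parser, where
// ?password[$ne]= yields { $ne: "" }) goes straight into the filter.
function loginVulnerable(body) {
  const filter = { user: body.user, password: body.password };
  return USERS.find((u) => matchesFilter(u, filter)) || null;
}

// Hardened: where the schema expects a string, refuse anything else before it
// can become an operator document.
function requireString(value, name) {
  if (typeof value !== 'string') throw new TypeError(`${name} must be a string`);
  return value;
}

function loginHardened(body) {
  const filter = {
    user: requireString(body.user, 'user'),
    password: requireString(body.password, 'password'),
  };
  return USERS.find((u) => matchesFilter(u, filter)) || null;
}

// Constructed attacker body: logs in as admin without knowing the password.
const INJECTED_BODY = { user: 'admin', password: { $ne: '' } };
```

loginVulnerable(INJECTED_BODY) returns the admin document; loginHardened(INJECTED_BODY) throws before any query is built. The type check belongs at the schema boundary (a validation library gives the same effect), not inside each query.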

Path Traversal / Arbitrary File Read/Write

Java: new File(String), new FileReader(String), new FileWriter(String), Files.readAllBytes(Path), Paths.get(String), ZipInputStream.getNextEntry() (archive entry names used as output paths: Zip Slip)
PHP: file_get_contents(), fopen(), readfile(), include(), require() (local and remote file inclusion), unlink()
Node.js: fs.readFileSync(), fs.readFile(), fs.createReadStream(), fs.writeFileSync(), fs.unlinkSync(), and path.join()/path.resolve() whenever the result is not checked against the intended base directory

Server-Side Request Forgery (SSRF)

Java: URL.openConnection() (usually cast to HttpURLConnection), URL.openStream(), RestTemplate.getForObject(), WebClient.get().uri()
PHP: file_get_contents("http://..."), fopen() and any other function that accepts URL wrappers, curl_exec() (with an attacker-controlled CURLOPT_URL), stream_context_create() (only in combination with a URL-accepting function)
Node.js: http.get(), https.get(), axios.get(), fetch(), request() (the deprecated request package)

Cross-Site Scripting (XSS)

Java: response.getWriter().write(), HttpServletResponse.getOutputStream().print(), JSP: <%= userInput %> (unescaped scriptlet expression)
PHP: echo $_GET["input"]; print($_POST["input"]); printf($_GET["input"]); (also a format-string sink) exit($_GET["input"]); (a string argument is printed unescaped before exit)
Node.js: res.send(req.query.input) (Express sets Content-Type text/html for a string body), res.write(req.body.input), document.write(location.search) and element.innerHTML = location.hash (DOM XSS in client-side JS)

Cross-Site Request Forgery (CSRF)

Java: doPost(HttpServletRequest req, HttpServletResponse res), doPut(HttpServletRequest req, HttpServletResponse res), doDelete(HttpServletRequest req, HttpServletResponse res) and any other state-changing handler that relies on the session cookie alone, without a token check
PHP: forms with method="POST" and no CSRF token, session-modifying endpoints ($_SESSION, setcookie())
Node.js: app.post('/update', (req, res) => {...}) (without CSRF token verification)

XML External Entity (XXE) Injection

Java: DocumentBuilder.parse(), SAXParser.parse(), XMLReader.parse(), TransformerFactory.newInstance().newTransformer().transform() (all unless external DTDs and entities are disabled on the factory)
PHP: simplexml_load_string() and DOMDocument::loadXML() (external entity expansion is off by default since libxml2 2.9 and is switched back on by the LIBXML_NOENT flag), xml_parser_create() (expat-based)
Node.js: libxmljs.parseXml() (with noent: true), xml2js.parseString() (sax-based; it does not expand external entities, so it is not an XXE sink in practice, but it is the parser to check first when auditing Node.js XML handling)

LDAP Injection

Java: DirContext.search(), LdapContext.search() (filter string built by concatenation)
PHP: ldap_search(), ldap_list(), ldap_read()
Node.js: client.search() (ldapjs, with a filter string built from user input)
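
Added example (JavaScript, not code from the original page) for this row: a filter built by concatenation beside one built with RFC 4515 escaping. The inputs and findPersonByUid() are constructed; it assumes an ldapjs-style client whose search(base, options, callback) takes a filter string, and is not run against a directory here.

```javascript
// Added example (not code from the original page). Inputs are constructed;
// findPersonByUid() assumes an ldapjs-style client.search(base, options, callback).

// Vulnerable: filter built by concatenation. An input such as "*)(uid=*"
// turns a single-user lookup into a match for every person entry.
function buildFilterVulnerable(uid) {
  return `(&(objectClass=person)(uid=${uid}))`;
}

// RFC 4515 escaping for values inside a search filter: backslash, star, the
// parentheses and NUL become \XX hex escapes. (DN components follow the
// different RFC 4514 rules; do not reuse this for DNs.)
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

function buildFilterHardened(uid) {
  return `(&(objectClass=person)(uid=${escapeLdapFilterValue(uid)}))`;
}

// The page's sink with the escaped filter. Assumed ldapjs-style API.
function findPersonByUid(client, baseDn, uid, callback) {
  client.search(baseDn, { scope: 'sub', filter: buildFilterHardened(uid) }, callback);
}
```

Escaping keeps the value a value; it does not make a wildcard search safe if a bare "*" is a legitimate input for your application, so reject or length-limit such inputs separately.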

Insecure Logging (Information Disclosure)

Java: Logger.info(), Logger.debug(), System.out.println(), PrintWriter.println() (secrets, tokens or raw request bodies written to logs; unsanitised input in the message also enables log injection)
PHP: error_log($_GET["input"]); var_dump($_POST["password"]); print_r($_SERVER);
Node.js: console.log(req.body.password), winston.log('info', req.query.debug)

Insecure Cryptography

Java: MessageDigest.getInstance("MD5"), MessageDigest.getInstance("SHA-1"), Cipher.getInstance("DES"), Cipher.getInstance("AES") and Cipher.getInstance("AES/ECB/PKCS5Padding") (the bare "AES" transformation defaults to ECB on the standard providers; "ECB" on its own is not a valid transformation)
PHP: md5(), sha1(), crypt("plaintext", "salt") (a two-character salt selects the DES-based scheme), base64_encode() (encoding, not encryption; flag it wherever it is used to "protect" data)
Node.js: crypto.createHash('md5'), crypto.createCipher('des', key) (no explicit IV, key and IV derived from the password by one round of MD5 with no salt; deprecated since Node 10 and removed in Node 22)

Insecure Session Management

Java: HttpSession.getAttribute(), request.getSession(true) (a session created at login without session.invalidate() on the old one: session fixation)
PHP: session_start() without session_regenerate_id(true) after login, setcookie("PHPSESSID", ...) without the Secure and HttpOnly flags
Node.js: req.session.user = "admin" (express-session without cookie.secure, cookie.httpOnly and cookie.sameSite)
