| Vulnerability Scanner | Count |
|---|---|
| IBM AppScan | 29 |
| WebInspect | 26 |
| Acunetix WVS (Commercial Edition) | 23 |
| Nessus | 22 |
| Syhunt Dynamic (Sandcat Pro) | 16 |
| Burp Suite Professional | 16 |
| QualysGuard WAS | 15 |
| NTOSpider (Obsolete Version / Results) | 14 |
| Netsparker (Commercial Edition) | 13 |
| JSky (Commercial Edition) | 13 |
| Ammonite | 9 |
| ParosPro | 8 |
| WebCruiser Enterprise Edition | 4 |
| | SQLi | BSQLi | SSJSi | RXSS | PXSS | DXSS | JSONh | LFI | RFI | CMDExec | UPLOAD | REDIRECT | CRLFi | LDAPi | XPATHi | MXi | SSI | FORMATi | CODEi | XMLi | ELi | BUFFERo | INTEGERo | CODEDisc | BACKUPf | PADDING | AUTHb | PRIVe | XXE | SESSION | FIXATION | CSRF | ADoS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Scanners: | 13 | 13 | 2 | 13 | 9 | 5 | 2 | 12 | 8 | 11 | 5 | 9 | 11 | 6 | 8 | 3 | 4 | 4 | 4 | 3 | 2 | 5 | 1 | 9 | 9 | 5 | 5 | 3 | 4 | 7 | 5 | 6 | 2 |
| Alias | Audit Feature | Description | References |
|---|---|---|---|
| SQLi | Error Based SQL Injection | Syntax injection attack that can affect the structure of database queries | 1, 2, 3, 4, 5 |
| BSQLi | Blind/Time-Based SQL Injection | Syntax injection attack that can affect the structure of database queries | 1, 2 |
| SSJSi | Server-Side JavaScript (SSJS/NoSQL) Injection | Syntax injection attack that can affect the structure of server-side JavaScript in AJAX servers/NoSQL databases | 1, 2, 3, 4, 5 |
| RXSS | Reflected Cross Site Scripting | Browser-output targeted attack that can execute HTML, JS and VBS code in other users' browsers | 1, 2, 3, 4, 5 |
| PXSS | Persistent Cross Site Scripting | Browser-output targeted attack that can execute HTML, JS and VBS code in other users' browsers | 1, 2, 3 |
| DXSS | DOM Based Cross Site Scripting | Browser-output targeted attack that can execute HTML, JS and VBS code in other users' browsers | 1, 2, 3 |
| JSONh | JSON Hijacking | JSON Hijacking (JavaScript Hijacking) is an attack in which a third-party website abuses the behaviour of script tags and JSON to gain access to private data | 1, 2, 3, 4 |
| LFI | Path Traversal & Local File Inclusion | Attacks that can affect the application's file and directory access or inclusion | 1, 2, 3, 4, 5, 6, 7 |
| RFI | Remote File Inclusion | Attacks that can include (and potentially execute) remote code in the application | 1, 2 |
| CMDExec | Command Injection | Syntax injection attack that can execute system commands on the target host | 1, 2, 3, 4, 5, 6 |
| UPLOAD | Unrestricted File Upload | A vulnerability that can enable attackers to upload malicious files to the server | 1, 2 |
| REDIRECT | Open Redirect | Browser-output targeted attack that can mislead users and redirect them to spoofed content | 1, 2, 3, 4 |
| CRLFi | HTTP Header Injection & HTTP Response Splitting | Browser-output targeted attack that affects the browser through header/response injection | 1, 2, 3, 4 |
| LDAPi | LDAP Injection | Syntax injection attack that can affect the structure of LDAP queries | 1, 2, 3, 4 |
| XPATHi | XPath/XQuery Injection | Syntax injection attack that can affect the structure of XPath queries | 1, 2, 3, 4, 5, 6, 7 |
| MXi | SMTP/IMAP/Email Injection | Syntax injection attack that can spoof semi-legitimate emails and execute mail commands | 1, 2, 3, 4 |
| SSI | Server-Side Includes Injection | Syntax injection attack that can execute scripts on the web server | 1, 2, 3, 4, 5 |
| FORMATi | Format String Attack | An attack that can abuse formatting functions to crash programs or execute harmful code | 1, 2, 3, 4, 5 |
| CODEi | Code Injection | Syntax injection attack that can execute technology-specific code on the server | 1, 2, 3, 4, 5 |
| XMLi | XML Injection | An injection attack that can manipulate the logic of XML-dependent services | 1, 2 |
| ELi | EL Injection | Expression Language Injection is an injection attack that can execute limited rogue code on platforms that use "double evaluation" | 1, 2 |
| BUFFERo | Buffer Overflow | A memory corruption attack that can crash services and execute malicious code | 1, 2, 3, 4, 5, 6, 7, 8, 9 |
| INTEGERo | Integer Overflow | A memory corruption attack that can wrap numeric values around and indirectly affect resources | 1, 2, 3, 4, 5 |
| CODEDisc | Source Code Disclosure | A collection of vulnerabilities that can be used to disclose the server source code | 1 |
| BACKUPf | Backup Files | A dictionary attack that attempts to locate unrestricted access to obsolete and sensitive files | 1 |
| PADDING | Padding Oracle | A cryptographic attack on the CBC mode of operation that can decrypt messages without the encryption key | 1, 2 |
| AUTHb | Forceful Browsing / Authentication Bypass | An attack that can bypass the authentication enforcement using direct resource access | 1, 2, 3, 4, 5 |
| PRIVe | Privilege Escalation | An attack that can enable access to restricted/private content (via parameter tampering or direct access) | 1, 2, 3, 4, 5, 6, 7 |
| XXE | XML External Entity | An attack that abuses the dynamic XML processing features of web services by introducing XML structures with links to content outside of the sphere of control | 1, 2, 3, 4 |
| SESSION | Weak Session Identifier | A vulnerability that can be exploited to impersonate application users | 1, 2, 3, 4, 5, 6 |
| FIXATION | Session Fixation | A vulnerability that can fixate (set) another person's session identifier in order to facilitate further attacks | 1, 2, 3, 4, 5, 6 |
| CSRF | Cross Site Request Forgery | A vulnerability that can enable malicious third parties to perform operations on behalf of users | 1, 2, 3, 4, 5, 6 |
| ADoS | Application Denial of Service | An attack that can deny service to legitimate users via application-level issues | 1, 2, 3, 4, 5, 6, 7 |