Functionality Abuse
Data uniqueness not properly verified
Description The application does not properly validate the uniqueness of the data, allowing an attacker to reuse or regenerate information that should be valid for one use only. Impact Lead to different vulnerabilities by abusing the misconfigured ...
Hidden fields manipulation
Description It is possible to modify fields that are invisible to the regular user and cause undesired behaviors in the application. Impact Force unwanted actions in the application by modifying resources that should not be accessible to the user. ...
Privacy violation
Description The system violates one or more privacy requirements. Impact Incur legal trouble due to a violation of user privacy. Recommendation Abide by the privacy regulations in force. Threat Unauthenticated attacker from the Internet in the ...
Account lockout
Description It is possible to cause account lockouts, effectively blocking users from accessing the system. Impact Prevent valid users from accessing the application. Recommendation Avoid blocking user accounts as a protection mechanism; make it ...
Non-upgradable dependencies
Description Dependencies are not explicitly declared (name and version) within the source code. They are copied directly into the repositories. Impact - Loss of maintainability because dependencies are not maintained. - Late update of units in case a ...
Improper authorization control for web services - RDS
Description Some RDS instances can be publicly accessible, which can compromise the stored information. Impact Obtain confidential information from the database. Recommendation Ensure that the relational databases are accessible only by users and roles ...
Duplicate code
Description The application's source code has duplicate code, which may cause unexpected behaviors. Impact - Reduce the maintainability of the code. - Facilitate the propagation of errors if the duplicate code contains any vulnerability. ...
Insecure service configuration - ELB
Description A misconfiguration or default setting on Elastic Load Balancers that can unintentionally increase the attack surface of the company's cloud infrastructure. Impact - Result in the connection between load balancer and server being ...
Improper resource allocation
Description The system allocates unnecessary resources due to the use of improper programming practices or inefficient algorithms. Alternatively, the allocation can be controlled by an external source (e.g., user input), and hence, requests that ...
Cached form fields
Description The application does not disable caching of input fields, so the submitted information is stored in the browser's cache. Impact Obtain valid users of the application. Recommendation Browser-level caching of the data must be disabled using ...
Traceability loss - Server's clock
Description The system's internal clock is not synced with NTP servers. Impact Write log entries with a wrong date. Recommendation Sync the server date with an NTP server. Threat Anonymous attacker from the Internet. Expected Remediation Time ⌚ 30 ...
Remote File Inclusion
Description The application allows loading and executing malicious files from remote locations. This practice may allow an attacker to retrieve sensitive data from the server or execute commands remotely. Impact - Obtain sensitive data from the server. ...
Insecure service configuration - Host verification
Description The system does not properly restrict incoming connections from unknown external hosts. Impact Establish connections with untrusted machines. Recommendation Validate that incoming connections come from trusted hosts already defined in the ...
Debugging enabled in production - APK
Description The system has debugging enabled in the production environment, which can cause technical information leaks when an error occurs. Impact Get technical or sensitive information. Recommendation Configure the attribute: ...
Insecure service configuration - ADB Backups
Description The application allows backups via ADB (Android Debug Bridge). The backups performed by this functionality are not encrypted. Sensitive data of authenticated users can be included in the backup, and this data can be extracted by a ...
Lack of root detection
Description The application does not check whether the Android system on which it is running has been rooted. Impact Install malicious tools in order to cause unexpected behaviors. Recommendation Validate that the device is not rooted at application ...
Password change without identity check
Description The system allows a user to change their password without requesting the previous one or enforcing another identity verification mechanism. Impact Gain total control over a user account. Recommendation - Guarantee that the current ...
Insecure functionality
Description A functionality that is part of the system can be leveraged by an attacker in order to negatively impact it. Impact Change the password after the security code has been compromised. Recommendation Validate on the server side that the ...
Symmetric denial of service
Description The server is rendered unresponsive by successively repeating a request which consumes a lot of resources or takes too long to be processed. Impact Temporarily or permanently deny access to one or several application services. ...
Asymmetric denial of service
Description The server is rendered unresponsive as a result of one of the following: - An amplification attack, which uses a single request to produce multiple responses. - A single malicious request that breaks the application or consumes an ...