Vulnerability type collection to go through for each web application.
Reflected File Download (RFD) (JSON endpoint or JSON API)
Brute Force (CWE-307)
Business Logic Errors (CWE-840)
CRLF Injection (CWE-93)
Cleartext Storage of Sensitive Information (CWE-312)
Cleartext Transmission of Sensitive Information (CWE-319)
Client-Side Enforcement of Server-Side Security (CWE-602)
Code Injection (CWE-94)
Command Injection - Generic (CWE-77)
Cross-Site Request Forgery (CSRF) (CWE-352)
Cross-site Scripting (XSS) - DOM (CWE-79)
Cross-site Scripting (XSS) - Generic (CWE-79)
Cross-site Scripting (XSS) - Reflected (CWE-79)
Cross-site Scripting (XSS) - Stored (CWE-79)
Cross-site Scripting (XSS) - Mutation
Cryptographic Issues - Generic (CWE-310)
Denial of Service (CWE-400)
Deserialization of Untrusted Data (CWE-502)
Double Free (CWE-415)
Forced Browsing (CWE-425)
HTTP Request Smuggling (CWE-444)
HTTP Response Splitting (CWE-113)
Heap Overflow (CWE-122)
Improper Access Control - Generic (CWE-284)
Improper Authentication - Generic (CWE-287)
Improper Certificate Validation (CWE-295)
Improper Following of a Certificate's Chain of Trust (CWE-296)
Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)
Inadequate Encryption Strength (CWE-326)
Information Exposure Through Debug Information (CWE-215)
Information Exposure Through Directory Listing (CWE-548)
Information Exposure Through an Error Message (CWE-209)
Insecure Direct Object Reference (IDOR) (CWE-639)
Insecure Storage of Sensitive Information (CWE-922)
Insufficient Session Expiration (CWE-613)
Insufficiently Protected Credentials (CWE-522)
Key Exchange without Entity Authentication (CWE-322)
LDAP Injection (CWE-90)
Malware (CAPEC-549)
Missing Encryption of Sensitive Data (CWE-311)
Missing Required Cryptographic Step (CWE-325)
NULL Pointer Dereference (CWE-476)
OS Command Injection (CWE-78)
Off-by-one Error (CWE-193)
Unvalidated/Open Redirect (CWE-601)
Out-of-bounds Read (CWE-125)
Password in Configuration File (CWE-260)
Path Traversal (CWE-22)
Plaintext Storage of a Password (CWE-256)
Privacy Violation (CWE-359)
Privilege Escalation (CAPEC-233)
Reliance on Cookies without Validation and Integrity Checking in a Security Decision (CWE-784)
Remote File Inclusion (CWE-98)
Resource Injection (CWE-99)
Reusing a Nonce, Key Pair in Encryption (CWE-323)
Reversible One-Way Hash (CWE-328)
SQL Injection (CWE-89)
Security Through Obscurity (CWE-656)
Server-Side Request Forgery (SSRF/XSPA) (CWE-918)
Session Fixation (CWE-384)
Stack Overflow (CWE-121)
Storing Passwords in a Recoverable Format (CWE-257)
Type Confusion (CWE-843)
UI Redressing (Clickjacking) (CAPEC-103)
Unprotected Transport of Credentials (CWE-523)
Unverified Password Change (CWE-620)
Use After Free (CWE-416)
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
Use of Externally-Controlled Format String (CWE-134)
Use of Hard-coded Credentials (CWE-798)
Use of Hard-coded Cryptographic Key (CWE-321)
Use of Hard-coded Password (CWE-259)
Use of Inherently Dangerous Function (CWE-242)
Use of Insufficiently Random Values (CWE-330)
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Use of a Key Past its Expiration Date (CWE-324)
Violation of Secure Design Principles (CWE-657)
Weak Cryptography for Passwords (CWE-261)
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Wrap-around Error (CWE-128)
Write-what-where Condition (CWE-123)
XML Entity Expansion (CWE-776)
XML External Entities (XXE) (CWE-611)
XML Injection (CWE-91)
Denial of Service (DoS) (CWE-400)
Guessable CAPTCHA (CWE-804)
Unrestricted Upload of File with Dangerous Type (CWE-434)
Overly Permissive Cross-domain Whitelist (CWE-942)
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
DNS misconfiguration
Missing Best Practice
Allocation of Resources Without Limits or Throttling (CWE-770)
Array Index Underflow (CWE-129)
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Brute Force (CWE-307)
Buffer Over-read (CWE-126)
Buffer Under-read (CWE-127)
Buffer Underflow (CWE-124)
Business Logic Errors (CWE-840)
CRLF Injection (CWE-93)
Classic Buffer Overflow (CWE-120)
Cleartext Storage of Sensitive Information (CWE-312)
Cleartext Transmission of Sensitive Information (CWE-319)
Client-Side Enforcement of Server-Side Security (CWE-602)
Code Injection (CWE-94)
Command Injection - Generic (CWE-77)
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
Cross-Site Request Forgery (CSRF) (CWE-352)
Cross-site Scripting (XSS) - DOM (CWE-79)
Cross-site Scripting (XSS) - Generic (CWE-79)
Cross-site Scripting (XSS) - Reflected (CWE-79)
Cross-site Scripting (XSS) - Stored (CWE-79)
Cryptographic Issues - Generic (CWE-310)
Denial of Service (CWE-400)
Deserialization of Untrusted Data (CWE-502)
Double Free (CWE-415)
Download of Code Without Integrity Check (CWE-494)
Embedded Malicious Code (CWE-506)
Execution with Unnecessary Privileges (CWE-250)
Exposed Dangerous Method or Function (CWE-749)
External Control of Critical State Data (CWE-642)
Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) (CWE-75)
File and Directory Information Exposure (CWE-538)
Forced Browsing (CWE-425)
HTTP Request Smuggling (CWE-444)
HTTP Response Splitting (CWE-113)
Heap Overflow (CWE-122)
Improper Access Control - Generic (CWE-284)
Improper Authentication - Generic (CWE-287)
Improper Authorization (CWE-285)
Improper Certificate Validation (CWE-295)
Improper Check or Handling of Exceptional Conditions (CWE-703)
Improper Export of Android Application Components (CWE-926)
Improper Following of a Certificate's Chain of Trust (CWE-296)
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
Improper Handling of URL Encoding (Hex Encoding) (CWE-177)
Improper Input Validation (CWE-20)
Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)
Improper Null Termination (CWE-170)
Improper Privilege Management (CWE-269)
Inadequate Encryption Strength (CWE-326)
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
Incomplete Blacklist (CWE-184)
Incorrect Authorization (CWE-863)
Incorrect Calculation of Buffer Size (CWE-131)
Incorrect Comparison (CWE-697)
Incorrect Permission Assignment for Critical Resource (CWE-732)
Information Disclosure (CWE-200)
Information Exposure Through Debug Information (CWE-215)
Information Exposure Through Directory Listing (CWE-548)
Information Exposure Through Discrepancy (CWE-203)
Information Exposure Through Sent Data (CWE-201)
Information Exposure Through Timing Discrepancy (CWE-208)
Information Exposure Through an Error Message (CWE-209)
Insecure Direct Object Reference (IDOR) (CWE-639)
Insecure Storage of Sensitive Information (CWE-922)
Insecure Temporary File (CWE-377)
Insufficient Session Expiration (CWE-613)
Insufficiently Protected Credentials (CWE-522)
Integer Overflow (CWE-190)
Integer Underflow (CWE-191)
Key Exchange without Entity Authentication (CWE-322)
LDAP Injection (CWE-90)
Leftover Debug Code (Backdoor) (CWE-489)
Malware (CAPEC-549)
Man-in-the-Middle (CWE-300)
Memory Corruption - Generic (CWE-119)
Misconfiguration (CWE-16)
Missing Authentication for Critical Function (CWE-306)
Missing Authorization (CWE-862)
Missing Encryption of Sensitive Data (CWE-311)
Missing Required Cryptographic Step (CWE-325)
Modification of Assumed-Immutable Data (MAID) (CWE-471)
NULL Pointer Dereference (CWE-476)
OS Command Injection (CWE-78)
Off-by-one Error (CWE-193)
Open Redirect (CWE-601)
Out-of-bounds Read (CWE-125)
Password in Configuration File (CWE-260)
Path Traversal (CWE-22)
Path Traversal: '.../...//' (CWE-35)
Phishing (CAPEC-98)
Plaintext Storage of a Password (CWE-256)
Privacy Violation (CWE-359)
Privilege Escalation (CAPEC-233)
Relative Path Traversal (CWE-23)
Reliance on Cookies without Validation and Integrity Checking in a Security Decision (CWE-784)
Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)
Reliance on Untrusted Inputs in a Security Decision (CWE-807)
Remote File Inclusion (CWE-98)
Replicating Malicious Code (Virus or Worm) (CWE-509)
Resource Injection (CWE-99)
Reusing a Nonce, Key Pair in Encryption (CWE-323)
Reversible One-Way Hash (CWE-328)
SQL Injection (CWE-89)
Security Through Obscurity (CWE-656)
Server-Side Request Forgery (SSRF) (CWE-918)
Session Fixation (CWE-384)
Stack Overflow (CWE-121)
Storing Passwords in a Recoverable Format (CWE-257)
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Trust of System Event Data (CWE-360)
Type Confusion (CWE-843)
UI Redressing (Clickjacking) (CAPEC-103)
Unchecked Error Condition (CWE-391)
Uncontrolled Recursion (CWE-674)
Unprotected Transport of Credentials (CWE-523)
Unrestricted Upload of File with Dangerous Type (CWE-434)
Untrusted Search Path (CWE-426)
Unverified Password Change (CWE-620)
Use After Free (CWE-416)
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
Use of Externally-Controlled Format String (CWE-134)
Use of Hard-coded Credentials (CWE-798)
Use of Hard-coded Cryptographic Key (CWE-321)
Use of Hard-coded Password (CWE-259)
Use of Inherently Dangerous Function (CWE-242)
Use of Insufficiently Random Values (CWE-330)
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Use of a Key Past its Expiration Date (CWE-324)
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
Violation of Secure Design Principles (CWE-657)
Weak Cryptography for Passwords (CWE-261)
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Wrap-around Error (CWE-128)
Write-what-where Condition (CWE-123)
XML Entity Expansion (CWE-776)
XML External Entities (XXE) (CWE-611)
XML Injection (CWE-91)
XSS Using MIME Type Mismatch (CAPEC-209)