A Web application does not validate a client’s access to a resource.

Unvalidated input can be distinguished from valid instructions.

Unvalidated input is embedded in an instruction stream.

A Web action performs an operation on behalf of the user without checking a shared secret.

The cookie is a persistent cookie.

The cookie is not available to client script.

The cookie is sent over an encrypted channel.

The cookie is deleted when the user closes the browser.

Null

Less than sign(<)

Greater than sign(>)

Single quote (')

Reflected XSS

Persistent XSS

Insecure direct object references

Failure to restrict URL access

Input validation using an allow list

SQL queries based on user input

Memory size checks

Validate integer values before referencing arrays

Server configuration files

GET/POST parameters

Network ports

Server code

Injection

Security misconfiguration

Insecure cryptographic storage

Cross-site request forgery