Item Memorize Web Application Threat Any weakness in application logic, input handling, authentication, or configuration that can be exploited to compromise confidentiality, integrity, or availability
Rank Vulnerability Code Name 1 A01:2021 Broken Access Control 2 A02:2021 Cryptographic Failures 3 A03:2021 Injection 4 A04:2021 Insecure Design 5 A05:2021 Security Misconfiguration 6 A06:2021 Vulnerable and Outdated Components 7 A07:2021 Identification and Authentication Failures 8 A08:2021 Software and Data Integrity Failures 9 A09:2021 Security Logging and Monitoring Failures 10 A10:2021 Server-Side Request Forgery (SSRF)
MEMORY HOOK:Access → Crypto → Injection → Design → Config → Components → Auth → Integrity → Logging → SSRF
Item Memorize Meaning Failure to enforce restrictions on authenticated users Result Unauthorized actions
Cause Missing access checks Client-side access control IDOR (Insecure Direct Object Reference) Metadata manipulation Force browsing
Step Action 1 User authenticates 2 Modifies request 3 Server fails to verify authorization 4 Unauthorized resource accessed
Impact Data exposure Privilege escalation Account takeover
Item Memorize Meaning Improper use or absence of cryptography Affects Data in transit and at rest
Failure Plaintext data transmission Weak encryption algorithms Hardcoded keys No TLS Improper key management
Impact Data leakage MITM attacks Credential theft
MEMORY HOOK:No crypto → stolen data
Item Memorize Meaning Untrusted input interpreted as commands Root Cause Lack of input validation
Type SQL Injection NoSQL Injection OS Command Injection LDAP Injection XPath Injection
Step Action 1 Attacker submits crafted input 2 Application trusts input 3 Interpreter executes payload
Impact Data loss Authentication bypass Remote code execution
Item Memorize Meaning Missing or ineffective security controls Phase Design stage
Characteristic No threat modeling Missing business logic validation Insecure workflows
Trap Correct Coding bug NO Design flaw YES
Item Memorize Meaning Incorrect security configuration Layer Application, server, platform
Example Default credentials Verbose errors Unnecessary services Directory listing Unpatched software
Impact Information disclosure Full compromise
Item Memorize Meaning Using components with known vulnerabilities Includes Libraries, frameworks, OS
Cause No inventory No patching Unsupported software
Impact Exploitable known CVEs Full system compromise
MEMORY HOOK:Old = exploitable
Item Memorize Meaning Weak or broken auth mechanisms Replaces Broken Authentication
Example Weak passwords No MFA Session fixation Credential stuffing
Impact Account takeover Privilege escalation
Item Memorize Meaning Lack of integrity verification Target Updates, CI/CD, serialized data
Example Unsigned updates Insecure deserialization Compromised plugins
Impact Remote code execution Supply-chain compromise
Item Memorize Meaning Inability to detect attacks Root Cause Missing or weak logging
Example No logs Logs not monitored No alerts
Impact Delayed breach detection Extended attacker persistence
Item Memorize Meaning Server makes unauthorized requests Controlled By Attacker input
Step Action 1 Attacker supplies URL 2 Server fetches resource 3 Internal systems accessed
Impact Internal port scanning Cloud metadata access Credential leakage
MEMORY HOOK:Server becomes attacker’s proxy