PowerWAF Security Reference
Attacks Encyclopedia
A comprehensive reference of 25 web application attacks. Learn how they work, see real-world examples, and discover how to defend against them.
Account Takeover (ATO)
Account Takeover (ATO) is an attack in which a malicious actor gains unauthorized access to a user's account by exploiti...
Blind SQL Injection
Blind SQL Injection is an advanced form of SQL injection where the attacker cannot see query results directly in the app...
Broken Authentication
Broken authentication refers to weaknesses in an application's authentication mechanisms that allow attackers to comprom...
Command Injection Attack
Command injection is a vulnerability where an application executes arbitrary system commands on the host operating syste...
Credential Stuffing Attack
A credential stuffing attack is a cyberattack where automated bots use stolen username and password pairs from previous ...
DNS Amplification Attack
A DNS amplification attack is a reflection-based distributed denial-of-service (DDoS) attack that exploits open DNS reso...
HTTP/2 Rapid Reset Attack
The HTTP/2 Rapid Reset attack (CVE-2023-44487) exploits the stream multiplexing and cancellation mechanism in HTTP/2 to ...
Local File Inclusion (LFI)
Local File Inclusion (LFI) is a vulnerability that allows an attacker to include and read, or in some cases execute, f...
Path Traversal Attack
A path traversal attack (also known as directory traversal or dot-dot-slash attack) exploits insufficient input validati...
Remote File Inclusion (RFI)
Remote File Inclusion (RFI) is a vulnerability that allows an attacker to include and execute a file hosted on a remote ...
Sensitive Data Exposure
Sensitive data exposure occurs when an application fails to adequately protect confidential information, such as creden...
Session Hijacking
Session hijacking is an attack where an adversary takes over a legitimate user's active web session by stealing, predict...
SQL Injection (SQLi)
SQL Injection is a code injection technique that exploits vulnerabilities in an application's database layer by insertin...
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) is an attack where the attacker forces a server-side application to make HTTP request...
SYN Flood Attack
A SYN flood is a denial-of-service attack that exploits the TCP three-way handshake by sending massive volumes of SYN pa...
Brute Force Attack
A brute force attack is a trial-and-error method used to guess login credentials, encryption keys, or hidden pages by sy...
Clickjacking Attack
Clickjacking (also known as UI redressing) is an attack that tricks users into clicking on something different from what...
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is an injection attack where malicious scripts are injected into trusted websites. When a use...
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to execute unwanted actions on a web appl...
HTTP Flood Attack
An HTTP Flood is an application-layer (Layer 7) DDoS attack that overwhelms a web server by sending massive volumes of s...
IDOR Attack (Insecure Direct Object Reference)
An Insecure Direct Object Reference (IDOR) attack occurs when an application exposes a direct reference to an internal o...
JWT Attack (JSON Web Token)
A JWT attack exploits vulnerabilities in JSON Web Token implementation to bypass authentication, escalate privileges, or...
Password Spraying Attack
Password spraying is a type of brute force attack that tests a small number of commonly used passwords against a large n...
Slowloris Attack
Slowloris is a low-bandwidth DDoS attack that exhausts a server's connection pool by opening multiple connections and ke...
UDP Flood Attack
A UDP flood is a volumetric denial-of-service attack that exploits the connectionless, stateless nature of the User Data...