Attacks | OWASP Foundation
Attacks
What is an attack?
Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks are often confused with vulnerabilities, so please try to be sure that the attack you are describing is something that an attacker would do, rather than a weakness in an application.
List of Attacks
- Binary Planting
- Blind SQL Injection
- Blind XPath Injection
- Brute Force Attack
- Buffer Overflow via Environment Variables
- Buffer Overflow Attack
- CORS OriginHeaderScrutiny
- CORS RequestPreflightScrutiny by Dominique RIGHETTO
- CSV Injection by Timo Goosen, Albinowax
- Cache Poisoning by Weilin Zhong, Rezos
- Cash Overflow by psiinon
- Clickjacking by Gustav Rydstedt
- Code Injection by Weilin Zhong, Rezos
- Command Injection by Weilin Zhong
- Comment Injection Attack by Weilin Zhong, Rezos
- Content Spoofing by Andrew Smith
- Credential stuffing by Neal Mueller
- Cross-User Defacement
- Cross Site Scripting (XSS) by KirstenS
- Cross Frame Scripting by Rezos, Justin Ludwig
- Cross Site History Manipulation (XSHM) by Adar Weidman
- Cross Site Tracing
- Cryptanalysis
- Custom Special Character Injection by Rezos
- Denial of Service by Nsrav
- Direct Dynamic Code Evaluation - Eval Injection
- Embedding Null Code by Nsrav
- Execution After Redirect (EAR) by Robert Gilbert (amroot)
- Forced browsing
- Form action hijacking by Robert Gilbert (amroot)
- Format string attack
- Full Path Disclosure
- Function Injection
- HTTP/2 Reset Attack by Vaibhav Malik
- HTTP Response Splitting
- LDAP Injection
- Log Injection
- Man-in-the-browser attack
- Manipulator-in-the-middle attack
- Mobile code invoking untrusted mobile code
- Mobile code non-final public field
- Mobile code object hijack
- Parameter Delimiter
- Password Spraying Attack by Rishu Ranjan
- Path Traversal
- Qrljacking
- RSQL Injection by David Utón (m3n0sd0n4ld)
- Reflected DOM Injection
- Regular expression Denial of Service - ReDoS by Adar Weidman
- Repudiation Attack
- Resource Injection
- Reverse Tabnabbing
- SQL Injection
- Server-Side Includes (SSI) Injection by Weilin Zhong, Nsrav
- Server Side Request Forgery by Eoftedal
- Session Prediction
- Session fixation by mwood
- Session hijacking attack
- Setting Manipulation
- Special Element Injection
- Spyware
- Traffic flood
- Trojan Horse
- Unicode Encoding
- Web Parameter Tampering
- Windows ::DATA Alternate Data Stream
- XPATH Injection
- XSRF
- XSS in Converting File Content to Text by Mohammad Reza Omrani
- XSS in subtitle by Mohammad MortazaviZade
- Cross Site Request Forgery (CSRF) by KirstenS
- IP Spoofing via HTTP Headers by Ahmadreza Parsizadeh
- Web Service Amplification Attack by Thomas Vissers
The OWASP® Foundation works to improve the security of software through its community-led open source software projects,
hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.