← Back to appsec.fyi
Application Security Glossary
Definitions I keep coming back to. If you're new to appsec or just need a refresher, this should help.
Vulnerability Classes
- Cross-Site Scripting (XSS)
- Injecting malicious scripts into web pages that other users view. There are three flavors: reflected (payload bounces off the server in the response), stored (payload persists in the database and hits every visitor), and DOM-based (the vulnerability lives entirely in client-side JavaScript). XSS is still the most commonly reported bug on platforms like HackerOne.
- SQL Injection (SQLi)
- Manipulating SQL queries by injecting input that the application treats as code instead of data. Can be in-band (you see the results directly), blind (you infer data from true/false responses or time delays), or out-of-band (data exfiltrated through DNS or HTTP callbacks). Parameterized queries kill it dead, yet it still shows up everywhere.
- Server-Side Request Forgery (SSRF)
- Tricking the server into making HTTP requests to places it shouldn't — internal services, cloud metadata endpoints (169.254.169.254), or private networks. SSRF became a top-10 issue after the Capital One breach. If your app fetches URLs on behalf of users, you probably have attack surface here.
- Cross-Site Request Forgery (CSRF)
- Forcing a logged-in user's browser to make requests they didn't intend — transferring funds, changing emails, anything state-changing. The attacker never sees the response; they just need the victim's browser to send the request with cookies attached. SameSite cookies have reduced the attack surface significantly, but bypasses exist.
- Insecure Direct Object Reference (IDOR)
- Accessing someone else's data by changing an ID in a request — swapping
user_id=123 to user_id=124. The server trusts the client to only request its own resources. UUIDs make it harder to guess, but if the UUID leaks anywhere in the application, you're back to square one. This is really just a subset of broken access control, but it gets its own category because it's so common in bug bounty.
- XML External Entity (XXE)
- Exploiting XML parsers that process external entity references. You craft XML with an entity that points to a local file (
file:///etc/passwd) or an internal URL, and the parser fetches it for you. Blind XXE uses out-of-band channels when you can't see the response directly. Modern parsers disable external entities by default, but legacy configurations are everywhere.
- Remote Code Execution (RCE)
- The big one. Any vulnerability that lets an attacker run arbitrary code on the server. Can come from deserialization flaws, template injection, command injection, file upload bugs, or dependency vulnerabilities. RCE is usually a critical finding because there's nothing left to protect once someone has a shell.
- Server-Side Template Injection (SSTI)
- Injecting template syntax (Jinja2, Twig, Velocity, etc.) into server-side templates. If user input ends up inside a template expression rather than being rendered as a string, you can often escalate to RCE by walking the language's object hierarchy. The
{{7*7}} test is the classic first step. See RCE resources.
- Insecure Deserialization
- When an application deserializes untrusted data without validation. In Java, that means gadget chains via ysoserial. In PHP, it's
unserialize() and phar:// wrappers. In Python, it's pickle.loads(). The core problem is the same everywhere: deserialization can trigger method calls, and attackers chain existing classes together to reach code execution.
- Broken Access Control
- A catch-all for any failure to enforce who can do what. Covers vertical privilege escalation (regular user accesses admin functions), horizontal privilege escalation (user A accesses user B's data), and missing function-level checks. It's been #1 on the OWASP Top 10 since 2021 for a reason — most apps get authentication right but authorization wrong.
- Broken Object Level Authorization (BOLA)
- The API-specific name for IDOR. An API endpoint that takes an object ID doesn't verify the caller owns that object. BOLA is #1 on the OWASP API Security Top 10. Testing for it is straightforward: authenticate as user A, grab object IDs from user B's responses, and see if the API serves them up. See API Security resources.
- Broken Function Level Authorization (BFLA)
- An API lets you call admin endpoints just because you're authenticated — it checks who you are but not what you're allowed to do. The classic test: find the admin API docs (or guess the endpoints) and replay requests with a regular user's token. See API Security resources.
- Command Injection
- When user input gets concatenated into a shell command. The semicolon, pipe, and backtick are your friends:
; cat /etc/passwd. Usually found in features that interact with the OS — ping utilities, file processors, PDF generators. The fix is to avoid shell execution entirely and use language-level APIs instead.
- Prototype Pollution
- A JavaScript-specific vulnerability where an attacker modifies
Object.prototype, affecting every object in the application. Commonly found through recursive merge functions that don't filter __proto__ or constructor.prototype. Impact ranges from denial of service to RCE depending on what the application does with polluted properties downstream.
- Race Condition
- When the outcome depends on the timing of concurrent operations. In web apps, this usually means sending the same request multiple times before the first one finishes — redeeming a coupon twice, withdrawing money from the same balance concurrently, or bypassing rate limits. The recent HTTP/2 single-packet attack made these far more practical to exploit.
- Mass Assignment
- Sending extra parameters in a request that the API blindly binds to an internal object. If the user model has an
is_admin field and you include "is_admin": true in your profile update request, some frameworks will happily set it. The fix: explicitly whitelist which fields can be updated. See API Security resources.
Techniques & Concepts
- Privilege Escalation
- Moving from lower to higher access. Vertical escalation means going from regular user to admin. Horizontal escalation means accessing another user's data at the same privilege level. Both are access control failures, but they require different testing approaches. See Authorization resources.
- Certificate Pinning
- A mobile app security measure that hardcodes which TLS certificate or public key the app trusts, preventing interception by proxy tools like Burp Suite. Bypassing it (usually with Frida or objection) is step one of most mobile pentests. See Mobile Security resources.
- Gadget Chain
- A sequence of existing classes in an application's classpath that, when deserialized in the right order, produces a useful side effect — usually code execution. The attacker doesn't inject new code; they just arrange existing code like puzzle pieces. ysoserial and PHPGGC are the standard tools for generating them. See Deserialization resources.
- WAF Bypass
- Getting a payload past a Web Application Firewall. Techniques include case variation (
UnIoN SeLeCt), comment injection (/**/), double encoding, HTTP parameter pollution, and using equivalent functions the WAF doesn't recognize. WAFs are a speed bump, not a wall — if the underlying code is vulnerable, someone will find a bypass.
- Out-of-Band (OOB) Exfiltration
- Extracting data through a side channel when you can't see the response directly. Usually involves making the target server issue a DNS lookup or HTTP request to an attacker-controlled server, encoding the stolen data in the subdomain or URL path. Burp Collaborator is the go-to tool for this.
- DOM Clobbering
- Abusing how browsers expose named HTML elements as properties on
document and window. By injecting HTML with specific id or name attributes, you can overwrite JavaScript variables and objects, potentially bypassing sanitization or security checks. Niche but effective when other XSS vectors are blocked.
- Dependency Confusion
- Publishing a malicious package to a public registry (npm, PyPI) with the same name as a company's private internal package but a higher version number. Build systems that check public registries first — or don't pin to a private source — will pull the attacker's version instead. Alex Birsan's 2021 research showed this affecting Apple, Microsoft, and dozens of others.
- Typosquatting
- Registering package names that look like popular ones —
reqeusts instead of requests, lodahs instead of lodash. Developers install them by accident and the malicious package runs arbitrary code via post-install scripts. Package registries have started adding protections, but new typosquat campaigns show up weekly.
- DNS Rebinding
- A technique that bypasses same-origin policy and SSRF filters by making a domain resolve to an external IP first (passing validation), then re-resolving to an internal IP when the actual request is made. The server thinks it's talking to an external host, but it's actually hitting 127.0.0.1 or a cloud metadata endpoint.
- Subdomain Enumeration
- Finding all subdomains of a target organization — often the first step in a pentest or bug bounty engagement. Combines passive sources (certificate transparency logs, DNS datasets) with active techniques (brute-forcing, DNS resolution). Tools like subfinder, amass, and httpx form the standard pipeline.
- Subdomain Takeover
- When a subdomain's DNS points to an external service (GitHub Pages, Heroku, S3) that has been decommissioned. An attacker claims the same resource on the external service and now controls content served from the target's subdomain. Can be chained with cookie scoping to steal session cookies.
- OWASP Top 10
- The industry standard awareness document for web application security risks, updated every few years. The 2021 edition put Broken Access Control at #1 and added new categories like SSRF and Software Supply Chain. Not a checklist or a testing guide — more of a "here's what's hurting people the most right now." owasp.org
- OWASP ASVS
- Application Security Verification Standard. If the Top 10 is the awareness doc, ASVS is the actual checklist — three tiers of security requirements (opportunistic, standard, advanced) that you can test against. Useful for setting a security baseline or scoping a pentest. owasp.org
- Burp Suite
- The de facto standard for web application security testing. An intercepting proxy with a scanner, repeater, intruder, and a massive extension ecosystem (BApp Store). The community edition is free; Pro adds the scanner and advanced features. If you do web security, you use Burp.
- ysoserial
- A proof-of-concept tool that generates Java deserialization payloads using known gadget chains from common libraries (Commons Collections, Spring, Groovy). You pick a chain, provide a command, and it spits out a serialized object that triggers RCE when deserialized. There are .NET and PHP equivalents (ysoserial.net, PHPGGC). See Deserialization resources.
- Nuclei
- A template-based vulnerability scanner from ProjectDiscovery. The power is in the community templates — thousands of YAML files that check for specific CVEs, misconfigurations, and exposures. Fast, scriptable, and easy to extend. Pairs well with subfinder and httpx for full recon-to-scan pipelines. See Recon resources.
- TruffleHog
- A secrets scanner that finds and verifies leaked credentials across Git repos, S3 buckets, wikis, chat logs, and more. What sets it apart: it actually tests whether detected secrets are live by calling the relevant API. Catches things gitleaks misses because it understands 800+ credential formats.
- Gitleaks
- A fast, lightweight secrets scanner focused on Git repositories. Uses regex-based pattern matching, runs in CI pipelines as a pre-commit hook or GitHub Action. Doesn't verify whether secrets are active (unlike TruffleHog), but the speed and simplicity make it a solid first line of defense.
- Frida
- A dynamic instrumentation toolkit that lets you inject JavaScript into running processes on Android, iOS, Windows, macOS, and Linux. In mobile security testing, it's used to bypass certificate pinning, disable root detection, and hook into application methods at runtime. Objection is a popular wrapper that makes common Frida tasks easier. See Mobile Security resources.
- MobSF
- Mobile Security Framework — an automated, open-source tool for static and dynamic analysis of Android and iOS apps. Decompiles APKs, scans for hardcoded secrets, weak crypto, insecure storage, and maps findings to the OWASP Mobile Top 10. A good starting point before diving into manual testing with Frida. See Mobile Security resources.
- SLSA (Supply-chain Levels for Software Artifacts)
- A security framework with four levels of increasing assurance for software build integrity. Focuses on provenance — being able to prove that a binary was built from specific source code by a specific build system. Pairs with SBOM and Sigstore. You can get to SLSA Level 2 in an afternoon.
- SBOM (Software Bill of Materials)
- A machine-readable inventory of every component in your software — like a nutrition label for code. When Log4Shell hit, organizations with SBOMs could answer "are we affected?" in minutes instead of days. CycloneDX and SPDX are the two main formats.
- Sigstore
- Open-source infrastructure for signing and verifying software artifacts. Uses short-lived certificates tied to your identity (OIDC), so there are no long-lived keys to manage or leak. Cosign signs container images, Fulcio issues certificates, and Rekor provides a public transparency log.
- AFL (American Fuzzy Lop)
- A coverage-guided fuzzer that instruments binaries and uses genetic algorithms to evolve inputs that trigger new code paths. AFL and its successor AFL++ have found thousands of bugs in real-world software. Google's OSS-Fuzz runs it (and libFuzzer) continuously against critical open-source projects.
Defensive Controls
- Content Security Policy (CSP)
- An HTTP header that tells the browser which sources of content are allowed to load. A strict CSP can neutralize most XSS attacks by blocking inline scripts and limiting where scripts can load from. Getting CSP right is harder than it looks —
unsafe-inline and overly broad source lists defeat the purpose. Nonce-based or hash-based policies are the way to go.
- SameSite Cookies
- A cookie attribute that controls when cookies are sent with cross-origin requests.
Strict blocks cookies on all cross-site requests. Lax (the default in modern browsers) allows them only for top-level GET navigations. This single change broke a huge number of CSRF attacks, though bypasses through method overrides and cookie refresh still exist. See CSRF resources.
- CORS (Cross-Origin Resource Sharing)
- A mechanism that lets servers declare which origins can access their resources via browser requests. Misconfigured CORS — especially reflecting the Origin header or allowing
null — can let attackers read API responses cross-origin, which is basically the same impact as XSS. The Access-Control-Allow-Credentials: true header with a wildcard origin is the classic misconfiguration.
- Rate Limiting
- Restricting how many requests a client can make in a given time window. Prevents brute-force attacks, credential stuffing, and API abuse. Implementation matters: rate limiting by IP fails against distributed attacks, and per-endpoint limits can be bypassed by hitting different paths that trigger the same backend logic.
- Input Validation vs. Output Encoding
- Two different things that people constantly confuse. Input validation checks that data matches expected formats (is this an email? is this a number?). Output encoding transforms data so it's safe in a specific context (HTML entities, URL encoding, JavaScript string escaping). For XSS prevention, output encoding is what actually matters — input validation alone is not enough.
- Parameterized Queries
- The correct fix for SQL injection. Instead of concatenating user input into SQL strings, you use placeholders that the database driver fills in safely. Also called prepared statements. Every modern language and framework supports them. If you're building SQL strings with string concatenation in 2026, we need to talk.
- Subresource Integrity (SRI)
- An HTML attribute that lets browsers verify that a fetched resource (script, stylesheet) hasn't been tampered with by checking its cryptographic hash. If you load JavaScript from a CDN, SRI ensures a compromised CDN can't serve malicious code. Use it for any external resource you don't control.
- HTTP Security Headers
- A collection of response headers that enable browser security features:
Strict-Transport-Security (force HTTPS), X-Content-Type-Options (prevent MIME sniffing), X-Frame-Options (prevent clickjacking), Referrer-Policy (control referrer leakage), and Permissions-Policy (restrict browser APIs). Easy wins that take minutes to implement.