knowledge graph
The security knowledge graph for web and API vulnerabilities.
Clear, standards-mapped explanations of the vulnerability classes that lead to real compromise. Every entry connects to its CWE, CAPEC, MITRE ATT&CK, and OWASP references - and to the related flaws it chains with. Built and maintained by the team behind Impactr, an autonomous AI penetration testing platform.
Access Control
Insecure Direct Object Reference (IDOR)
An application exposes references to objects (IDs, filenames, keys) and fails to verify that the current user is authorized to access the referenced object.
Cross-Site Request Forgery (CSRF)
An attacker tricks an authenticated user's browser into submitting a state-changing request the user did not intend.
Path Traversal (Directory Traversal)
Unsanitized file path input lets an attacker escape the intended directory and read or write arbitrary files.
Broken Access Control
Users can act outside their intended permissions - accessing other users' data or admin functionality - because access controls are missing or inconsistent.
Injection
SQL Injection (SQLi)
Untrusted input is concatenated into a SQL query, letting an attacker alter the query's logic to read, modify, or destroy data.
Cross-Site Scripting (XSS)
An application reflects or stores untrusted input that is later interpreted as active script in a victim's browser.
Server-Side Template Injection (SSTI)
User input is embedded into a server-side template and evaluated by the template engine, often leading to remote code execution.
OS Command Injection
Untrusted input is passed to a system shell, letting an attacker execute arbitrary operating-system commands.
Server-Side
Server-Side Request Forgery (SSRF)
An attacker coerces a server into making HTTP requests to targets of their choosing - often internal services or cloud metadata endpoints.
XML External Entity Injection (XXE)
A weakly configured XML parser resolves attacker-defined external entities, enabling file disclosure, SSRF, and denial of service.