IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn

knowledge graph

The security knowledge graph for web and API vulnerabilities.

Clear, standards-mapped explanations of the vulnerability classes that lead to real compromise. Every entry connects to its CWE, CAPEC, MITRE ATT&CK, and OWASP references - and to the related flaws it chains with. Built and maintained by the team behind Impactr, an autonomous AI penetration testing platform.

Guides & checklistsComparisonsSecurity glossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Access Control

Insecure Direct Object Reference (IDOR)

An application exposes references to objects (IDs, filenames, keys) and fails to verify that the current user is authorized to access the referenced object.

CWE-639A01:2021

Cross-Site Request Forgery (CSRF)

An attacker tricks an authenticated user's browser into submitting a state-changing request the user did not intend.

CWE-352A01:2021

Path Traversal (Directory Traversal)

Unsanitized file path input lets an attacker escape the intended directory and read or write arbitrary files.

CWE-22A01:2021

Broken Access Control

Users can act outside their intended permissions - accessing other users' data or admin functionality - because access controls are missing or inconsistent.

CWE-284A01:2021

Injection

SQL Injection (SQLi)

Untrusted input is concatenated into a SQL query, letting an attacker alter the query's logic to read, modify, or destroy data.

CWE-89A03:2021

Cross-Site Scripting (XSS)

An application reflects or stores untrusted input that is later interpreted as active script in a victim's browser.

CWE-79A03:2021

Server-Side Template Injection (SSTI)

User input is embedded into a server-side template and evaluated by the template engine, often leading to remote code execution.

CWE-1336A03:2021

OS Command Injection

Untrusted input is passed to a system shell, letting an attacker execute arbitrary operating-system commands.

CWE-78A03:2021

Server-Side

Server-Side Request Forgery (SSRF)

An attacker coerces a server into making HTTP requests to targets of their choosing - often internal services or cloud metadata endpoints.

CWE-918A10:2021

XML External Entity Injection (XXE)

A weakly configured XML parser resolves attacker-defined external entities, enabling file disclosure, SSRF, and denial of service.

CWE-611A05:2021

Authentication

JWT Attacks

Weak validation of JSON Web Tokens - unverified signatures, alg confusion, or weak keys - lets attackers forge trusted tokens.

CWE-347A07:2021

Data & Serialization

Insecure Deserialization

Untrusted serialized data is deserialized without validation, allowing object tampering and often remote code execution.

CWE-502A08:2021
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub