Application Common Attack Vectors (A-CAV)

Server Side Attacks – Request
HTTP Response Splitting
Information Leakage
Error message display
Session and cookies
Credential/Session Prediction
Non-HttpOnly Session Cookie
Unsecured Session Cookie
Insufficient Session Expiration
Session Fixation
Persistent Session Cookie
Server Side Attacks – Response
Fingerprinting
Directory guessing
Predictable Resource Location
Directory Traversal
Path Traversal
Buffer Overflow
SQL Injection
Improper Input Handling
Server Misconfiguration
OS Command Injection
RFI / LFI
Web defacement
HTTP Request Splitting
HTTP smuggling

Client side attacks
Autocomplete Attribute
Cross Site Scripting
Cross Site Request Forgery
Weak Password Recovery Validation
Clickjacking
Slow attacks
Slowloris
Slow read
Slow post
Protocols attacks
Invalid HTTP Method Usage
Null Byte Injection
Format string attacks
HTTP structure
JSON structure misuse
Business Attacks
Web scraping
Denial of Service
Brute Force
Credential stuffing
Bots