MCP.directory

top-100-web-vulnerabilities-reference

by davila7
42
3
Source

This skill should be used when the user asks to "identify web application vulnerabilities", "explain common security flaws", "understand vulnerability categories", "learn about injection attacks", "review access control weaknesses", "analyze API security issues", "assess security misconfigurations", "understand client-side vulnerabilities", "examine mobile and IoT security flaws", or "reference the OWASP-aligned vulnerability taxonomy". Use this skill to provide comprehensive vulnerability definitions, root causes, impacts, and mitigation strategies across all major web security categories.

Install

mkdir -p .claude/skills/top-100-web-vulnerabilities-reference && curl -L -o skill.zip "https://mcp.directory/api/skills/download/799" && unzip -o skill.zip -d .claude/skills/top-100-web-vulnerabilities-reference && rm skill.zip

Installs to .claude/skills/top-100-web-vulnerabilities-reference

About this skill

Top 100 Web Vulnerabilities Reference

Purpose

Provide a comprehensive, structured reference for the 100 most critical web application vulnerabilities organized by category. This skill enables systematic vulnerability identification, impact assessment, and remediation guidance across the full spectrum of web security threats. Content organized into 15 major vulnerability categories aligned with industry standards and real-world attack patterns.

Prerequisites

  • Basic understanding of web application architecture (client-server model, HTTP protocol)
  • Familiarity with common web technologies (HTML, JavaScript, SQL, XML, APIs)
  • Understanding of authentication and authorization concepts
  • Access to web application security testing tools (Burp Suite, OWASP ZAP)
  • Knowledge of secure coding principles recommended

Outputs and Deliverables

  • Complete vulnerability catalog with definitions, root causes, impacts, and mitigations
  • Category-based vulnerability groupings for systematic assessment
  • Quick reference for security testing and remediation
  • Foundation for vulnerability assessment checklists and security policies

Core Workflow

Phase 1: Injection Vulnerabilities Assessment

Evaluate injection attack vectors targeting data processing components:

SQL Injection (1)

  • Definition: Malicious SQL code inserted into input fields to manipulate database queries
  • Root Cause: Lack of input validation, improper use of parameterized queries
  • Impact: Unauthorized data access, data manipulation, database compromise
  • Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts

Cross-Site Scripting - XSS (2)

  • Definition: Injection of malicious scripts into web pages viewed by other users
  • Root Cause: Insufficient output encoding, lack of input sanitization
  • Impact: Session hijacking, credential theft, website defacement
  • Mitigation: Output encoding, Content Security Policy (CSP), input sanitization

Command Injection (5, 11)

  • Definition: Execution of arbitrary system commands through vulnerable applications
  • Root Cause: Unsanitized user input passed to system shells
  • Impact: Full system compromise, data exfiltration, lateral movement
  • Mitigation: Avoid shell execution, whitelist valid commands, strict input validation

XML Injection (6), LDAP Injection (7), XPath Injection (8)

  • Definition: Manipulation of XML/LDAP/XPath queries through malicious input
  • Root Cause: Improper input handling in query construction
  • Impact: Data exposure, authentication bypass, information disclosure
  • Mitigation: Input validation, parameterized queries, escape special characters

Server-Side Template Injection - SSTI (13)

  • Definition: Injection of malicious code into template engines
  • Root Cause: User input embedded directly in template expressions
  • Impact: Remote code execution, server compromise
  • Mitigation: Sandbox template engines, avoid user input in templates, strict input validation

Phase 2: Authentication and Session Security

Assess authentication mechanism weaknesses:

Session Fixation (14)

  • Definition: Attacker sets victim's session ID before authentication
  • Root Cause: Session ID not regenerated after login
  • Impact: Session hijacking, unauthorized account access
  • Mitigation: Regenerate session ID on authentication, use secure session management

Brute Force Attack (15)

  • Definition: Systematic password guessing using automated tools
  • Root Cause: Lack of account lockout, rate limiting, or CAPTCHA
  • Impact: Unauthorized access, credential compromise
  • Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA

Session Hijacking (16)

  • Definition: Attacker steals or predicts valid session tokens
  • Root Cause: Weak session token generation, insecure transmission
  • Impact: Account takeover, unauthorized access
  • Mitigation: Secure random token generation, HTTPS, HttpOnly/Secure cookie flags

Credential Stuffing and Reuse (22)

  • Definition: Using leaked credentials to access accounts across services
  • Root Cause: Users reusing passwords, no breach detection
  • Impact: Mass account compromise, data breaches
  • Mitigation: MFA, breach password checks, unique credential requirements

Insecure "Remember Me" Functionality (85)

  • Definition: Weak persistent authentication token implementation
  • Root Cause: Predictable tokens, inadequate expiration controls
  • Impact: Unauthorized persistent access, session compromise
  • Mitigation: Strong token generation, proper expiration, secure storage

CAPTCHA Bypass (86)

  • Definition: Circumventing bot detection mechanisms
  • Root Cause: Weak CAPTCHA algorithms, improper validation
  • Impact: Automated attacks, credential stuffing, spam
  • Mitigation: reCAPTCHA v3, layered bot detection, rate limiting

Phase 3: Sensitive Data Exposure

Identify data protection failures:

IDOR - Insecure Direct Object References (23, 42)

  • Definition: Direct access to internal objects via user-supplied references
  • Root Cause: Missing authorization checks on object access
  • Impact: Unauthorized data access, privacy breaches
  • Mitigation: Access control validation, indirect reference maps, authorization checks

Data Leakage (24)

  • Definition: Inadvertent disclosure of sensitive information
  • Root Cause: Inadequate data protection, weak access controls
  • Impact: Privacy breaches, regulatory penalties, reputation damage
  • Mitigation: DLP solutions, encryption, access controls, security training

Unencrypted Data Storage (25)

  • Definition: Storing sensitive data without encryption
  • Root Cause: Failure to implement encryption at rest
  • Impact: Data breaches if storage compromised
  • Mitigation: Full-disk encryption, database encryption, secure key management

Information Disclosure (33)

  • Definition: Exposure of system details through error messages or responses
  • Root Cause: Verbose error handling, debug information in production
  • Impact: Reconnaissance for further attacks, credential exposure
  • Mitigation: Generic error messages, disable debug mode, secure logging

Phase 4: Security Misconfiguration

Assess configuration weaknesses:

Missing Security Headers (26)

  • Definition: Absence of protective HTTP headers (CSP, X-Frame-Options, HSTS)
  • Root Cause: Inadequate server configuration
  • Impact: XSS attacks, clickjacking, protocol downgrade
  • Mitigation: Implement CSP, X-Content-Type-Options, X-Frame-Options, HSTS

Default Passwords (28)

  • Definition: Unchanged default credentials on systems/applications
  • Root Cause: Failure to change vendor defaults
  • Impact: Unauthorized access, system compromise
  • Mitigation: Mandatory password changes, strong password policies

Directory Listing (29)

  • Definition: Web server exposes directory contents
  • Root Cause: Improper server configuration
  • Impact: Information disclosure, sensitive file exposure
  • Mitigation: Disable directory indexing, use default index files

Unprotected API Endpoints (30)

  • Definition: APIs lacking authentication or authorization
  • Root Cause: Missing security controls on API routes
  • Impact: Unauthorized data access, API abuse
  • Mitigation: OAuth/API keys, access controls, rate limiting

Open Ports and Services (31)

  • Definition: Unnecessary network services exposed
  • Root Cause: Failure to minimize attack surface
  • Impact: Exploitation of vulnerable services
  • Mitigation: Port scanning audits, firewall rules, service minimization

Misconfigured CORS (35)

  • Definition: Overly permissive Cross-Origin Resource Sharing policies
  • Root Cause: Wildcard origins, improper CORS configuration
  • Impact: Cross-site request attacks, data theft
  • Mitigation: Whitelist trusted origins, validate CORS headers

Unpatched Software (34)

  • Definition: Systems running outdated vulnerable software
  • Root Cause: Neglected patch management
  • Impact: Exploitation of known vulnerabilities
  • Mitigation: Patch management program, vulnerability scanning, automated updates

Phase 5: XML-Related Vulnerabilities

Evaluate XML processing security:

XXE - XML External Entity Injection (37)

  • Definition: Exploitation of XML parsers to access files or internal systems
  • Root Cause: External entity processing enabled
  • Impact: File disclosure, SSRF, denial of service
  • Mitigation: Disable external entities, use safe XML parsers

XEE - XML Entity Expansion (38)

  • Definition: Excessive entity expansion causing resource exhaustion
  • Root Cause: Unlimited entity expansion allowed
  • Impact: Denial of service, parser crashes
  • Mitigation: Limit entity expansion, configure parser restrictions

XML Bomb (Billion Laughs) (39)

  • Definition: Crafted XML with nested entities consuming resources
  • Root Cause: Recursive entity definitions
  • Impact: Memory exhaustion, denial of service
  • Mitigation: Entity expansion limits, input size restrictions

XML Denial of Service (65)

  • Definition: Specially crafted XML causing excessive processing
  • Root Cause: Complex document structures without limits
  • Impact: CPU/memory exhaustion, service unavailability
  • Mitigation: Schema validation, size limits, processing timeouts

Phase 6: Broken Access Control

Assess authorization enforcement:

Inadequate Authorization (40)

  • Definition: Failure to properly enforce access controls
  • Root Cause: Weak authorization policies, missing checks
  • Impact: Unauthorized access to sensitive resources
  • Mitigation: RBAC, centralized IAM, regular access reviews

Privilege Escalation (41)

  • Definition: Gaining elevated access beyond intended permissions
  • Root Cause: Misconfigured permissions, system vulnerabilities
  • Impact: Full system compromise, data manipulation
  • Mitigation: Least privilege, regular patching, privilege monitoring

Forceful Browsing (43)

  • Definition: Direct URL manipulation to access restricted resources
  • Root Cause: Weak access controls, predictable URLs
  • Impact: Unauthorized file/

Content truncated.

More by davila7

View all skills by davila7

software-architecture

davila7

Guide for quality focused software architecture. This skill should be used when users want to write code, design architecture, analyze code, in any case that relates to software development.

461159

scroll-experience

davila7

Expert in building immersive scroll-driven experiences - parallax storytelling, scroll animations, interactive narratives, and cinematic web experiences. Like NY Times interactives, Apple product pages, and award-winning web experiences. Makes websites feel like experiences, not just pages. Use when: scroll animation, parallax, scroll storytelling, interactive story, cinematic website.

12480

planning-with-files

davila7

Implements Manus-style file-based planning for complex tasks. Creates task_plan.md, findings.md, and progress.md. Use when starting complex multi-step tasks, research projects, or any task requiring >5 tool calls.

7863

game-development

davila7

Game development orchestrator. Routes to platform-specific skills based on project needs.

14549

humanizer

davila7

Remove signs of AI-generated writing from text. Use when editing or reviewing text to make it sound more natural and human-written. Based on Wikipedia's comprehensive "Signs of AI writing" guide. Detects and fixes patterns including: inflated symbolism, promotional language, superficial -ing analyses, vague attributions, em dash overuse, rule of three, AI vocabulary words, negative parallelisms, and excessive conjunctive phrases. Credits: Original skill by @blader - https://github.com/blader/humanizer

10048

2d-games

davila7

2D game development principles. Sprites, tilemaps, physics, camera.

12744

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

1,5541,368

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

1,0771,167

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

1,4011,102

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

1,173738

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

1,128677

pdf-to-markdown

aliceisjustplaying

Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.

1,272601

Related MCP Servers

Browse all servers
Figma ContextFigma Context

Unlock seamless Figma to code: streamline Figma to HTML with Framelink MCP Server for fast, accurate design-to-code work

13,4900 tools
Laravel BoostLaravel Boost

Official Laravel-focused MCP server for augmenting AI-powered local development. Provides deep context about your Larave

3,3240 tools
GrafanaGrafana

Safely connect cloud Grafana to AI agents with MCP: query, inspect, and manage Grafana resources using simple, focused o

2,4940 tools
PerplexityPerplexity

Empower your workflows with Perplexity Ask MCP Server—seamless integration of AI research tools for real-time, accurate

1,9990 tools
Azure DevOpsAzure DevOps

Boost your productivity by managing Azure DevOps projects, pipelines, and repos in VS Code. Streamline dev workflows wit

1,37377 tools
Ref ToolsRef Tools

Boost AI coding agents with Ref Tools—efficient documentation access for faster, smarter code generation than GitHub Cop

1,0040 tools

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.