What is the BreachVex Vulnerability Encyclopedia?

A structured reference covering 107 vulnerability classes (injection, access control, authentication, API, client-side) with CWE/OWASP mappings, CVSS scores, FAQ and real CVE examples. Maintained by the BreachVex team for security engineers.

How is the content organized?

Five OWASP-aligned categories: Injection, Access Control, Authentication, API, Client-side. Each vulnerability has a pillar page (overview) and specific variants (techniques, payloads, bypasses).

Are pages available in French?

Yes — 107 vulnerabilities translated EN+FR (214 pages). Language switcher in header. Correct hreflang links for international SEO.

How does BreachVex detect these vulnerabilities?

A multi-stage attack engine running 9 exploit squads and 47 integrated tools, with proof-of-exploit on every finding. Batch validation: 296 findings across 22 targets, under 2% false positives.

How can I contribute or report an error?

Email contact@breachvex.com with the page slug and proposed correction. External sources (HackerOne, CVE, OWASP) welcomed.

Vulnerability Encyclopedia

Structured reference — from injection to authentication flaws. Real CVEs, HackerOne reports, and code-level prevention.

15 vulnerability classes · 92 variants

Injection· 4

Command Injection

OS command injection (CWE-77/CWE-78) lets attackers run arbitrary OS commands on the host server, enabling remote code execution and full system compromise.

CWE-77A03:2021CVSS 9.86 variants

SQL Injection

SQL injection (CWE-89, OWASP A03:2021) manipulates database queries to extract credentials, bypass authentication, and achieve RCE via xp_cmdshell or COPY TO PROGRAM.

CWE-89A03:2021CVSS 9.86 variants

SSTI — Server-Side Template Injection

Server-Side Template Injection tricks the server's template engine into executing attacker-controlled expressions, often leading directly to Remote Code Execution.

CWE-1336A03:2021CVSS 9.87 variants

XXE — XML External Entity Injection

XXE (CWE-611) exploits XML parsers that resolve external entities, enabling file disclosure, SSRF, and RCE in some configurations. One parser flag eliminates the attack class.

CWE-611A05:2021CVSS 7.56 variants

Client-Side· 3

CSRF — Cross-Site Request Forgery

CSRF (CWE-352, OWASP A01:2021) forces authenticated users to execute unwanted state-changing requests by exploiting browser cookie auto-send.

CWE-352A01:2021CVSS 8.06 variants

Open Redirect

Open redirect (CWE-601) lets attackers hijack trusted redirect parameters to send users to controlled URLs — phishing, OAuth token theft, and SSRF escalation.

CWE-601A01:2021CVSS 6.16 variants

XSS — Cross-Site Scripting

XSS (CWE-79, OWASP A03:2021) lets attackers inject JavaScript into pages served to other users — session theft, credential harvesting, and account takeover.

CWE-79A03:2021CVSS 6.16 variants

Access Control· 2

IDOR — Insecure Direct Object Reference

IDOR (CWE-639, OWASP A01:2021) lets attackers access any user's records by swapping an object ID — the #1 cause of SaaS data breaches and 49% of all critical bug bounty findings.

CWE-639A01:2021CVSS 7.56 variants

Path Traversal

Path traversal (CWE-22) lets attackers escape an intended directory with ../ sequences to read sensitive files, chain to RCE via log poisoning, or escape containers entirely.

CWE-22A01:2021CVSS 7.56 variants

Authentication· 2

JWT Vulnerabilities

JWT vulnerabilities (CWE-287): algorithm confusion, secret brute-force, and key-source injection — all bypass authentication entirely when tokens are misconfigured.

CWE-287A07:2021CVSS 9.86 variants

Session Fixation

Session fixation (CWE-384) lets an attacker pre-set a victim's session ID before login, then hijack the authenticated session without intercepting cookies.

CWE-384A07:2021CVSS 8.86 variants

API Security· 4

Business Logic Flaws

Business logic flaws abuse valid application features in unintended ways — price manipulation, workflow skipping, race conditions, and discount stacking that scanners rarely catch.

CWE-840A04:2021CVSS 6.57 variants

Mass Assignment

Mass assignment vulnerabilities let attackers modify object fields that should never be user-controlled, enabling privilege escalation and data corruption via ORM auto-binding.

CWE-915A04:2021CVSS 8.16 variants

Race Conditions

Race conditions (CWE-362) exploit timing gaps between check and action — coupon reuse, balance manipulation, and limit overflows via single-packet HTTP/2.

CWE-362A04:2021CVSS 5.96 variants

SSRF — Server-Side Request Forgery

SSRF (CWE-918, OWASP A10:2021) forces a server to request internal resources — cloud metadata credentials, IMDSv1 tokens, and internal services exposed to full takeover.

CWE-918A10:2021CVSS 7.56 variants

Frequently Asked Questions

What is the BreachVex Vulnerability Encyclopedia?: A structured reference covering 107 vulnerability classes (injection, access control, authentication, API, client-side) with CWE/OWASP mappings, CVSS scores, FAQ and real CVE examples. Maintained by the BreachVex team for security engineers.
How is the content organized?: Five OWASP-aligned categories: Injection, Access Control, Authentication, API, Client-side. Each vulnerability has a pillar page (overview) and specific variants (techniques, payloads, bypasses).
Are pages available in French?: Yes — 107 vulnerabilities translated EN+FR (214 pages). Language switcher in header. Correct hreflang links for international SEO.
How does BreachVex detect these vulnerabilities?: A multi-stage attack engine running 9 exploit squads and 47 integrated tools, with proof-of-exploit on every finding. Batch validation: 296 findings across 22 targets, under 2% false positives.
How can I contribute or report an error?: Email contact@breachvex.com with the page slug and proposed correction. External sources (HackerOne, CVE, OWASP) welcomed.