Continuous Dynamic DAST Vulnerability Classes

Continuous Dynamic Premium Edition (PE)

Continuous Dynamic PE includes testing for both technical and business logic vulnerabilities. Black Duck’s Threat Research Center (TRC) performs custom testing to identify business logic flaws. Black Duck’s TRC engineers, who uncover these types of vulnerabilities, are technical experts capable of understanding account structures, contextual logic, and similar characteristics of web applications.

Technical - Continuous Dynamic DAST Vulnerability Classes PE
Application Code Execution	Application Misconfiguration	Autocomplete Attribute
Brute Force	Buffer Overflow	Cacheable Sensitive Response
Clickjacking	Content Spoofing	Cross Site Request Forgery
Cross Site Scripting	Denial of Service	Directory Indexing
Fingerprinting	Frameable Resource	HTTP Response Splitting
Improper Input Handling	Information Leakage	Insecure Indexing
Insufficient Anti-automation	Insufficient Authentication	Insufficient Authorization
Insufficient Password Policy Implementation	Insufficient Password Recovery	Insufficient Process Validation
Insufficient Session Expiration	Insufficient Transport Layer Protection	LDAP Injection
Mail Command Injection	Missing Secure Headers	Non-HttpOnly Session Cookie
OS Command Injection	OS Commanding	Path Traversal
Predictable Resource Location	Query Language Injection	Remote File Inclusion
Routing Detour	Server Misconfiguration	Session Fixation
Session Prediction	SQL Injection	SSI Injection
Unsecured Session Cookie	URL Redirector Abuse	Vulnerable Library
XML External Entities	XML Injection	XPath Injection

Technical - Continuous Dynamic DAST Vulnerability Classes PE

Application Code Execution

Application Misconfiguration

Autocomplete Attribute

Brute Force

Buffer Overflow

Cacheable Sensitive Response

Clickjacking

Content Spoofing

Cross Site Request Forgery

Cross Site Scripting

Denial of Service

Directory Indexing

Fingerprinting

Frameable Resource

HTTP Response Splitting

Improper Input Handling

Information Leakage

Insecure Indexing

Insufficient Anti-automation

Insufficient Authentication

Insufficient Authorization

Insufficient Password Policy Implementation

Insufficient Password Recovery

Insufficient Process Validation

Insufficient Session Expiration

Insufficient Transport Layer Protection

LDAP Injection

Mail Command Injection

Missing Secure Headers

Non-HttpOnly Session Cookie

OS Command Injection

OS Commanding

Path Traversal

Predictable Resource Location

Query Language Injection

Remote File Inclusion

Routing Detour

Server Misconfiguration

Session Fixation

Session Prediction

SQL Injection

SSI Injection

Unsecured Session Cookie

URL Redirector Abuse

Vulnerable Library

XML External Entities

XML Injection

XPath Injection

Technical Vulnerabilities Covered by PE - OWASP 2021 Top 10
Vulnerabilities	Description
A01	Broken Access Control
A02	Cryptographic Failures
A03	Injection
A04	Insecure Design
A05	Security Misconfiguration
A06	Vulnerable and Outdated Components
A07	Identification and Authentication Failures
A08	Software and Data Integrity Failures

Technical Vulnerabilities Covered by PE - OWASP 2021 Top 10

Vulnerabilities

Description

A01

Broken Access Control

A02

Cryptographic Failures

A03

Injection

A04

Insecure Design

A05

Security Misconfiguration

A06

Vulnerable and Outdated Components

A07

Identification and Authentication Failures

A08

Software and Data Integrity Failures

Business Logic Flaws - Continuous Dynamic Vulnerability Classes
Abuse of Functionality	Insecure Indexing	Insufficient Process Validation
Brute Force	Insufficient Anti-Automation	Insufficient Session Expiration
Credential/Session Prediction	Insufficient Authentication	Session Fixation
Cross-Site Request Forgery	Insufficient Authorization	Denial of Service
Insufficient Password Recovery

Business Logic Flaws - Continuous Dynamic Vulnerability Classes

Abuse of Functionality

Insecure Indexing

Insufficient Process Validation

Brute Force

Insufficient Anti-Automation

Insufficient Session Expiration

Credential/Session Prediction

Insufficient Authentication

Session Fixation

Cross-Site Request Forgery

Insufficient Authorization

Denial of Service

Insufficient Password Recovery

Continuous Dynamic Standard Edition (SE)

Continuous Dynamic SE tests for the following technical vulnerabilities, it does not test for business logic flaws.

Technical - Continuous Dynamic Vulnerability Classes SE
Abuse of Functionality	Application Misconfiguration	Autocomplete Attribute
Brute Force	Buffer Overflow	Cacheable Sensitive Response
Content Spoofing	Cross Site Request Forgery	Cross Site Scripting
Denial of Service	Directory Indexing	Fingerprinting
Frameable Resource	HTTP Response Splitting	Improper Input Handling
Information Leakage	Insufficient Authentication	Insufficient Authorization
Insufficient Process Validation	Insufficient Transport Layer Protection	LDAP Injection
Mail Command Injection	Missing Secure Headers	OS Command Injection
OS Commanding	Path Traversal	Predictable Resource Location
Remote File Inclusion	Server Misconfiguration	SQL Injection
SSI Injection	URL Redirector Abuse	Vulnerable Library
XML External Entities	XML Injection	XPath Injection

Technical - Continuous Dynamic Vulnerability Classes SE

Abuse of Functionality

Application Misconfiguration

Autocomplete Attribute

Brute Force

Buffer Overflow

Cacheable Sensitive Response

Content Spoofing

Cross Site Request Forgery

Cross Site Scripting

Denial of Service

Directory Indexing

Fingerprinting

Frameable Resource

HTTP Response Splitting

Improper Input Handling

Information Leakage

Insufficient Authentication

Insufficient Authorization

Insufficient Process Validation

Insufficient Transport Layer Protection

LDAP Injection

Mail Command Injection

Missing Secure Headers

OS Command Injection

OS Commanding

Path Traversal

Predictable Resource Location

Remote File Inclusion

Server Misconfiguration

SQL Injection

SSI Injection

URL Redirector Abuse

Vulnerable Library

XML External Entities

XML Injection

XPath Injection

Technical Vulnerabilities Covered by SE - OWASP 2021 Top 10
Vulnerabilities	Description
A01	Broken Access Control
A02	Cryptographic Failures
A03	Injection
A04	Insecure Design
A05	Security Misconfiguration
A06	Vulnerable and Outdated Components
A07	Identification and Authentication Failures

Technical Vulnerabilities Covered by SE - OWASP 2021 Top 10

Vulnerabilities

Description

A01

Broken Access Control

A02

Cryptographic Failures

A03

Injection

A04

Insecure Design

A05

Security Misconfiguration

A06

Vulnerable and Outdated Components

A07

Identification and Authentication Failures

Continuous Dynamic Basic Edition (BE)

Continuous Dynamic BE tests for the following technical vulnerabilities, it does not test for business logic flaws.

Technical - Continuous Dynamic Vulnerability Classes BE
Abuse of Functionality	Application Code Execution	Autocomplete Attribute
Brute Force	Buffer Overflow	Cacheable Sensitive Response
Content Spoofing	Cross Site Request Forgery	Cross Site Scripting
Denial of Service	Directory Indexing	Fingerprinting
Frameable Resource	HTTP Response Splitting	Improper Input Handling
Information Leakage	Insufficient Authentication	Insufficient Authorization
Insufficient Process Validation	Insufficient Transport Layer Protection	LDAP Injection
Mail Command Injection	Missing Secure Headers	OS Command Injection
OS Commanding	Path Traversal	Predictable Resource Location
Remote File Inclusion	Server Misconfiguration	SQL Injection
SSI Injection	URL Redirector Abuse	Vulnerable Library
XML External Entities	XML Injection	XPath Injection
XQuery Injection

Technical - Continuous Dynamic Vulnerability Classes BE

Abuse of Functionality

Application Code Execution

Autocomplete Attribute

Brute Force

Buffer Overflow

Cacheable Sensitive Response

Content Spoofing

Cross Site Request Forgery

Cross Site Scripting

Denial of Service

Directory Indexing

Fingerprinting

Frameable Resource

HTTP Response Splitting

Improper Input Handling

Information Leakage

Insufficient Authentication

Insufficient Authorization

Insufficient Process Validation

Insufficient Transport Layer Protection

LDAP Injection

Mail Command Injection

Missing Secure Headers

OS Command Injection

OS Commanding

Path Traversal

Predictable Resource Location

Remote File Inclusion

Server Misconfiguration

SQL Injection

SSI Injection

URL Redirector Abuse

Vulnerable Library

XML External Entities

XML Injection

XPath Injection

XQuery Injection

Technical Vulnerabilities Covered by BE - OWASP 2021 Top 10
Vulnerabilities	Description
A01	Broken Access Control
A02	Cryptographic Failures
A03	Injection
A04	Insecure Design
A05	Security Misconfiguration
A06	Vulnerable and Outdated Components
A07	Identification and Authentication Failures

Technical Vulnerabilities Covered by BE - OWASP 2021 Top 10

Vulnerabilities

Description

A01

Broken Access Control

A02

Cryptographic Failures

A03

Injection

A04

Insecure Design

A05

Security Misconfiguration

A06

Vulnerable and Outdated Components

A07

Identification and Authentication Failures