Common Threat Patterns

This catalogue covers the most commonly-encountered threats across modern web applications and APIs. Use it as a checklist during your threat identification step.

Authentication & Session Management

Credential Stuffing

Category: Spoofing
Description: Attackers use automated tools to try leaked username/password combinations at scale against your login endpoint.
Why it matters: Billions of credentials are available from past breaches. Most users reuse passwords.
Mitigations: Rate limiting, MFA, breached password detection (Have I Been Pwned), anomaly detection

Session Hijacking

Category: Spoofing
Description: An attacker obtains a valid session token (via XSS, network interception, or theft from storage) and uses it to impersonate the victim.
Mitigations: HttpOnly + Secure + SameSite=Strict cookies; short session lifetimes; re-authentication for sensitive actions; Content Security Policy

JWT Forgery

Category: Spoofing
Description: A weakly-configured JWT implementation allows an attacker to forge tokens — e.g. by exploiting the alg: none vulnerability or a weak secret.
Mitigations: Strong signing keys (RS256 or ES256 preferred over HS256); validate iss, aud, exp claims; reject alg: none

Password Reset Abuse

Category: Spoofing
Description: Weak password reset tokens (short, predictable, or long-lived) can be guessed or brute-forced, allowing account takeover.
Mitigations: Cryptographically random tokens; short expiry (15–60 minutes); single-use tokens; rate-limit reset requests

Injection

SQL Injection

Category: Tampering
Description: User-supplied input is interpolated into a SQL query, allowing an attacker to modify query logic, exfiltrate data, or modify/delete records.
Mitigations: Parameterised queries / prepared statements; ORM with safe query building; SAST scanning; least-privilege DB user

NoSQL Injection

Category: Tampering
Description: Similar to SQL injection but targeting MongoDB, DynamoDB, and other NoSQL databases via malformed query operators.
Mitigations: Input validation; avoid building query objects from user input; use schema validation

Command Injection

Category: Tampering / Elevation of Privilege
Description: User input is passed to a shell command, allowing arbitrary command execution on the server.
Mitigations: Avoid shell calls entirely; if unavoidable, use allowlisted arguments; never pass user input directly to a shell

SSRF (Server-Side Request Forgery)

Category: Information Disclosure / Elevation of Privilege
Description: An attacker causes the server to make HTTP requests to internal endpoints (e.g. AWS metadata service, internal APIs) by manipulating a URL parameter.
Mitigations: Allowlist permitted outbound URLs; validate and sanitise URL inputs; block access to cloud metadata endpoints (169.254.169.254)

Authorisation

IDOR (Insecure Direct Object Reference)

Category: Elevation of Privilege
Description: An API endpoint uses a predictable identifier (e.g. GET /users/123) without checking that the caller is authorised to access that specific resource.
Mitigations: Object-level authorisation checks on every request; use indirect references (random IDs, slugs) rather than sequential integers

Missing Function-Level Authorisation

Category: Elevation of Privilege
Description: Admin functionality is accessible to non-admin users because the UI hides it but the API does not enforce it.
Mitigations: Server-side authorisation on every endpoint; do not rely solely on UI access controls

Mass Assignment

Category: Elevation of Privilege
Description: An API endpoint automatically binds request body fields to model attributes, allowing an attacker to set fields they should not control (e.g. role: admin).
Mitigations: Explicit field allowlists; separate endpoints for privileged operations; reject unexpected fields

Data Exposure

Excessive Data in API Responses

Category: Information Disclosure
Description: API endpoints return more fields than the client needs, including sensitive internal fields (hashed passwords, internal IDs, admin flags).
Mitigations: Response DTOs with explicit field mapping; API response audits; use GraphQL with field-level authorisation

Sensitive Data in Logs

Category: Information Disclosure
Description: Application logs capture PII, credentials, or session tokens — either accidentally or via over-verbose debug logging left in production.
Mitigations: Log sanitisation; structured logging with sensitive field redaction; log access controls

Insecure Storage of Secrets

Category: Information Disclosure
Description: API keys, database passwords, or private keys are stored in source control, environment variable dumps, or container images.
Mitigations: Secret management systems (HashiCorp Vault, AWS Secrets Manager); git secret scanning (git-secrets, Trufflehog); never commit secrets

Availability

Rate Limiting Bypass

Category: Denial of Service
Description: An attacker bypasses rate limiting by rotating IP addresses, using different user agents, or exploiting gaps in the rate limiting implementation.
Mitigations: Rate limit by user ID (authenticated) in addition to IP; require CAPTCHA; WAF rules

Regex Denial of Service (ReDoS)

Category: Denial of Service
Description: A user-supplied string triggers catastrophic backtracking in a regular expression, consuming CPU and causing service degradation or timeout.
Mitigations: Avoid ambiguous regex; use timeout-aware regex engines; test regex with malicious inputs

Dependency Exhaustion

Category: Denial of Service
Description: A downstream dependency (database, third-party API) becomes slow or unavailable, and the absence of circuit breakers causes the calling service to exhaust its own connection pool or thread pool.
Mitigations: Circuit breakers; timeouts on all external calls; connection pool limits; bulkhead pattern

Supply Chain

Compromised Dependency

Category: Tampering / Elevation of Privilege
Description: A malicious actor compromises an open-source package your application depends on, injecting malicious code into a widely-distributed update.
Mitigations: Dependency pinning with lockfiles; Software Composition Analysis (SCA) scanning; private artefact registry with approved packages; SLSA framework

Typosquatting

Category: Spoofing
Description: An attacker publishes a package with a name similar to a legitimate package (e.g. lodsh instead of lodash), hoping developers install the wrong one.
Mitigations: Verify package names carefully; SCA scanning; private registry that mirrors approved packages only