File: alerts.md | Updated: 11/18/2025
ZAP provides the following HTTP passive and active scan rules which find specific vulnerabilities.
Note that these are examples of the alerts raised - many rules include different details depending on the exact problem encountered.
Only the release rules are included in ZAP by default; the beta and alpha rules can be installed via the ZAP Marketplace.
You can also use HTTP passive and active scripts, examples of which are available in the ZAP community scripts repo, as well as Websocket passive scripts.
Many alerts support tags which allow you to see which alerts are related to, for example, specific OWASP Top Ten categories or OWASP Web Service Testing Guide chapters.
Some alerts are only relevant for specific technologies.

| ID | Alert | Status | Risk | Type | CWE | WASC |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | Directory Browsing | release | Medium | Active | 548 | 48 |
| 2 | Private IP Disclosure | release | Low | Passive | 497 | 13 |
| 3 | Session ID in URL Rewrite | release | | Passive | | |
| 3-1 | Session ID in URL Rewrite | release | Medium | Passive | 598 | 13 |
| 3-2 | Session ID in URL Rewrite | release | Medium | Passive | 598 | 13 |
| 3-3 | Referer Exposes Session ID | release | Medium | Passive | 598 | 13 |
| 6 | Path Traversal | release | | Active | | |
| 6-1 | Path Traversal | release | High | Active | 22 | 33 |
| 6-2 | Path Traversal | release | High | Active | 22 | 33 |
| 6-3 | Path Traversal | release | High | Active | 22 | 33 |
| 6-4 | Path Traversal | release | High | Active | 22 | 33 |
| 6-5 | Path Traversal | release | High | Active | 22 | 33 |
| 7 | Remote File Inclusion | release | High | Active | 98 | 5 |
| 41 | Source Code Disclosure - Git | beta | High | Active | 541 | 34 |
| 42 | Source Code Disclosure - SVN | beta | Medium | Active | 541 | 34 |
| 43 | Source Code Disclosure - File Inclusion | beta | High | Active | 541 | 33 |
| 10003 | Vulnerable JS Library | release | Medium | Passive | 1395 | |
| 10004 | Tech Detection Passive Scanner | release | Informational | Tool | | 13 |
| 10009 | In Page Banner Information Leak | beta | Low | Passive | 497 | 13 |
| 10010 | Cookie No HttpOnly Flag | release | Low | Passive | 1004 | 13 |
| 10011 | Cookie Without Secure Flag | release | Low | Passive | 614 | 13 |
| 10015 | Re-examine Cache-control Directives | release | Informational | Passive | 525 | 13 |
| 10016 | Web Browser XSS Protection Not Enabled | deprecated | | Passive | | |
| 10017 | Cross-Domain JavaScript Source File Inclusion | release | Low | Passive | 829 | 15 |
| 10019 | Content-Type Header Missing | release | | Passive | | |
| 10019-1 | Content-Type Header Missing | release | Informational | Passive | 345 | 12 |
| 10019-2 | Content-Type Header Empty | release | Informational | Passive | 345 | 12 |
| 10020 | Anti-clickjacking Header | release | | Passive | | |
| 10020-1 | Missing Anti-clickjacking Header | release | Medium | Passive | 1021 | 15 |
| 10020-2 | Multiple X-Frame-Options Header Entries | release | Medium | Passive | 1021 | 15 |
| 10020-3 | X-Frame-Options Defined via META (Non-compliant with Spec) | release | Medium | Passive | 1021 | 15 |
| 10020-4 | X-Frame-Options Setting Malformed | release | Medium | Passive | 1021 | 15 |
| 10021 | X-Content-Type-Options Header Missing | release | Low | Passive | 693 | 15 |
| 10023 | Information Disclosure - Debug Error Messages | release | Low | Passive | 1295 | 13 |
| 10024 | Information Disclosure - Sensitive Information in URL | release | Informational | Passive | 598 | 13 |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | release | Informational | Passive | 598 | 13 |
| 10026 | HTTP Parameter Override | beta | Medium | Passive | 20 | 20 |
| 10027 | Information Disclosure - Suspicious Comments | release | Informational | Passive | 615 | 13 |
| 10028 | Off-site Redirect | release | High | Passive | 601 | 38 |
| 10029 | Cookie Poisoning | release | Informational | Passive | 565 | 20 |
| 10030 | User Controllable Charset | release | Informational | Passive | 20 | 20 |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | release | Informational | Passive | 20 | 20 |
| 10032 | Viewstate | release | | Passive | | |
| 10032-1 | Potential IP Addresses Found in the Viewstate | release | Medium | Passive | 642 | 14 |
| 10032-2 | Emails Found in the Viewstate | release | Medium | Passive | 642 | 14 |
| 10032-3 | Old Asp.Net Version in Use | release | Low | Passive | 642 | 14 |
| 10032-4 | Viewstate without MAC Signature (Unsure) | release | High | Passive | 642 | 14 |
| 10032-5 | Viewstate without MAC Signature (Sure) | release | High | Passive | 642 | 14 |
| 10032-6 | Split Viewstate in Use | release | Informational | Passive | 642 | 14 |
| 10033 | Directory Browsing | release | Medium | Passive | 548 | 16 |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | release | High | Passive | 119 | 20 |
| 10035 | Strict-Transport-Security Header | release | | Passive | | |
| 10035-1 | Strict-Transport-Security Header Not Set | release | Low | Passive | 319 | 15 |
| 10035-2 | Strict-Transport-Security Disabled | release | Low | Passive | 319 | 15 |
| 10035-3 | Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec) | release | Low | Passive | 319 | 15 |
| 10035-4 | Strict-Transport-Security Header on Plain HTTP Response | release | Informational | Passive | 319 | 15 |
| 10035-5 | Strict-Transport-Security Missing Max-Age (Non-compliant with Spec) | release | Low | Passive | 319 | 15 |
| 10035-6 | Strict-Transport-Security Defined via META (Non-compliant with Spec) | release | Low | Passive | 319 | 15 |
| 10035-7 | Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) | release | Low | Passive | 319 | 15 |
| 10035-8 | Strict-Transport-Security Malformed Content (Non-compliant with Spec) | release | Low | Passive | 319 | 15 |
| 10036 | HTTP Server Response Header | release | | Passive | | |
| 10036-1 | Server Leaks its Webserver Application via "Server" HTTP Response Header Field | release | Informational | Passive | 497 | 13 |
| 10036-2 | Server Leaks Version Information via "Server" HTTP Response Header Field | release | Low | Passive | 497 | 13 |
| 10037 | Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | release | Low | Passive | 497 | 13 |
| 10038 | Content Security Policy (CSP) Header Not Set | release | | Passive | | |
| 10038-1 | Content Security Policy (CSP) Header Not Set | release | Medium | Passive | 693 | 15 |
| 10038-2 | Obsolete Content Security Policy (CSP) Header Found | release | Informational | Passive | 693 | 15 |
| 10038-3 | Content Security Policy (CSP) Report-Only Header Found | release | Informational | Passive | 693 | 15 |
| 10039 | X-Backend-Server Header Information Leak | release | Low | Passive | 497 | 13 |
| 10040 | Secure Pages Include Mixed Content | release | Low | Passive | 311 | 4 |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | release | Medium | Passive | 319 | 15 |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | release | Medium | Passive | 319 | 15 |
| 10043 | User Controllable JavaScript Event (XSS) | release | Informational | Passive | 20 | 20 |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | release | | Passive | | |
| 10044-1 | Big Redirect Detected (Potential Sensitive Information Leak) | release | Low | Passive | 201 | 13 |
| 10044-2 | Multiple HREFs Redirect Detected (Potential Sensitive Information Leak) | release | Low | Passive | 201 | 13 |
| 10045 | Source Code Disclosure - /WEB-INF Folder | release | | Active | | |
| 10045-1 | Source Code Disclosure - /WEB-INF Folder | release | High | Active | 541 | 34 |
| 10045-2 | Properties File Disclosure - /WEB-INF folder | release | High | Active | 541 | 34 |
| 10046 | Insecure Component | deprecated | | Passive | | |
| 10047 | HTTPS Content Available via HTTP | beta | Low | Active | 311 | 4 |
| 10048 | Remote Code Execution - Shell Shock | beta | | Active | | |
| 10048-1 | Remote Code Execution - Shell Shock | beta | High | Active | 78 | 31 |
| 10048-2 | Remote Code Execution - Shell Shock | beta | High | Active | 78 | 31 |
| 10049 | Content Cacheability | beta | | Passive | | |
| 10049-1 | Non-Storable Content | beta | Informational | Passive | 524 | 13 |
| 10049-2 | Storable but Non-Cacheable Content | beta | Informational | Passive | 524 | 13 |
| 10049-3 | Storable and Cacheable Content | beta | Informational | Passive | 524 | 13 |
| 10050 | Retrieved from Cache | release | | Passive | | |
| 10050-1 | Retrieved from Cache | release | Informational | Passive | 525 | |
| 10050-2 | Retrieved from Cache | release | Informational | Passive | 525 | |
| 10051 | Relative Path Confusion | beta | Medium | Active | 20 | 20 |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | release | Medium | Passive | 532 | 13 |
| 10053 | Apache Range Header DoS (CVE-2011-3192) | deprecated | Medium | Active | 400 | 10 |
| 10054 | Cookie without SameSite Attribute | release | | Passive | | |
| 10054-1 | Cookie without SameSite Attribute | release | Low | Passive | 1275 | 13 |
| 10054-2 | Cookie with SameSite Attribute None | release | Low | Passive | 1275 | 13 |
| 10054-3 | Cookie with Invalid SameSite Attribute | release | Low | Passive | 1275 | 13 |
| 10055 | CSP | release | | Passive | | |
| 10055-1 | CSP: X-Content-Security-Policy | release | Low | Passive | 693 | 15 |
| 10055-2 | CSP: X-WebKit-CSP | release | Low | Passive | 693 | 15 |
| 10055-3 | CSP: Notices | release | Low | Passive | 693 | 15 |
| 10055-4 | CSP: Wildcard Directive | release | Medium | Passive | 693 | 15 |
| 10055-5 | CSP: script-src unsafe-inline | release | Medium | Passive | 693 | 15 |
| 10055-6 | CSP: style-src unsafe-inline | release | Medium | Passive | 693 | 15 |
| 10055-7 | CSP: script-src unsafe-hashes | release | Medium | Passive | 693 | 15 |
| 10055-8 | CSP: style-src unsafe-hashes | release | Medium | Passive | 693 | 15 |
| 10055-9 | CSP: Malformed Policy (Non-ASCII) | release | Medium | Passive | 693 | 15 |
| 10055-10 | CSP: script-src unsafe-eval | release | Medium | Passive | 693 | 15 |
| 10055-11 | CSP: Meta Policy Invalid Directive | release | Medium | Passive | 693 | 15 |
| 10055-12 | CSP: Header & Meta | release | Informational | Passive | 693 | 15 |
| 10055-13 | CSP: Failure to Define Directive with No Fallback | release | Medium | Passive | 693 | 15 |
| 10056 | X-Debug-Token Information Leak | release | Low | Passive | 489 | 13 |
| 10057 | Username Hash Found | release | Informational | Passive | 284 | 2 |
| 10058 | GET for POST | release | Informational | Active | 16 | 20 |
| 10061 | X-AspNet-Version Response Header | release | Low | Passive | 933 | 14 |
| 10062 | PII Disclosure | release | High | Passive | 359 | 13 |
| 10063 | Permissions Policy Header Not Set | beta | | Passive | | |
| 10063-1 | Permissions Policy Header Not Set | beta | Low | Passive | 693 | 15 |
| 10063-2 | Deprecated Feature Policy Header Set | beta | Low | Passive | 16 | 15 |
| 10070 | Use of SAML | alpha | | Passive | | |
| 10094 | Base64 Disclosure | alpha | | Passive | | |
| 10094-1 | ASP.NET ViewState Disclosure | alpha | Informational | Passive | 319 | 13 |
| 10094-2 | ASP.NET ViewState Integrity | alpha | High | Passive | 642 | 13 |
| 10094-3 | Base64 Disclosure | alpha | Informational | Passive | 319 | 13 |
| 10095 | Backup File Disclosure | beta | Medium | Active | 530 | 34 |
| 10096 | Timestamp Disclosure - Unix | release | Low | Passive | 497 | 13 |
| 10097 | Hash Disclosure - MD4 / MD5 | release | Low | Passive | 497 | 13 |
| 10098 | Cross-Domain Misconfiguration | release | Medium | Passive | 264 | 14 |
| 10099 | Source Code Disclosure - PHP | beta | Medium | Passive | 540 | 13 |
| 10101 | Access Control Issue - Improper Authentication | alpha | High | Tool | 287 | 1 |
| 10102 | Access Control Issue - Improper Authorization | alpha | High | Tool | 205 | 2 |
| 10103 | Image Exposes Location or Privacy Data | beta | Informational | Passive | 200 | 13 |
| 10104 | User Agent Fuzzer | release | Informational | Active | | |
| 10105 | Weak Authentication Method | release | | Passive | | |
| 10105-1 | Authentication Credentials Captured | release | Medium | Passive | 287 | 1 |
| 10105-2 | Weak Authentication Method | release | Medium | Passive | 326 | 4 |
| 10106 | HTTP Only Site | beta | Medium | Active | 311 | 4 |
| 10107 | Httpoxy - Proxy Header Misuse | beta | High | Active | 20 | 20 |
| 10108 | Reverse Tabnabbing | release | Medium | Passive | 1022 | |
| 10109 | Modern Web Application | release | Informational | Passive | | |
| 10110 | Dangerous JS Functions | beta | Low | Passive | 749 | |
| 10111 | Authentication Request Identified | beta | Informational | Passive | | |
| 10112 | Session Management Response Identified | beta | Informational | Passive | | |
| 10113 | Verification Request Identified | beta | Informational | Passive | | |
| 10115 | Script Served From Malicious Domain (polyfill) | release | | Passive | | |
| 10115-1 | Script Served From Malicious Domain (polyfill) | release | High | Passive | 829 | 15 |
| 10115-2 | Script Served From Malicious Domain (polyfill) | release | High | Passive | 829 | 15 |
| 10116 | ZAP is Out of Date | release | Medium | Passive | 1104 | 45 |
| 10202 | Absence of Anti-CSRF Tokens | release | Medium | Passive | 352 | 9 |
| 20012 | Anti-CSRF Tokens Check | beta | Medium | Active | 352 | 9 |
| 20014 | HTTP Parameter Pollution | beta | Informational | Active | 20 | 20 |
| 20015 | Heartbleed OpenSSL Vulnerability | release | High | Active | 119 | 20 |
| 20016 | Cross-Domain Misconfiguration | beta | | Active | | |
| 20016-1 | Cross-Domain Misconfiguration - Adobe - Read | beta | High | Active | 264 | 14 |
| 20016-2 | Cross-Domain Misconfiguration - Adobe - Send | beta | High | Active | 264 | 14 |
| 20016-3 | Cross-Domain Misconfiguration - Silverlight | beta | High | Active | 264 | 14 |
| 20017 | Source Code Disclosure - CVE-2012-1823 | release | High | Active | 20 | 20 |
| 20018 | Remote Code Execution - CVE-2012-1823 | release | High | Active | 20 | 20 |
| 20019 | External Redirect | release | | Active | | |
| 20019-1 | External Redirect | release | High | Active | 601 | 38 |
| 20019-2 | External Redirect | release | High | Active | 601 | 38 |
| 20019-3 | External Redirect | release | High | Active | 601 | 38 |
| 20019-4 | External Redirect | release | High | Active | 601 | 38 |
| 30001 | Buffer Overflow | release | Medium | Active | 120 | 7 |
| 30002 | Format String Error | release | Medium | Active | 134 | 6 |
| 30003 | Integer Overflow Error | beta | Medium | Active | 190 | 3 |
| 40003 | CRLF Injection | release | Medium | Active | 113 | 25 |
| 40008 | Parameter Tampering | release | Medium | Active | 472 | 20 |
| 40009 | Server Side Include | release | High | Active | 97 | 31 |
| 40012 | Cross Site Scripting (Reflected) | release | High | Active | 79 | 8 |
| 40013 | Session Fixation | beta | High | Active | 384 | 37 |
| 40014 | Cross Site Scripting (Persistent) | release | High | Active | 79 | 8 |
| 40015 | LDAP Injection | alpha | High | Active | 90 | 29 |
| 40016 | Cross Site Scripting (Persistent) - Prime | release | Informational | Active | 79 | 8 |
| 40017 | Cross Site Scripting (Persistent) - Spider | release | Informational | Active | 79 | 8 |
| 40018 | SQL Injection | release | High | Active | 89 | 19 |
| 40019 | SQL Injection - MySQL (Time Based) | release | High | Active | 89 | 19 |
| 40020 | SQL Injection - Hypersonic SQL (Time Based) | release | High | Active | 89 | 19 |
| 40021 | SQL Injection - Oracle (Time Based) | release | High | Active | 89 | 19 |
| 40022 | SQL Injection - PostgreSQL (Time Based) | release | High | Active | 89 | 19 |
| 40023 | Possible Username Enumeration | beta | Informational | Active | 204 | 13 |
| 40024 | SQL Injection - SQLite (Time Based) | release | High | Active | 89 | 19 |
| 40025 | Proxy Disclosure | beta | Medium | Active | 204 | 45 |
| 40026 | Cross Site Scripting (DOM Based) | release | High | Active | 79 | 8 |
| 40027 | SQL Injection - MsSQL (Time Based) | release | High | Active | 89 | 19 |
| 40028 | ELMAH Information Leak | release | Medium | Active | 94 | 14 |
| 40029 | Trace.axd Information Leak | release | Medium | Active | 215 | 13 |
| 40031 | Out of Band XSS | beta | High | Active | 79 | 8 |
| 40032 | .htaccess Information Leak | release | Medium | Active | 94 | 14 |
| 40033 | NoSQL Injection - MongoDB | alpha | High | Active | 943 | 19 |
| 40034 | .env Information Leak | release | Medium | Active | 215 | 13 |
| 40035 | Hidden File Found | release | Medium | Active | 538 | 13 |
| 40036 | JWT Scan Rule | alpha | Medium | Active | | |
| 40038 | Bypassing 403 | beta | Medium | Active | 348 | |
| 40039 | Web Cache Deception | alpha | Medium | Active | 444 | |
| 40040 | CORS Header | beta | | Active | | |
| 40040-1 | CORS Header | beta | Informational | Active | 942 | 14 |
| 40040-2 | CORS Misconfiguration | beta | Medium | Active | 942 | 14 |
| 40040-3 | CORS Misconfiguration | beta | High | Active | 942 | 14 |
| 40041 | File Upload | alpha | Medium | Active | | |
| 40042 | Spring Actuator Information Leak | release | Medium | Active | 215 | 13 |
| 40043 | Log4Shell | release | | Active | | |
| 40043-1 | Log4Shell (CVE-2021-44228) | release | High | Active | 117 | 20 |
| 40043-2 | Log4Shell (CVE-2021-45046) | release | High | Active | 117 | 20 |
| 40044 | Exponential Entity Expansion (Billion Laughs Attack) | beta | Medium | Active | 776 | 44 |
| 40045 | Spring4Shell | release | High | Active | 78 | 20 |
| 40046 | Server Side Request Forgery | beta | High | Active | 918 | 20 |
| 40047 | Text4shell (CVE-2022-42889) | beta | High | Active | 117 | 20 |
| 50007 | ExtensionGraphQl | alpha | | Tool | | |
| 50007-1 | GraphQL Endpoint Supports Introspection | alpha | Informational | Tool | 16 | 15 |
| 50007-2 | GraphQL Server Implementation Identified | alpha | Informational | Tool | 205 | 45 |
| 90001 | Insecure JSF ViewState | release | Medium | Passive | 642 | 14 |
| 90002 | Java Serialization Object | beta | Medium | Passive | 502 | |
| 90003 | Sub Resource Integrity Attribute Missing | beta | Medium | Passive | 345 | 15 |
| 90004 | Insufficient Site Isolation Against Spectre Vulnerability | beta | | Passive | | |
| 90004-1 | Insufficient Site Isolation Against Spectre Vulnerability | beta | Low | Passive | 693 | 14 |
| 90004-2 | Insufficient Site Isolation Against Spectre Vulnerability | beta | Low | Passive | 693 | 14 |
| 90004-3 | Insufficient Site Isolation Against Spectre Vulnerability | beta | Low | Passive | 693 | 14 |
| 90005 | Fetch Metadata Request Headers | alpha | | Passive | | |
| 90005-1 | Sec-Fetch-Site Header is Missing | alpha | Informational | Passive | 352 | 9 |
| 90005-2 | Sec-Fetch-Mode Header is Missing | alpha | Informational | Passive | 352 | 9 |
| 90005-3 | Sec-Fetch-Dest Header is Missing | alpha | Informational | Passive | 352 | 9 |
| 90005-4 | Sec-Fetch-User Header is Missing | alpha | Informational | Passive | 352 | 9 |
| 90005-5 | Sec-Fetch-Site Header Has an Invalid Value | alpha | Informational | Passive | 352 | 9 |
| 90005-6 | Sec-Fetch-Mode Header Has an Invalid Value | alpha | Informational | Passive | 352 | 9 |
| 90005-7 | Sec-Fetch-Dest Header Has an Invalid Value | alpha | Informational | Passive | 352 | 9 |
| 90005-8 | Sec-Fetch-User Header Has an Invalid Value | alpha | Informational | Passive | 352 | 9 |
| 90011 | Charset Mismatch | release | | Passive | | |
| 90011-1 | Charset Mismatch (Header Versus Meta Content-Type Charset) | release | Informational | Passive | 436 | 15 |
| 90011-2 | Charset Mismatch (Header Versus Meta Charset) | release | Informational | Passive | 436 | 15 |
| 90011-3 | Charset Mismatch (Meta Charset Versus Meta Content-Type Charset) | release | Informational | Passive | 436 | 15 |
| 90011-4 | Charset Mismatch | release | Informational | Passive | 436 | 15 |
| 90017 | XSLT Injection | release | Medium | Active | 91 | 23 |
| 90018 | Advanced SQL Injection | beta | High | Active | 89 | 19 |
| 90019 | Server Side Code Injection | release | | Active | | |
| 90019-1 | Server Side Code Injection - PHP Code Injection | release | High | Active | 94 | 20 |
| 90019-2 | Server Side Code Injection - ASP Code Injection | release | High | Active | 94 | 20 |
| 90020 | Remote OS Command Injection | release | High | Active | 78 | 31 |
| 90021 | XPath Injection | release | High | Active | 643 | 39 |
| 90022 | Application Error Disclosure | release | Medium | Passive | 550 | 13 |
| 90023 | XML External Entity Attack | release | High | Active | 611 | 43 |
| 90024 | Generic Padding Oracle | release | High | Active | 209 | 20 |
| 90025 | Expression Language Injection | beta | High | Active | 917 | 20 |
| 90026 | SOAP Action Spoofing | beta | High | Active | 451 | |
| 90027 | Cookie Slack Detector | beta | Informational | Active | 205 | 45 |
| 90028 | Insecure HTTP Method | beta | Medium | Active | 749 | 45 |
| 90029 | SOAP XML Injection | beta | High | Active | 91 | |
| 90030 | WSDL File Detection | beta | | Passive | | |
| 90033 | Loosely Scoped Cookie | release | Informational | Passive | 565 | 15 |
| 90034 | Cloud Metadata Potentially Exposed | release | High | Active | 1230 | |
| 90035 | Server Side Template Injection | release | High | Active | 1336 | 20 |
| 90036 | Server Side Template Injection (Blind) | release | High | Active | 1336 | 20 |
| 90037 | Remote OS Command Injection (Time Based) | release | High | Active | 78 | 31 |
| 90039 | NoSQL Injection - MongoDB (Time Based) | alpha | High | Active | 943 | 19 |
| 100002 | Server is running on Clacks - GNU Terry Pratchett | alpha | Informational | Script Passive | 200 | 13 |
| 100003 | Cookie Set Without HttpOnly Flag | alpha | Low | Script Passive | | 13 |
| 100004 | Content Security Policy Violations Reporting Enabled | alpha | Informational | Script Passive | 200 | 13 |
| 100005 | SameSite Cookie Attribute Protection Used | alpha | Informational | Script Passive | 352 | 9 |
| 100006 | Information Disclosure - IP Exposed via F5 BIG-IP Persistence Cookie | alpha | Informational | Script Passive | 311 | 13 |
| 100007 | Information Disclosure - Base64-encoded String | alpha | Informational | Script Passive | 311 | 13 |
| 100008 | Information Disclosure - Credit Card Number | alpha | High | Script Passive | 311 | 13 |
| 100009 | Information Disclosure - Email Addresses | alpha | Low | Script Passive | 311 | 13 |
| 100010 | Information Disclosure - Hash | alpha | Low | Script Passive | 327 | 13 |
| 100011 | Information Disclosure - HTML Comments | alpha | Informational | Script Passive | 615 | 13 |
| 100012 | Information Disclosure - IBAN Numbers | alpha | Low | Script Passive | 200 | 13 |
| 100013 | Information Disclosure - Private IP Address | alpha | Medium | Script Passive | 200 | 13 |
| 100014 | Reflected HTTP GET Parameter(s) | alpha | Informational | Script Passive | 79 | 8 |
| 100015 | HUNT Methodology | alpha | Informational | Script Passive | | |
| 100016 | Missing Security Headers | alpha | Low | Script Passive | 693 | 15 |
| 100017 | Non Static Site Detected | alpha | Informational | Script Passive | | |
| 100018 | Relative Path Overwrite | alpha | Medium | Script Passive | 20 | 13 |
| 100019 | Information Disclosure - Server Header | alpha | Low | Script Passive | 200 | 13 |
| 100020 | Information Disclosure - SQL Error | alpha | High | Script Passive | 209 | 13 |
| 100021 | Telerik UI for ASP.NET AJAX Cryptographic Weakness (CVE-2017-9248) | alpha | High | Script Passive | 327 | 13 |
| 100022 | Upload Form Discovered | alpha | Informational | Script Passive | 434 | 20 |
| 100023 | Information Disclosure - X-Powered-By Header | alpha | Low | Script Passive | 200 | 13 |
| 100025 | Cross-Site WebSocket Hijacking | alpha | High | Script Active | 346 | 9 |
| 100026 | JWT None Exploit | alpha | High | Script Active | 347 | 15 |
| 100029 | File Content Disclosure (CVE-2019-5418) | alpha | High | Script Active | 74 | 33 |
| 100030 | Backup File Detected | alpha | Low | Script Active | 425 | 34 |
| 100034 | Information Disclosure - Google API Key | alpha | Informational | Script Passive | 200 | 13 |
| 100035 | Information Disclosure - Java Stack Trace | alpha | Medium | Script Passive | 209 | 13 |
| 100036 | Information Disclosure - Amazon S3 Bucket URL | alpha | Low | Script Passive | 200 | 13 |
| 100044 | Suspicious Input Transformation | alpha | | Script Active | | |
| 100044-1 | Suspicious Input Transformation - Quote Consumption | alpha | High | Script Active | 20 | 20 |
| 100044-2 | Suspicious Input Transformation - Arithmetic Evaluation | alpha | High | Script Active | 20 | 20 |
| 100044-3 | Suspicious Input Transformation - Expression Evaluation | alpha | High | Script Active | 20 | 20 |
| 100044-4 | Suspicious Input Transformation - Template Evaluation | alpha | High | Script Active | 20 | 20 |
| 100044-5 | Suspicious Input Transformation - EL Evaluation | alpha | High | Script Active | 20 | 20 |
| 100044-6 | Suspicious Input Transformation - Unicode Normalisation | alpha | High | Script Active | 20 | 20 |
| 100044-7 | Suspicious Input Transformation - URL Decoding Error | alpha | High | Script Active | 20 | 20 |
| 100044-8 | Suspicious Input Transformation - Unicode Byte Truncation | alpha | High | Script Active | 20 | 20 |
| 100044-9 | Suspicious Input Transformation - Unicode Case Conversion | alpha | High | Script Active | 20 | 20 |
| 100044-10 | Suspicious Input Transformation - Unicode Combining Diacritic | alpha | High | Script Active | 20 | 20 |
| 110001 | Application Error Disclosure via WebSockets | release | Medium | WebSocket Passive | 209 | 13 |
| 110002 | Base64 Disclosure in WebSocket message | release | Informational | WebSocket Passive | | |
| 110003 | Information Disclosure - Debug Error Messages via WebSocket | release | Low | WebSocket Passive | 209 | 13 |
| 110004 | Email address found in WebSocket message | release | Informational | WebSocket Passive | 359 | 13 |
| 110005 | Personally Identifiable Information via WebSocket | release | High | WebSocket Passive | 359 | 13 |
| 110006 | Private IP Disclosure via WebSocket | release | Low | WebSocket Passive | | |
| 110007 | Username Hash Found in WebSocket message | release | Informational | WebSocket Passive | 284 | 2 |
| 110008 | Information Disclosure - Suspicious Comments in XML via WebSocket | release | Informational | WebSocket Passive | 200 | 13 |
| 110009 | Full Path Disclosure | alpha | Low | Passive | 209 | 13 |
| 120000 | Information Disclosure - Information in Browser Storage | alpha | | Client Passive | | |
| 120000-1 | Information Disclosure - Information in Browser localStorage | alpha | Informational | Client Passive | 359 | 13 |
| 120000-2 | Information Disclosure - Information in Browser sessionStorage | alpha | Informational | Client Passive | 359 | 13 |
| 120001 | Information Disclosure - Sensitive Information in Browser Storage | alpha | | Client Passive | | |
| 120001-1 | Information Disclosure - Sensitive Information in Browser localStorage | alpha | Low | Client Passive | 359 | 13 |
| 120001-2 | Information Disclosure - Sensitive Information in Browser sessionStorage | alpha | Low | Client Passive | 359 | 13 |
| 120002 | Information Disclosure - JWT in Browser Storage | alpha | | Client Passive | | |
| 120002-1 | Information Disclosure - JWT in Browser localStorage | alpha | Medium | Client Passive | 922 | 13 |
| 120002-2 | Information Disclosure - JWT in Browser sessionStorage | alpha | Informational | Client Passive | 922 | 13 |