Vulnerability Glossary

Plain-language reference for common web vulnerabilities — what each one is, why it's a risk, and how to detect and fix it.

A vulnerability scan is only as useful as your ability to act on it. Each entry in this glossary explains one web vulnerability in plain language: what it is, how attackers exploit it, how to confirm it on your own site, and the exact fix — with copy-paste configuration for nginx and Apache. No theory for its own sake, just what you need to recognize an issue in a report and close it.

Use it to triage a scan, harden a server, or learn the OWASP categories without wading through dense specs. Entries are short and practical, and each one links to the related issues it commonly appears alongside. New terms are added as Exploita's scanner learns to detect more issues — every entry maps to something the scanner actually checks for on a live site.

Entries are tagged by severity — the risk an issue typically carries if left unfixed. Critical and high issues can lead directly to compromise, account takeover, or data exposure; medium issues weaken your defenses or leak information that helps an attacker; low issues are best-practice hardening that closes the gaps before they matter. Browse by severity below, or run a full scan to see which of these actually affect your site.

high
TLS 1.0 Deprecated

TLS 1.0 is deprecated: the 1999 protocol version was formally retired by RFC 8996 in 2021 and banned by PCI DSS in 2018. A server that still accepts it exposes connections to known downgrade and cipher attacks, and fails most compliance audits.

Read
high
Weak Cipher Suites

Weak cipher suites are TLS encryption negotiation options that use broken or outdated algorithms (RC4, 3DES, export-grade, NULL/anonymous), allowing attackers to decrypt, downgrade, or tamper with HTTPS traffic.

Read
medium
Clickjacking

Clickjacking is a UI redressing attack where an attacker loads your site in a transparent iframe over a decoy page, so users think they're clicking the attacker's content while actually clicking buttons on yours.

Read
medium
Directory Listing Vulnerability

A directory listing vulnerability occurs when a web server returns an auto-generated index of files for a folder that has no index page, exposing file names, backups, and structure that should stay private.

Read
medium
Missing SameSite Cookie Attribute

A missing SameSite cookie attribute means a cookie has no SameSite flag in its Set-Cookie header, so browsers may send it on cross-site requests and open the door to CSRF.

Read
medium
Mixed Content

Mixed content is when a page served over HTTPS loads sub-resources (scripts, styles, images, fonts, or iframes) over plain HTTP, breaking the page's encryption guarantees.

Read
medium
Open Redirect

An open redirect is a flaw where your app sends users to a URL taken from user-controlled input (like ?url= or ?next=) without validating it, letting attackers redirect visitors from your trusted domain to a malicious site.

Read
low
HTTP TRACE Method Enabled

HTTP TRACE method enabled means your web server answers TRACE requests by echoing the received request back to the client (a loopback). It's a low-severity OWASP A05 security misconfiguration that scanners and auditors still flag, historically tied to Cross-Site Tracing (XST).

Read
low
Missing Referrer-Policy

A missing Referrer-Policy header means the browser uses its default referrer behavior, which can leak the full URL of your pages — including paths, query parameters, and tokens — to third-party sites via the Referer header.

Read

These entries explain individual vulnerabilities. To find which ones actually affect your site — verified with proof, not guesswork — run a full scan with Exploita's AI-powered scanner.

Run a Full Vulnerability Scan