A security standard that helps prevent cross-site scripting (XSS) attacks by allowing website owners to control which resources can be loaded and executed on their pages.

A cryptographic protocol that provides secure communication over a computer network, commonly used to secure HTTPS connections.

A security feature that allows web pages to make requests to a different domain than the one serving the web page, while maintaining security.

A web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking by forcing HTTPS connections.

A type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

An attack that tricks a user into performing unwanted actions on a web application in which they're currently authenticated.

An email authentication method that helps prevent email spoofing by specifying which mail servers are authorized to send emails for a domain.

An email authentication method that uses digital signatures to verify that an email message was sent by an authorized sender.

An email authentication protocol that builds on SPF and DKIM to provide domain-level protection against email spoofing.

A malicious technique where an attacker tricks a user into clicking on something different from what the user perceives, potentially revealing confidential information.

A security issue where a web page served over HTTPS contains resources (images, scripts, stylesheets) loaded over HTTP, which can compromise security.

A vulnerability where an attacker can take control of a subdomain by exploiting misconfigured DNS records or abandoned services.

A code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution.

A vulnerability that occurs when an application provides direct access to objects based on user-supplied input, allowing attackers to access unauthorized resources.

A vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

A vulnerability that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

A vulnerability that allows an attacker to access files and directories that are stored outside the web root folder by manipulating file paths.

A vulnerability that allows an attacker to gain elevated access to resources that are normally protected from an application or user.

A security principle that states that users and systems should only be granted the minimum level of access necessary to perform their functions.

An attack where an attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other.

An attack that overwhelms a target system with traffic from multiple sources, making it unavailable to legitimate users.

An attack that attempts to gain access to a system by trying all possible combinations of passwords or encryption keys.

An attack that uses previously breached username and password combinations to gain unauthorized access to user accounts.

A security vulnerability that is unknown to the vendor and for which no patch or fix is available.

A standardized identifier for publicly known cybersecurity vulnerabilities and exposures.

A standardized framework for rating the severity of security vulnerabilities.

A security testing methodology that simulates real-world attacks to identify vulnerabilities in systems, networks, or applications.

A systematic process of identifying, quantifying, and prioritizing security vulnerabilities in systems, networks, or applications.

A structured approach to identifying and prioritizing potential security threats to a system or application.

A security model that assumes no implicit trust and requires verification for every access request, regardless of location or user.

A security strategy that employs multiple layers of security controls to protect against various types of attacks.

A security device that monitors, filters, and blocks HTTP traffic to and from web applications to protect against common web attacks.

A security system that collects, analyzes, and correlates security events from multiple sources to provide real-time threat detection and response.

A structured approach to handling and managing security incidents to minimize damage and restore normal operations.

A set of security standards designed to ensure that companies that accept, process, store, or transmit credit card information maintain a secure environment.

A US law that establishes national standards for protecting sensitive patient health information.

A European Union regulation that governs data protection and privacy for individuals within the EU.

A framework for evaluating the security, availability, processing integrity, confidentiality, and privacy of service organizations.

An international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system.

A nonprofit organization that provides free resources and tools for improving web application security.

A standard awareness document that represents the most critical security risks to web applications.

A sophisticated, long-term cyberattack campaign that targets specific organizations or individuals for espionage or sabotage.

An attack that targets an organization by compromising one of its suppliers or vendors to gain access to the target organization.

The use of psychological manipulation to trick people into revealing sensitive information or performing actions that compromise security.

A social engineering attack that attempts to trick users into revealing sensitive information by impersonating a trustworthy entity.

The technique used by attackers to move through a network after gaining initial access, typically to find and access high-value targets.

The process of stealing data from a compromised system and transferring it to an attacker-controlled location.

Information that can be used to identify, contact, or locate a specific individual, such as name, address, or social security number.

A security strategy that prevents sensitive data from being lost, stolen, or accessed by unauthorized users.

A model that describes the stages of a cyberattack from initial reconnaissance to data exfiltration.

Artifacts that indicate a security incident has occurred, such as IP addresses, file hashes, or domain names.

A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.