Vulnerabilities detected by Burp Scanner

  • Last updated: March 1, 2024

Burp Scanner is capable of detecting a wide range of vulnerabilities, which are flagged by the scanner as issues.

This table lists all vulnerabilities that can be identified by Burp Scanner. It is regularly updated in line with the latest PortSwigger research. You can click on any vulnerability for a definition and more information.

| Name | Severity | Index (hex) | Index (dec) | Classifications |
|---|---|---|---|---|
| OS command injection | High | 0x00100100 | 1048832 | CWE-77, CWE-78, CWE-116 |
| SQL injection | High | 0x00100200 | 1049088 | CWE-89, CWE-94, CWE-116 |
| SQL injection (second order) | High | 0x00100210 | 1049104 | CWE-89, CWE-94, CWE-116 |
| ASP.NET tracing enabled | High | 0x00100280 | 1049216 | CWE-10, CWE-11 |
| File path traversal | High | 0x00100300 | 1049344 | CWE-22, CWE-23, CWE-35, CWE-36 |
| XML external entity injection | High | 0x00100400 | 1049600 | CWE-611 |
| LDAP injection | High | 0x00100500 | 1049856 | CWE-90, CWE-116 |
| XPath injection | High | 0x00100600 | 1050112 | CWE-94, CWE-116, CWE-159, CWE-643 |
| XML injection | Medium | 0x00100700 | 1050368 | CWE-91, CWE-116, CWE-159, CWE-611, CWE-776 |
| ASP.NET debugging enabled | Medium | 0x00100800 | 1050624 | CWE-11 |
| Broken access control | Information | 0x00100850 | 1050704 | CWE-284 |
| HTTP PUT method is enabled | High | 0x00100900 | 1050880 | CWE-650 |
| Out-of-band resource load (HTTP) | High | 0x00100a00 | 1051136 | CWE-610, CWE-918 |
| File path manipulation | High | 0x00100b00 | 1051392 | CWE-22, CWE-23, CWE-35, CWE-36 |
| PHP code injection | High | 0x00100c00 | 1051648 | CWE-94, CWE-116, CWE-159 |
| Server-side JavaScript code injection | High | 0x00100d00 | 1051904 | CWE-94, CWE-95, CWE-116 |
| Perl code injection | High | 0x00100e00 | 1052160 | CWE-94, CWE-95, CWE-116 |
| Ruby code injection | High | 0x00100f00 | 1052416 | CWE-94, CWE-95, CWE-116 |
| Python code injection | High | 0x00100f10 | 1052432 | CWE-94, CWE-95, CWE-116 |
| Expression Language injection | High | 0x00100f20 | 1052448 | CWE-116, CWE-159, CWE-917 |
| Unidentified code injection | High | 0x00101000 | 1052672 | CWE-94, CWE-95, CWE-116 |
| Server-side template injection | High | 0x00101080 | 1052800 | CWE-94, CWE-95, CWE-116 |
| SSI injection | High | 0x00101100 | 1052928 | CWE-96, CWE-116, CWE-159 |
| Cross-site scripting (stored) | High | 0x00200100 | 2097408 | CWE-79, CWE-80, CWE-116, CWE-159 |
| HTTP request smuggling | High | 0x00200140 | 2097472 | CWE-444 |
| Client-side desync | High | 0x00200141 | 2097473 | CWE-444 |
| Web cache poisoning | High | 0x00200180 | 2097536 | CWE-436 |
| HTTP response header injection | High | 0x00200200 | 2097664 | CWE-113 |
| Cross-site scripting (reflected) | High | 0x00200300 | 2097920 | CWE-79, CWE-80, CWE-116, CWE-159 |
| Client-side template injection | High | 0x00200308 | 2097928 | CWE-116, CWE-159 |
| Cross-site scripting (DOM-based) | High | 0x00200310 | 2097936 | CWE-79, CWE-80, CWE-116, CWE-159 |
| Cross-site scripting (reflected DOM-based) | High | 0x00200311 | 2097937 | CWE-79, CWE-80, CWE-116, CWE-159 |
| Cross-site scripting (stored DOM-based) | High | 0x00200312 | 2097938 | CWE-79, CWE-80, CWE-116, CWE-159 |
| Client-side prototype pollution | Information | 0x00200316 | 2097942 | CWE-1321 |
| JavaScript injection (DOM-based) | High | 0x00200320 | 2097952 | CWE-94, CWE-95, CWE-116 |
| JavaScript injection (reflected DOM-based) | High | 0x00200321 | 2097953 | CWE-94, CWE-95, CWE-116 |
| JavaScript injection (stored DOM-based) | High | 0x00200322 | 2097954 | CWE-94, CWE-95, CWE-116 |
| Path-relative style sheet import | Information | 0x00200328 | 2097960 | CWE-16 |
| Client-side SQL injection (DOM-based) | High | 0x00200330 | 2097968 | CWE-89, CWE-116, CWE-159 |
| Client-side SQL injection (reflected DOM-based) | High | 0x00200331 | 2097969 | CWE-89, CWE-116, CWE-159 |
| Client-side SQL injection (stored DOM-based) | High | 0x00200332 | 2097970 | CWE-89, CWE-116, CWE-159 |
| WebSocket URL poisoning (DOM-based) | High | 0x00200340 | 2097984 | CWE-345, CWE-346, CWE-441 |
| WebSocket URL poisoning (reflected DOM-based) | High | 0x00200341 | 2097985 | CWE-345, CWE-346, CWE-441 |
| WebSocket URL poisoning (stored DOM-based) | High | 0x00200342 | 2097986 | CWE-345, CWE-346, CWE-441 |
| Local file path manipulation (DOM-based) | High | 0x00200350 | 2098000 | CWE-22, CWE-73 |
| Local file path manipulation (reflected DOM-based) | High | 0x00200351 | 2098001 | CWE-22, CWE-73 |
| Local file path manipulation (stored DOM-based) | High | 0x00200352 | 2098002 | CWE-22, CWE-73 |
| Client-side XPath injection (DOM-based) | Low | 0x00200360 | 2098016 | CWE-79, CWE-116, CWE-159 |
| Client-side XPath injection (reflected DOM-based) | Low | 0x00200361 | 2098017 | CWE-79, CWE-116, CWE-159 |
| Client-side XPath injection (stored DOM-based) | Low | 0x00200362 | 2098018 | CWE-79, CWE-116, CWE-159 |
| Client-side JSON injection (DOM-based) | Low | 0x00200370 | 2098032 | CWE-79, CWE-116, CWE-159 |
| Client-side JSON injection (reflected DOM-based) | Low | 0x00200371 | 2098033 | CWE-79, CWE-116, CWE-159 |
| Client-side JSON injection (stored DOM-based) | Low | 0x00200372 | 2098034 | CWE-79, CWE-116, CWE-159 |
| Flash cross-domain policy | High | 0x00200400 | 2098176 | CWE-942 |
| Silverlight cross-domain policy | High | 0x00200500 | 2098432 | CWE-942 |
| Content security policy: allowlisted script resources | Information | 0x00200503 | 2098435 | CWE-79, CWE-80, CWE-116, CWE-159 |
| Content security policy: allows untrusted script execution | Information | 0x00200504 | 2098436 | CWE-79, CWE-80, CWE-116, CWE-159 |
| Content security policy: allows untrusted style execution | Information | 0x00200505 | 2098437 | CWE-116, CWE-159 |
| Content security policy: malformed syntax | Information | 0x00200506 | 2098438 | |
| Content security policy: allows clickjacking | Information | 0x00200507 | 2098439 | CWE-693, CWE-1021 |
| Content security policy: allows form hijacking | Information | 0x00200508 | 2098440 | CWE-116 |
| Content security policy: not enforced | Information | 0x00200509 | 2098441 | |
| GraphQL endpoint found | Information | 0x00200510 | 2098448 | |
| GraphQL endpoint discovered | Information | 0x00200511 | 2098449 | |
| GraphQL introspection enabled | Low | 0x00200512 | 2098450 | CWE-200 |
| GraphQL suggestions enabled | Low | 0x00200513 | 2098451 | CWE-200 |
| GraphQL content type not validated | Low | 0x00200514 | 2098452 | CWE-352 |
| Cross-origin resource sharing | Information | 0x00200600 | 2098688 | CWE-942 |
| Cross-origin resource sharing: arbitrary origin trusted | High | 0x00200601 | 2098689 | CWE-942 |
| Cross-origin resource sharing: unencrypted origin trusted | Low | 0x00200602 | 2098690 | CWE-942 |
| Cross-origin resource sharing: all subdomains trusted | Low | 0x00200603 | 2098691 | CWE-942 |
| Web cache deception | Medium | 0x00200650 | 2098768 | |
| Cross-site request forgery | Medium | 0x00200700 | 2098944 | CWE-352 |
| SMTP header injection | Medium | 0x00200800 | 2099200 | CWE-93, CWE-159 |
| JWT signature not verified | High | 0x00200900 | 2099456 | CWE-345, CWE-347 |
| JWT none algorithm supported | High | 0x00200901 | 2099457 | CWE-345 |
| JWT self-signed JWK header supported | High | 0x00200902 | 2099458 | |
| JWT weak HMAC secret | High | 0x00200903 | 2099459 | |
| JWT arbitrary jku header supported | High | 0x00200904 | 2099460 | |
| JWT arbitrary x5u header supported | High | 0x00200905 | 2099461 | |
| Cleartext submission of password | High | 0x00300100 | 3145984 | CWE-319 |
| External service interaction (DNS) | Information | 0x00300200 | 3146240 | CWE-918, CWE-406 |
| External service interaction (HTTP) | High | 0x00300210 | 3146256 | CWE-918, CWE-406 |
| External service interaction (SMTP) | Information | 0x00300220 | 3146272 | CWE-16, CWE-406 |
| Referer-dependent response | Information | 0x00400100 | 4194560 | CWE-16, CWE-213 |
| Spoofable client IP address | Information | 0x00400110 | 4194576 | CWE-16 |
| User agent-dependent response | Information | 0x00400120 | 4194592 | CWE-16 |
| Password returned in later response | Medium | 0x00400200 | 4194816 | CWE-204 |
| Password submitted using GET method | Low | 0x00400300 | 4195072 | CWE-598 |
| Password returned in URL query string | Low | 0x00400400 | 4195328 | CWE-598 |
| SQL statement in request parameter | Medium | 0x00400480 | 4195456 | CWE-598 |
| Cross-domain POST | Information | 0x00400500 | 4195584 | CWE-16 |
| ASP.NET ViewState without MAC enabled | High | 0x00400600 | 4195840 | CWE-642 |
| XML entity expansion | Medium | 0x00400700 | 4196096 | CWE-776 |
| Long redirection response | Information | 0x00400800 | 4196352 | CWE-698 |
| Serialized object in HTTP message | High | 0x00400900 | 4196608 | CWE-502 |
| Duplicate cookies set | Information | 0x00400a00 | 4196864 | CWE-16 |
| Input returned in response (stored) | Information | 0x00400b00 | 4197120 | CWE-20, CWE-116 |
| Input returned in response (reflected) | Information | 0x00400c00 | 4197376 | CWE-20, CWE-116 |
| Suspicious input transformation (reflected) | Information | 0x00400d00 | 4197632 | CWE-20 |
| Suspicious input transformation (stored) | Information | 0x00400e00 | 4197888 | CWE-20 |
| Request URL override | Information | 0x00400f00 | 4198144 | CWE-436 |
| Vulnerable JavaScript dependency | Low | 0x00500080 | 5243008 | CWE-1104 |
| Open redirection (reflected) | Low | 0x00500100 | 5243136 | CWE-601 |
| Open redirection (stored) | Medium | 0x00500101 | 5243137 | CWE-601 |
| Open redirection (DOM-based) | Low | 0x00500110 | 5243152 | CWE-601 |
| Open redirection (reflected DOM-based) | Low | 0x00500111 | 5243153 | CWE-601 |
| Open redirection (stored DOM-based) | Medium | 0x00500112 | 5243154 | CWE-601 |
| TLS cookie without secure flag set | Medium | 0x00500200 | 5243392 | CWE-614 |
| Cookie scoped to parent domain | Low | 0x00500300 | 5243648 | CWE-16 |
| Cross-domain Referer leakage | Information | 0x00500400 | 5243904 | CWE-200 |
| Cross-domain script include | Information | 0x00500500 | 5244160 | CWE-829 |
| Cookie without HttpOnly flag set | Low | 0x00500600 | 5244416 | CWE-16 |
| Session token in URL | Medium | 0x00500700 | 5244672 | CWE-200, CWE-384, CWE-598 |
| Password field with autocomplete enabled | Low | 0x00500800 | 5244928 | CWE-200 |
| Password value set in cookie | Medium | 0x00500900 | 5245184 | CWE-287 |
| File upload functionality | Information | 0x00500980 | 5245312 | CWE-434 |
| Frameable response (potential Clickjacking) | Information | 0x005009a0 | 5245344 | CWE-693, CWE-1021 |
| Browser cross-site scripting filter disabled | Information | 0x005009b0 | 5245360 | CWE-16 |
| HTTP TRACE method is enabled | Information | 0x00500a00 | 5245440 | CWE-16 |
| Cookie manipulation (DOM-based) | Low | 0x00500b00 | 5245696 | CWE-565, CWE-829 |
| Cookie manipulation (reflected DOM-based) | Low | 0x00500b01 | 5245697 | CWE-565, CWE-829 |
| Cookie manipulation (stored DOM-based) | Low | 0x00500b02 | 5245698 | CWE-565, CWE-829 |
| Ajax request header manipulation (DOM-based) | Low | 0x00500c00 | 5245952 | CWE-116 |
| Ajax request header manipulation (reflected DOM-based) | Low | 0x00500c01 | 5245953 | CWE-116 |
| Ajax request header manipulation (stored DOM-based) | Low | 0x00500c02 | 5245954 | CWE-116 |
| Denial of service (DOM-based) | Information | 0x00500d00 | 5246208 | CWE-400 |
| Denial of service (reflected DOM-based) | Information | 0x00500d01 | 5246209 | CWE-400 |
| Denial of service (stored DOM-based) | Low | 0x00500d02 | 5246210 | CWE-400 |
| HTML5 web message manipulation (DOM-based) | Information | 0x00500e00 | 5246464 | CWE-20 |
| HTML5 web message manipulation (reflected DOM-based) | Information | 0x00500e01 | 5246465 | CWE-20 |
| HTML5 web message manipulation (stored DOM-based) | Information | 0x00500e02 | 5246466 | CWE-20 |
| HTML5 storage manipulation (DOM-based) | Information | 0x00500f00 | 5246720 | CWE-20 |
| HTML5 storage manipulation (reflected DOM-based) | Information | 0x00500f01 | 5246721 | CWE-20 |
| HTML5 storage manipulation (stored DOM-based) | Information | 0x00500f02 | 5246722 | CWE-20 |
| Link manipulation (DOM-based) | Low | 0x00501000 | 5246976 | CWE-20 |
| Link manipulation (reflected DOM-based) | Low | 0x00501001 | 5246977 | CWE-20 |
| Link manipulation (stored DOM-based) | Low | 0x00501002 | 5246978 | CWE-20 |
| Link manipulation (reflected) | Information | 0x00501003 | 5246979 | CWE-73, CWE-20 |
| Link manipulation (stored) | Information | 0x00501004 | 5246980 | CWE-73, CWE-20 |
| Document domain manipulation (DOM-based) | Medium | 0x00501100 | 5247232 | CWE-20 |
| Document domain manipulation (reflected DOM-based) | Medium | 0x00501101 | 5247233 | CWE-20 |
| Document domain manipulation (stored DOM-based) | Medium | 0x00501102 | 5247234 | CWE-20 |
| DOM data manipulation (DOM-based) | Information | 0x00501200 | 5247488 | CWE-20 |
| DOM data manipulation (reflected DOM-based) | Information | 0x00501201 | 5247489 | CWE-20 |
| DOM data manipulation (stored DOM-based) | Information | 0x00501202 | 5247490 | CWE-20 |
| CSS injection (reflected) | Medium | 0x00501300 | 5247744 | CWE-73, CWE-20 |
| CSS injection (stored) | Medium | 0x00501301 | 5247745 | CWE-73, CWE-20 |
| Client-side HTTP parameter pollution (reflected) | Low | 0x00501400 | 5248000 | CWE-233, CWE-20 |
| Client-side HTTP parameter pollution (stored) | Low | 0x00501401 | 5248001 | CWE-233, CWE-20 |
| Form action hijacking (reflected) | Medium | 0x00501500 | 5248256 | CWE-73, CWE-20 |
| Form action hijacking (stored) | Medium | 0x00501501 | 5248257 | CWE-73, CWE-20 |
| Database connection string disclosed | Medium | 0x00600080 | 6291584 | CWE-15, CWE-497 |
| Source code disclosure | Low | 0x006000b0 | 6291632 | CWE-18, CWE-200, CWE-388, CWE-540, CWE-541, CWE-615 |
| Backup file | Information | 0x006000d8 | 6291672 | CWE-530 |
| Directory listing | Information | 0x00600100 | 6291712 | CWE-538, CWE-548 |
| Email addresses disclosed | Information | 0x00600200 | 6291968 | CWE-200 |
| Private IP addresses disclosed | Information | 0x00600300 | 6292224 | CWE-200 |
| Social security numbers disclosed | Information | 0x00600400 | 6292480 | CWE-200 |
| Credit card numbers disclosed | Information | 0x00600500 | 6292736 | CWE-200, CWE-388 |
| Private key disclosed | Information | 0x00600550 | 6292816 | CWE-200, CWE-388 |
| Robots.txt file | Information | 0x00600600 | 6292992 | CWE-200 |
| Json Web Key Set disclosed | Information | 0x00600700 | 6293248 | CWE-200 |
| JWT private key disclosed | High | 0x00600800 | 6293504 | CWE-200 |
| OpenAPI definition found (active scan check) | Information | 0x00600900 | 6293760 | CWE-200 |
| OpenAPI definition found (passive scan check) | Information | 0x00600901 | 6293761 | CWE-200 |
| Cacheable HTTPS response | Information | 0x00700100 | 7340288 | CWE-524, CWE-525 |
| Base64-encoded data in parameter | Information | 0x00700200 | 7340544 | CWE-310, CWE-311 |
| Multiple content types specified | Information | 0x00800100 | 8388864 | CWE-436 |
| HTML does not specify charset | Information | 0x00800200 | 8389120 | CWE-16, CWE-436 |
| HTML uses unrecognized charset | Information | 0x00800300 | 8389376 | CWE-16, CWE-436 |
| Content type incorrectly stated | Low | 0x00800400 | 8389632 | CWE-16, CWE-436 |
| Content type is not specified | Information | 0x00800500 | 8389888 | CWE-16 |
| TLS certificate | Medium | 0x01000100 | 16777472 | CWE-295, CWE-326, CWE-327 |
| Unencrypted communications | Low | 0x01000200 | 16777728 | CWE-326 |
| Strict transport security not enforced | Low | 0x01000300 | 16777984 | CWE-523 |
| Mixed content | Information | 0x01000400 | 16778240 | CWE-16, CWE-319 |
| Hidden HTTP 2 | Information | 0x01000500 | 16778496 | CWE-912 |
| Extension generated issue | Information | 0x08000000 | 134217728 | |
| BCheck generated issue | Information | 0x09000000 | 150994944 | |
