OWASP Source Mapping: Attacks × Cheat Sheets

This document maps every OWASP attack (www-community) and Cheat Sheet (CheatSheetSeries) to a security category, each linked to its canonical public page. Within a category, equivalent items share a single checklist line: the attack(s) and the cheat sheet(s) that address the same risk are listed together, comma-separated. Items with no direct counterpart stand on their own line.

Credit belongs to OWASP. Attacks live at https://owasp.org/www-community/attacks/<attack> and cheat sheets at https://cheatsheetseries.owasp.org/cheatsheets/<cheat>.html.

1. Injection (generic)

2. SQL / Database Injection

SQL Injection, SQL Injection Prevention, Query Parameterization (interpreter)
Blind SQL Injection (interpreter)
SQL Injection Bypassing WAF (interpreter)
RSQL Injection (interpreter)
NoSQL Security (interpreter)

3. OS / Command Injection

Command Injection, OS Command Injection Defense (interpreter)

4. LDAP / XPath / XML Injection

LDAP Injection, LDAP Injection Prevention (interpreter)
XPATH Injection (interpreter)
Blind XPath Injection (interpreter)
XML External Entity (XXE) Prevention, XML Security (xml)

5. Cross-Site Scripting (XSS)

Cross Site Scripting (XSS), Cross Site Scripting Prevention, XSS Filter Evasion (browser)
DOM Based XSS, DOM based XSS Prevention, DOM Clobbering Prevention (browser)
Reflected DOM Injection (browser)
XSS in Converting File Content to Text (browser)
XSS in subtitle (browser)
Cross Frame Scripting (browser)
Cross Site Tracing (browser)
Content Security Policy (browser)

6. Cross-Site Request Forgery (CSRF) & Clickjacking

Cross Site Request Forgery (CSRF), XSRF, Cross-Site Request Forgery Prevention (http-request)
Clickjacking, Clickjacking Defense (browser)
Cross Site History Manipulation (XSHM) (browser)
Form action hijacking (network)
Reverse Tabnabbing (browser)

7. Redirects & Forwards

Open Redirect, Unvalidated Redirects and Forwards (network)
Execution After Redirect (EAR) (browser)

8. Access Control & Authorization

Insecure Direct Object Reference (IDOR), Insecure Direct Object Reference Prevention (access-control)
Forced browsing (access-control)
Web Parameter Tampering (access-control)
Setting Manipulation (access-control)
Authorization (access-control)
Transaction Authorization (access-control)
Mass Assignment (access-control)
Multi-Tenant Application Security (access-control)

9. Authentication & Credentials

Brute Force Attack, Password Spraying Attack, Bot Management and Anti-Automation (credential-endpoint)
Credential stuffing, Credential Stuffing Prevention (credential-endpoint)
Qrljacking (federation)
Authentication, Multifactor Authentication (access-control)
Password Storage (access-control)
Forgot Password, Choosing and Using Security Questions (access-control)
Email Validation and Verification in Identity Systems (access-control)

10. Session Management

Session fixation, Session hijacking attack, Session Prediction, Session Management (access-control)
Cookie Theft Mitigation (access-control)

11. Identity Federation (OAuth / SAML / JWT)

OAuth 2.0 Protocol (federation)
SAML Security (federation)
JSON Web Token for Java (federation)

12. Cryptography & Transport Security

Cryptanalysis, Cryptographic Storage, Key Management (crypto)
Manipulator-in-the-Middle (MITM), Transport Layer Security (transport)
HTTP Strict Transport Security (transport)
Pinning (transport)

13. Server-Side Request Forgery (SSRF)

Server Side Request Forgery, Server-Side Request Forgery Prevention (network)

14. Path Traversal & File Handling

15. HTTP Protocol Abuse (Headers, Caching, Splitting)

HTTP Response Splitting, Cross-User Defacement (interpreter)
HTTP Security Response Headers (split: browser, transport, http-request, access-control)
Cache Poisoning (interpreter)
IP Spoofing via HTTP Headers (http-request)

16. Encoding & Content Spoofing

Unicode Encoding (interpreter)
Double Encoding (interpreter)
Content Spoofing (browser)

17. CSV / Spreadsheet Injection

CSV Injection (csv)

CORS OriginHeaderScrutiny (http-request)
CORS RequestPreflightScrutiny (http-request)

19. Denial of Service

Regular expression Denial of Service (ReDoS) (regex)

20. Memory Safety & Native Code

Buffer Overflow Attack, Buffer Overflow via Environment Variables (c-cpp)
Format string attack (c-cpp)

21. Mobile Code & Untrusted Code Execution

Mobile code invoking untrusted mobile code (interpreter)
Mobile code non-final public field (java)
Mobile code object hijack (java)

22. Deserialization

Deserialization (split: python, ruby, php, java, dotnet)

23. Malware & Client-Side Threats

Man-in-the-browser attack, Browser Extension Security Vulnerabilities (browser)
Third Party JavaScript Management (browser)

24. Logging, Repudiation & Error Handling

Log Injection, Logging, Application Logging Vocabulary (interpreter)
Repudiation Attack (interpreter)

25. Business Logic & Abuse of Functionality

Business logic and abuse of functionality have no single code surface a per-surface sub-skill defends: the defense is application-specific design, the same reasoning the project's threat modeling drives. Moved to "Out of scope".

26. AI / LLM / Agent Security

Prompt Injection, LLM Prompt Injection Prevention (llm)
MCP Tool Poisoning, MCP (Model Context Protocol) Security (llm)
HITL Dialog Forging (Lies-in-the-Loop) (llm)
AI Agent Security, Secure Coding with AI (llm)
Retrieval-Augmented Generation (RAG) Security (llm)
Secure AI/ML Model Ops (llm)
AML and Sanctions Compliance for AI Agent Payments (llm)

27. Prototype Pollution & Cross-Site Leaks

Prototype Pollution Prevention (javascript)
Cross-site leaks (XS-Leaks) (browser)

28. Frameworks & Language Platforms

29. Web Front-End & Browser

HTML5 Security (browser)
AJAX Security (browser)
Securing Cascading Style Sheets (split: access-control, browser)

30. APIs & Services

GraphQL (api-endpoint)
gRPC Security (api-endpoint)
WebSocket Security (api-endpoint)

31. Cloud, Containers & Infrastructure

Container and workload config is config-as-code the developer ships with the app (Dockerfile, Compose, Pod securityContext), a real surface harden fixes and verify proves, so it is in scope. Cluster administration (RBAC, etcd, API server, admission, network segmentation) is the operator's domain and stays out of scope.

Docker Security, Node.js Docker (container)
Kubernetes Security (container — the workload/Pod portion; cluster administration stays out of scope)
Serverless / FaaS Security (serverless)

32. Supply Chain & CI/CD

NPM Security (interpreter)
Dependency Graph & SBOM Best Practices, Vulnerable Dependency Management (interpreter)

33. Secrets & Configuration

Secrets management is operational: vaults, CI/CD, cloud config, rotation. The one code-level facet (a secret hardcoded in source) is a deterministic scan, not a risk sub-skill. Moved to "Out of scope".

34. Process, Design & Governance

User privacy protection is policy and design (data minimization, transparency, retention), not a code surface a sub-skill defends. Moved to "Out of scope".

35. Payments & Compliance

Secure Integration of Third-Party Payment Gateways (payment)

36. Embedded / IoT / Specialized Domains

Automotive and drone security are embedded-system domains (CAN bus, OTA firmware, sensor and radio integrity, physical access), not the web/API application source Blue Spec audits. Moved to "Out of scope".

Out of scope (no code surface)

These are not sub-skill terrains and carry no checkbox: they are governance, process, operational hardening, or framework usage with no single code surface a per-surface sub-skill defends. Their security value is real, but it lives in process and architecture (or, for a framework, in that language's own skill), not in a defense this catalog ships. Listed for reference, not as work.

Database Security
Authorization Regression Testing, Authorization Testing Automation
JAAS
Denial of Service, Denial of Service
HTTP/2 Reset Attack
Traffic flood
Web Service Amplification Attack (SOAP/WS-Addressing amplification, a DoS variant; operational, no code surface)
Cash Overflow
Spyware, Trojan Horse (end-user malware, not a code surface in the audited project; the in-browser delivery facet lives in browser)
REST Security, REST Assessment
Web Service Security
Cloud Architecture Security (design and trade-offs: IAM vs signed URLs, public/private VPCs, trust boundaries, shared-responsibility; no concrete config a sub-skill rewrites, unlike container)
Infrastructure as Code Security (despite the name, it is SDLC process and tooling for managing IaC: IDE plugins, static analysis, image scanning, CI/CD, signing; no insecure-pattern-to-safe-shape in a Terraform/CloudFormation file)
Kubernetes Security — cluster-administration portion only (RBAC, etcd, API server, admission); the workload/Pod portion is in scope under container
Network Segmentation (network architecture and firewall policy)
Subdomain Takeover Prevention (DNS lifecycle and monitoring, not code)
Secrets Management (vaults, CI/CD, rotation; the hardcoded-secret facet is a deterministic scan, not a risk sub-skill)
C-Based Toolchain Hardening (compiler, linker, and build flags; no source sink)
Microservices Security, Microservices based Security Arch Doc
Zero Trust Architecture
CI/CD Security, GitHub Actions Security
Software Supply Chain Security
Error Handling, Full Path Disclosure (global error-handler configuration per stack; the leak is the same disclosure error handling already governs)
Abuse of Functionality, Business Logic Security, Abuse Case (historical) (application-specific design, no single code sink)
User Privacy Protection (data minimization, transparency, retention policy)
Top 10 Automotive Security Vulnerabilities, Drone Security (embedded-system domains: CAN bus, OTA firmware, sensor/radio integrity, not web/API source)
Mobile Application Security (Android/iOS platform hardening: storage, biometrics, pinning, PII; no single code surface. The untrusted-code-loading facet went to interpreter)
Threat Modeling, Threat Modeling (community page)
Attack Surface Analysis
Secure Product Design
Secure Code Review
Virtual Patching
Vulnerability Disclosure
Legacy Application Management
Security Terminology

1. Injection (generic)​

2. SQL / Database Injection​

3. OS / Command Injection​

4. LDAP / XPath / XML Injection​

5. Cross-Site Scripting (XSS)​

6. Cross-Site Request Forgery (CSRF) & Clickjacking​

7. Redirects & Forwards​

8. Access Control & Authorization​

9. Authentication & Credentials​

10. Session Management​

11. Identity Federation (OAuth / SAML / JWT)​

12. Cryptography & Transport Security​

13. Server-Side Request Forgery (SSRF)​

14. Path Traversal & File Handling​

15. HTTP Protocol Abuse (Headers, Caching, Splitting)​

16. Encoding & Content Spoofing​

17. CSV / Spreadsheet Injection​

18. CORS (Cross-Origin Resource Sharing)​

19. Denial of Service​

20. Memory Safety & Native Code​

21. Mobile Code & Untrusted Code Execution​

22. Deserialization​

23. Malware & Client-Side Threats​

24. Logging, Repudiation & Error Handling​

25. Business Logic & Abuse of Functionality​

26. AI / LLM / Agent Security​

27. Prototype Pollution & Cross-Site Leaks​

28. Frameworks & Language Platforms​

29. Web Front-End & Browser​

30. APIs & Services​

31. Cloud, Containers & Infrastructure​

32. Supply Chain & CI/CD​

33. Secrets & Configuration​

34. Process, Design & Governance​

35. Payments & Compliance​

36. Embedded / IoT / Specialized Domains​

Out of scope (no code surface)​