Resources

Glossary

Terms Pentrova uses across the product, the docs, and the vulnerability database. Each entry explains what the class is, why it matters, and the direction mitigation usually takes.

New to the category? Start with what automated penetration testing is, or compare automated vs manual penetration testing.

Filter by category

Glossary entries

• Broken Object Level Authorization

  (BOLA)

  Access Control

  The API sibling of IDOR, listed as the top risk in the OWASP API Security Top 10 because authorisation checks on object-scoped endpoints are often missing.

• Cross-Site Request Forgery

  (CSRF)

  AppSec

  A defect where a cross-origin page tricks the browser into sending an authenticated request to a target site, relying on automatic cookie inclusion.

• Cross-Site Scripting

  (XSS)

  Injection

  An injection flaw where attacker-controlled data reaches a browser-side scripting sink, letting the attacker execute script in the victim's session origin.

• Dynamic Application Security Testing

  (DAST)

  AppSec

  Black-box testing against a running application that probes HTTP surfaces for injection, auth, and misconfiguration classes without needing source access.

• Insecure Direct Object Reference

  (IDOR)

  Access Control

  An access-control flaw where the server accepts a client object identifier and returns the object without verifying the caller is authorised.

• JSON Web Token

  (JWT)

  Crypto

  A compact signed token format used to assert claims between parties, popular for stateless auth and notorious for implementation defects.

• Log4Shell

  (CVE-2021-44228)

  Injection

  A remote code execution flaw in Apache Log4j 2.x where JNDI lookups inside logged strings caused servers to fetch and execute attacker classes.

• Mutual TLS

  (mTLS)

  Crypto

  An extension of TLS where both server and client authenticate each other with X.509 certificates, common for service-to-service auth in zero-trust.

• OAuth 2.0

  (OAuth2)

  Crypto

  A delegated authorisation framework specified in RFC 6749 that lets a third-party client access a user's resources without holding the user's password.

• Race Condition

  AppSec

  A defect where correctness depends on the timing of concurrent operations, exploited by rapid parallel requests that bypass a business-logic check.

• Server-Side Request Forgery

  (SSRF)

  Infra

  A defect where an application fetches an attacker-supplied URL, letting them reach internal services, cloud metadata, or link-local ranges.

• Server-Side Template Injection

  (SSTI)

  Injection

  An injection defect where user input reaches a server-side template engine, letting the attacker evaluate expressions and often escalate to RCE.

• SQL Injection

  (SQLi)

  Injection

  An injection flaw where attacker-controlled input is concatenated into a SQL statement, letting the attacker read, modify, or exfiltrate database content.

• Static Application Security Testing

  (SAST)

  AppSec

  White-box analysis that reads source code, bytecode, or IR to flag insecure patterns without executing the application.

• Vulnerability Assessment and Penetration Testing

  (VAPT)

  AppSec

  A combined engagement that pairs breadth-first vulnerability scanning with depth-first penetration testing to produce a catalog and a proof set.

• XML External Entity

  (XXE)

  Injection

  A defect in XML parsers that dereference external entity declarations, letting attackers read local files, trigger SSRF, or exhaust resources.