The application does not conform to the API requirements for a
function call that requires extra privileges. This could allow attackers to gain
privileges by causing the function to be called.

The server contains a protection mechanism that assumes that
any URI that is accessed using HTTP GET will not cause a state change to the
associated resource. This might allow attackers to bypass intended access
restrictions and conduct resource modification and deletion attacks, since some
applications allow GET to modify state.
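
The mismatch described above, as an added example that is not part of the original text: a guard that trusts the HTTP method is compared with one that decides on what the route actually does. The route table, roles and function names are hypothetical and constructed for illustration.

```python
# Added example: routes, roles and both guards are hypothetical.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed route table: (method, path) -> (handler name, changes_state)
ROUTES = {
    ("GET", "/docs/view"): ("view", False),
    ("POST", "/docs/delete"): ("delete", True),
    ("GET", "/docs/delete"): ("delete", True),  # legacy link-style action
}

def method_based_guard(method, path, role):
    """Weak: assumes GET never changes state, so only other methods are checked."""
    if method in SAFE_METHODS:
        return True
    return role == "editor"

def effect_based_guard(method, path, role):
    """Hardened: decide on what the route does, not on the verb used to reach it."""
    route = ROUTES.get((method, path))
    if route is None:
        return False
    _, changes_state = route
    if changes_state and method in SAFE_METHODS:
        return False  # a state change must not be reachable via a safe method
    return role == "editor" if changes_state else True

def handle(guard, store, method, path, role, doc_id):
    """Dispatch one request against an in-memory store; return an HTTP-like status."""
    route = ROUTES.get((method, path))
    if route is None:
        return 404
    if not guard(method, path, role):
        return 403
    if route[0] == "delete":
        store.discard(doc_id)
    return 200

def audit_routes(routes):
    """Check for CI: list state-changing handlers that are bound to safe methods."""
    return sorted(p for (m, p), (_, changes) in routes.items()
                  if changes and m in SAFE_METHODS)

def demo():
    """Same low-privilege GET request against both guards."""
    weak, hard = {"d1"}, {"d1"}
    r1 = handle(method_based_guard, weak, "GET", "/docs/delete", "viewer", "d1")
    r2 = handle(effect_based_guard, hard, "GET", "/docs/delete", "viewer", "d1")
    return r1, weak, r2, hard
```

Running `audit_routes` over the real route table in a build step flags the legacy binding before it ships.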

The Web services architecture may require exposing a WSDL file
that contains information on the publicly accessible services and how callers of
these services should interact with them (e.g. what parameters they expect and
what types they return).

The software uses external input to dynamically construct an
XQuery expression used to retrieve data from an XML database, but it does not
neutralize or incorrectly neutralizes that input. This allows an attacker to
control the structure of the query.

A protection mechanism relies exclusively, or to a large
extent, on the evaluation of a single condition or the integrity of a single
object or entity in order to make a decision about granting access to restricted
resources or functionality.