# HTTP Verb Tampering

- The [HTTP Verb Tampering](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering) attack exploits web servers that accept many HTTP verbs and methods
- This can be exploited by sending malicious requests using unexpected methods, which may lead to bypassing the web application's authorization mechanism or even bypassing its security controls against other web attacks

# Insecure Direct Object References (IDOR)

- [Insecure Direct Object References (IDOR)](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) is among the most common web vulnerabilities and can lead to attackers accessing data that should not be accessible to them
- What makes this attack very common is essentially the lack of a solid access control system on the back-end
- As web apps store users' files and information, they may use sequential numbers or user IDs to identify each item

# XML External Entity (XXE) Injection

- Many web applications process XML data as part of their functionality
- For example, a web app utilizes outdated XML libraries to parse and process XML input data from the front-end user
- In this case, it may be possible to send malicious XML data to disclose local files stored on the back-end server via an [XML External Entity (XXE) Injection](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_\(XXE\)_Processing) attack