| SQL injection (UNION/blind/NoSQL) | T1190 | CWE-89 | references/injection-sqli-cmdi.md | scripts/ssrf_toolkit.py (probe pattern) / sqlmap |
| OS command / argument injection | T1059 | CWE-78 / CWE-88 | references/injection-sqli-cmdi.md | - |
| Reflected/stored/DOM XSS | T1059.007 | CWE-79 | references/xss-csp-clientside.md | scripts/xss_csp_forge.py |
| CSP bypass / script gadgets | T1059.007 | CWE-1021 | references/xss-csp-clientside.md | scripts/xss_csp_forge.py |
| Client-side prototype pollution -> XSS | T1059.007 | CWE-1321 | references/xss-csp-clientside.md | scripts/xss_csp_forge.py |
| SSRF + cloud metadata theft | T1552.005 | CWE-918 | references/ssrf-cloud-metadata.md | scripts/ssrf_toolkit.py |
| IMDSv2 bypass (Axios gadget) | T1552.005 | CWE-113 | references/ssrf-cloud-metadata.md | scripts/proto_ssti_gadgets.py |
| HTTP request smuggling / desync | T1190 | CWE-444 | references/http-desync-cache.md | scripts/desync_probe.py |
| Web cache poisoning / deception | T1557 | CWE-525 | references/http-desync-cache.md | scripts/desync_probe.py |
| SSTI -> RCE (Jinja2/Twig/FM/...) | T1059 | CWE-1336 | references/ssti-deserialization.md | scripts/proto_ssti_gadgets.py |
| Server-side prototype pollution -> RCE | T1059 | CWE-1321 | references/ssti-deserialization.md | scripts/proto_ssti_gadgets.py |
| Insecure deserialization (Java/.NET/PHP) | T1059 | CWE-502 | references/ssti-deserialization.md | ysoserial / ysoserial.net |
| JWT forgery (none/confusion/jku/jwk/kid) | T1078 | CWE-347 | references/auth-api-access-control.md | scripts/jwt_forge.py |
| OAuth/OIDC/SAML auth bypass | T1078 | CWE-287 | references/auth-api-access-control.md | scripts/jwt_forge.py |
| GraphQL abuse (batch/alias/depth) | T1190 | CWE-770 | references/auth-api-access-control.md | scripts/graphql_audit.py |
| IDOR / BOLA / mass assignment | T1078 | CWE-639 / CWE-915 | references/auth-api-access-control.md | - |
| Race condition (single-packet) | T1190 | CWE-362 | references/auth-api-access-control.md | scripts/race_single_packet.py |