CWE VIEW: Weaknesses in OWASP Top Ten (2017)
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and classes exist to group weaknesses. A category is a CWE entry that contains a set of other entries that share a common characteristic. Classes are weaknesses that are described in a very abstract fashion, typically independent of any specific language or technology, and are more general than a base weakness. Within classes, base-level weaknesses are used to present a more specific type of weakness that is still mostly independent of a resource or technology, but with sufficient detail to provide specific methods for detection and prevention. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. A composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
1026 - Weaknesses in OWASP Top Ten (2017)

- 1027 (OWASP Top Ten 2017 Category A1 - Injection): Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2017.
  - 77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')): The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
  - 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')): The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Alternate terms: Shell injection; Shell metacharacters.
  - 88 (Argument Injection or Modification): The software does not sufficiently delimit the arguments being passed to a component in another control sphere, allowing alternate arguments to be provided, leading to potentially security-relevant changes.
  - 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')): The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
  - 90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')): The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
  - 91 (XML Injection (aka Blind XPath Injection)): The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
  - 564 (SQL Injection: Hibernate): Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
  - 917 (Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')): The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. Alternate term: EL Injection.
  - 943 (Improper Neutralization of Special Elements in Data Query Logic): The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

- 1028 (OWASP Top Ten 2017 Category A2 - Broken Authentication): Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017.
  - 287 (Improper Authentication): When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. Alternate terms: authentification; AuthC.
  - 256 (Unprotected Storage of Credentials): Storing a password in plaintext may result in a system compromise.
  - 308 (Use of Single-factor Authentication): The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
  - 384 (Session Fixation): Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
  - 522 (Insufficiently Protected Credentials): This weakness occurs when the application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
  - 523 (Unprotected Transport of Credentials): Login pages not using adequate measures to protect the user name and password while they are in transit from the client to the server.
  - 613 (Insufficient Session Expiration): According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
  - 620 (Unverified Password Change): When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
  - 640 (Weak Password Recovery Mechanism for Forgotten Password): The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

- 1029 (OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure): Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2017.
  - 220 (Sensitive Data Under FTP Root): The application stores sensitive data under the FTP document root with insufficient access control, which might make it accessible to untrusted parties.
  - 295 (Improper Certificate Validation): The software does not validate, or incorrectly validates, a certificate.
  - 311 (Missing Encryption of Sensitive Data): The software does not encrypt sensitive or critical information before storage or transmission.
  - 312 (Cleartext Storage of Sensitive Information): The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
  - 319 (Cleartext Transmission of Sensitive Information): The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
  - 320 (Key Management Errors): Weaknesses in this category are related to errors in the management of cryptographic keys.
  - 325 (Missing Required Cryptographic Step): The software does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by that algorithm.
  - 326 (Inadequate Encryption Strength): The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
  - 327 (Use of a Broken or Risky Cryptographic Algorithm): The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
  - 328 (Reversible One-Way Hash): The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.
  - 359 (Exposure of Private Information ('Privacy Violation')): The software does not properly prevent private data (such as credit card numbers) from being accessed by actors who either (1) are not explicitly authorized to access the data or (2) do not have the implicit consent of the people to which the data is related. Alternate terms: Privacy leak; Privacy leakage.

- 1030 (OWASP Top Ten 2017 Category A4 - XML External Entities (XXE)): Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2017.
  - 611 (Improper Restriction of XML External Entity Reference ('XXE')): The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Alternate term: XXE.
  - 776 (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')): The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. Alternate terms: XEE; Billion Laughs Attack; XML Bomb.

- 1031 (OWASP Top Ten 2017 Category A5 - Broken Access Control): Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2017.
  - 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')): The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Alternate terms: Directory traversal; Path traversal.
  - 284 (Improper Access Control): The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Alternate term: Authorization.
  - 285 (Improper Authorization): The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Alternate term: AuthZ.
  - 425 (Direct Request ('Forced Browsing')): The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Alternate term: forced browsing.
  - 639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Alternate terms: Insecure Direct Object Reference; Horizontal Authorization.

- 1032 (OWASP Top Ten 2017 Category A6 - Security Misconfiguration): Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.
  - 16 (Configuration): Weaknesses in this category are typically introduced during the configuration of the software.
  - 209 (Information Exposure Through an Error Message): The software generates an error message that includes sensitive information about its environment, users, or associated data.
  - 548 (Information Exposure Through Directory Listing): A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.

- 1033 (OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)): Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2017.
  - 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Alternate terms: XSS; HTML Injection; CSS.

- 1034 (OWASP Top Ten 2017 Category A8 - Insecure Deserialization): Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2017.
  - 502 (Deserialization of Untrusted Data): The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Alternate terms: Marshaling, Unmarshaling; Pickling, Unpickling.

- 1035 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities): Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

- 1036 (OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring): Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2017.
  - 223 (Omission of Security-relevant Information): The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
  - 778 (Insufficient Logging): When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.

Relationship

The relationships in this view have been pulled directly from the 2017 OWASP Top 10 document, either from the explicit mapping section, or from weakness types alluded to in the written sections.
Page Last Updated: March 29, 2018
Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org. CWE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2006-2017, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.