CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.14)  
ID

CWE VIEW: Weaknesses in OWASP Top Ten (2010)

View ID: 809
Vulnerability Mapping: PROHIBITEDThis CWE ID must not be used to map to real-world vulnerabilities
Type: Graph
Downloads: Booklet | CSV | XML
+ Objective
CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top Ten is available.
+ Audience
StakeholderDescription
Software DevelopersThis view outlines the most important issues as identified by the OWASP Top Ten (2010 version), providing a good starting point for web application developers who want to code more securely.
Product CustomersThis view outlines the most important issues as identified by the OWASP Top Ten (2010 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code.
EducatorsSince the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students.
+ Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
Show Details:
809 - Weaknesses in OWASP Top Ten (2010)
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A1 - Injection - (810)
809 (Weaknesses in OWASP Top Ten (2010)) > 810 (OWASP Top Ten 2010 Category A1 - Injection)
Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2010.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
809 (Weaknesses in OWASP Top Ten (2010)) > 810 (OWASP Top Ten 2010 Category A1 - Injection) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Shell injectionShell metacharacters
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') - (88)
809 (Weaknesses in OWASP Top Ten (2010)) > 810 (OWASP Top Ten 2010 Category A1 - Injection) > 88 (Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'))
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
809 (Weaknesses in OWASP Top Ten (2010)) > 810 (OWASP Top Ten 2010 Category A1 - Injection) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - (90)
809 (Weaknesses in OWASP Top Ten (2010)) > 810 (OWASP Top Ten 2010 Category A1 - Injection) > 90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'))
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.XML Injection (aka Blind XPath Injection) - (91)
809 (Weaknesses in OWASP Top Ten (2010)) > 810 (OWASP Top Ten 2010 Category A1 - Injection) > 91 (XML Injection (aka Blind XPath Injection))
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS) - (811)
809 (Weaknesses in OWASP Top Ten (2010)) > 811 (OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS))
Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2010.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
809 (Weaknesses in OWASP Top Ten (2010)) > 811 (OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.XSSHTML InjectionCSS
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management - (812)
809 (Weaknesses in OWASP Top Ten (2010)) > 812 (OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management)
Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2010.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Improper Authentication - (287)
809 (Weaknesses in OWASP Top Ten (2010)) > 812 (OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management) > 287 (Improper Authentication)
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.authentificationAuthNAuthC
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Missing Authentication for Critical Function - (306)
809 (Weaknesses in OWASP Top Ten (2010)) > 812 (OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management) > 306 (Missing Authentication for Critical Function)
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Improper Restriction of Excessive Authentication Attempts - (307)
809 (Weaknesses in OWASP Top Ten (2010)) > 812 (OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management) > 307 (Improper Restriction of Excessive Authentication Attempts)
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Use of Hard-coded Credentials - (798)
809 (Weaknesses in OWASP Top Ten (2010)) > 812 (OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management) > 798 (Use of Hard-coded Credentials)
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A4 - Insecure Direct Object References - (813)
809 (Weaknesses in OWASP Top Ten (2010)) > 813 (OWASP Top Ten 2010 Category A4 - Insecure Direct Object References)
Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2010.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
809 (Weaknesses in OWASP Top Ten (2010)) > 813 (OWASP Top Ten 2010 Category A4 - Insecure Direct Object References) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Directory traversalPath traversal
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Unrestricted Upload of File with Dangerous Type - (434)
809 (Weaknesses in OWASP Top Ten (2010)) > 813 (OWASP Top Ten 2010 Category A4 - Insecure Direct Object References) > 434 (Unrestricted Upload of File with Dangerous Type)
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Unrestricted File Upload
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Authorization Bypass Through User-Controlled Key - (639)
809 (Weaknesses in OWASP Top Ten (2010)) > 813 (OWASP Top Ten 2010 Category A4 - Insecure Direct Object References) > 639 (Authorization Bypass Through User-Controlled Key)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Insecure Direct Object Reference / IDORBroken Object Level Authorization / BOLAHorizontal Authorization
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Inclusion of Functionality from Untrusted Control Sphere - (829)
809 (Weaknesses in OWASP Top Ten (2010)) > 813 (OWASP Top Ten 2010 Category A4 - Insecure Direct Object References) > 829 (Inclusion of Functionality from Untrusted Control Sphere)
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Missing Authorization - (862)
809 (Weaknesses in OWASP Top Ten (2010)) > 813 (OWASP Top Ten 2010 Category A4 - Insecure Direct Object References) > 862 (Missing Authorization)
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.AuthZ
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Incorrect Authorization - (863)
809 (Weaknesses in OWASP Top Ten (2010)) > 813 (OWASP Top Ten 2010 Category A4 - Insecure Direct Object References) > 863 (Incorrect Authorization)
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.AuthZ
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Improper Control of Resource Identifiers ('Resource Injection') - (99)
809 (Weaknesses in OWASP Top Ten (2010)) > 813 (OWASP Top Ten 2010 Category A4 - Insecure Direct Object References) > 99 (Improper Control of Resource Identifiers ('Resource Injection'))
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Insecure Direct Object Reference
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF) - (814)
809 (Weaknesses in OWASP Top Ten (2010)) > 814 (OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF))
Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2010.
*CompositeComposite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability.Cross-Site Request Forgery (CSRF) - (352)
809 (Weaknesses in OWASP Top Ten (2010)) > 814 (OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF)) > 352 (Cross-Site Request Forgery (CSRF))
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Session RidingCross Site Reference ForgeryXSRF
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A6 - Security Misconfiguration - (815)
809 (Weaknesses in OWASP Top Ten (2010)) > 815 (OWASP Top Ten 2010 Category A6 - Security Misconfiguration)
Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2010.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Generation of Error Message Containing Sensitive Information - (209)
809 (Weaknesses in OWASP Top Ten (2010)) > 815 (OWASP Top Ten 2010 Category A6 - Security Misconfiguration) > 209 (Generation of Error Message Containing Sensitive Information)
The product generates an error message that includes sensitive information about its environment, users, or associated data.
*VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.Storage of File with Sensitive Data Under Web Root - (219)
809 (Weaknesses in OWASP Top Ten (2010)) > 815 (OWASP Top Ten 2010 Category A6 - Security Misconfiguration) > 219 (Storage of File with Sensitive Data Under Web Root)
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Execution with Unnecessary Privileges - (250)
809 (Weaknesses in OWASP Top Ten (2010)) > 815 (OWASP Top Ten 2010 Category A6 - Security Misconfiguration) > 250 (Execution with Unnecessary Privileges)
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Insertion of Sensitive Information into Externally-Accessible File or Directory - (538)
809 (Weaknesses in OWASP Top Ten (2010)) > 815 (OWASP Top Ten 2010 Category A6 - Security Misconfiguration) > 538 (Insertion of Sensitive Information into Externally-Accessible File or Directory)
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Files or Directories Accessible to External Parties - (552)
809 (Weaknesses in OWASP Top Ten (2010)) > 815 (OWASP Top Ten 2010 Category A6 - Security Misconfiguration) > 552 (Files or Directories Accessible to External Parties)
The product makes files or directories accessible to unauthorized actors, even though they should not be.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Incorrect Permission Assignment for Critical Resource - (732)
809 (Weaknesses in OWASP Top Ten (2010)) > 815 (OWASP Top Ten 2010 Category A6 - Security Misconfiguration) > 732 (Incorrect Permission Assignment for Critical Resource)
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage - (816)
809 (Weaknesses in OWASP Top Ten (2010)) > 816 (OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage)
Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2010.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Missing Encryption of Sensitive Data - (311)
809 (Weaknesses in OWASP Top Ten (2010)) > 816 (OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage) > 311 (Missing Encryption of Sensitive Data)
The product does not encrypt sensitive or critical information before storage or transmission.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Cleartext Storage of Sensitive Information - (312)
809 (Weaknesses in OWASP Top Ten (2010)) > 816 (OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage) > 312 (Cleartext Storage of Sensitive Information)
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Inadequate Encryption Strength - (326)
809 (Weaknesses in OWASP Top Ten (2010)) > 816 (OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage) > 326 (Inadequate Encryption Strength)
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Use of a Broken or Risky Cryptographic Algorithm - (327)
809 (Weaknesses in OWASP Top Ten (2010)) > 816 (OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage) > 327 (Use of a Broken or Risky Cryptographic Algorithm)
The product uses a broken or risky cryptographic algorithm or protocol.
*VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.Use of a One-Way Hash without a Salt - (759)
809 (Weaknesses in OWASP Top Ten (2010)) > 816 (OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage) > 759 (Use of a One-Way Hash without a Salt)
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access - (817)
809 (Weaknesses in OWASP Top Ten (2010)) > 817 (OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access)
Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2010.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Improper Authorization - (285)
809 (Weaknesses in OWASP Top Ten (2010)) > 817 (OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access) > 285 (Improper Authorization)
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.AuthZ
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Missing Authorization - (862)
809 (Weaknesses in OWASP Top Ten (2010)) > 817 (OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access) > 862 (Missing Authorization)
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.AuthZ
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Incorrect Authorization - (863)
809 (Weaknesses in OWASP Top Ten (2010)) > 817 (OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access) > 863 (Incorrect Authorization)
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.AuthZ
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection - (818)
809 (Weaknesses in OWASP Top Ten (2010)) > 818 (OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection)
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.Missing Encryption of Sensitive Data - (311)
809 (Weaknesses in OWASP Top Ten (2010)) > 818 (OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection) > 311 (Missing Encryption of Sensitive Data)
The product does not encrypt sensitive or critical information before storage or transmission.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.Cleartext Transmission of Sensitive Information - (319)
809 (Weaknesses in OWASP Top Ten (2010)) > 818 (OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection) > 319 (Cleartext Transmission of Sensitive Information)
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
+CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards - (819)
809 (Weaknesses in OWASP Top Ten (2010)) > 819 (OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards)
Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2010.
*BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.URL Redirection to Untrusted Site ('Open Redirect') - (601)
809 (Weaknesses in OWASP Top Ten (2010)) > 819 (OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards) > 601 (URL Redirection to Untrusted Site ('Open Redirect'))
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.Open RedirectCross-site RedirectCross-domain Redirect
+ Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.
+ Notes

Relationship

The relationships in this view are a direct extraction of the CWE mappings that are in the 2010 OWASP document. CWE has changed since the release of that document.
+ References
+ View Metrics
CWEs in this viewTotal CWEs
Weaknesses32out of 938
Categories10out of 374
Views0out of 50
Total42out of1362
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2010-06-17
(CWE 1.9, 2010-06-21)
CWE Content TeamMITRE
+ Modifications
Modification DateModifierOrganization
2013-07-16MITRE
Updated Reference URL
2013-07-17CWE Content TeamMITRE
updated References
2017-11-08CWE Content TeamMITRE
updated References
2019-01-03CWE Content TeamMITRE
updated Description
2020-02-24CWE Content TeamMITRE
updated View_Audience
2023-06-29CWE Content TeamMITRE
updated Mapping_Notes
Page Last Updated: February 29, 2024