CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.0)  
ID

CWE VIEW: Weaknesses in OWASP Top Ten (2013)

View ID: 928
Type: Graph
Status: Incomplete
Downloads: Booklet | CSV | XML
+ Objective
CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2013.
+ Audience
StakeholderDescription
Software DevelopersThis view outlines the most important issues as identified by the OWASP Top Ten (2013 version), providing a good starting point for web application developers who want to code more securely.
Software CustomersThis view outlines the most important issues as identified by the OWASP Top Ten (2013 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code.
EducatorsSince the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students.
+ Relationships
Show Details:
928 - Weaknesses in OWASP Top Ten (2013)
+CategoryCategoryOWASP Top Ten 2013 Category A1 - Injection - (929)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection)
Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2013.
*ClassClassImproper Neutralization of Special Elements used in a Command ('Command Injection') - (77)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
*BaseBaseImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Shell injectionShell metacharacters
*BaseBaseArgument Injection or Modification - (88)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 88 (Argument Injection or Modification)
The software does not sufficiently delimit the arguments being passed to a component in another control sphere, allowing alternate arguments to be provided, leading to potentially security-relevant changes.
+BaseBaseImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
*VariantVariantSQL Injection: Hibernate - (564)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')) > 564 (SQL Injection: Hibernate)
Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
*BaseBaseImproper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - (90)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'))
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
*BaseBaseXML Injection (aka Blind XPath Injection) - (91)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 91 (XML Injection (aka Blind XPath Injection))
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
+CategoryCategoryOWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management - (930)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management)
Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2013.
*VariantVariantPlaintext Storage of a Password - (256)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 256 (Plaintext Storage of a Password)
Storing a password in plaintext may result in a system compromise.
*ClassClassImproper Authentication - (287)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 287 (Improper Authentication)
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.authentificationAuthC
*BaseBaseMissing Encryption of Sensitive Data - (311)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 311 (Missing Encryption of Sensitive Data)
The software does not encrypt sensitive or critical information before storage or transmission.
*BaseBaseCleartext Transmission of Sensitive Information - (319)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 319 (Cleartext Transmission of Sensitive Information)
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
*CompositeCompositeSession Fixation - (384)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 384 (Session Fixation)
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
*BaseBaseInsufficiently Protected Credentials - (522)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 522 (Insufficiently Protected Credentials)
This weakness occurs when the application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
*VariantVariantUnprotected Transport of Credentials - (523)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 523 (Unprotected Transport of Credentials)
Login pages not using adequate measures to protect the user name and password while they are in transit from the client to the server.
*BaseBaseInsufficient Session Expiration - (613)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 613 (Insufficient Session Expiration)
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
*VariantVariantUnverified Password Change - (620)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 620 (Unverified Password Change)
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
*BaseBaseWeak Password Recovery Mechanism for Forgotten Password - (640)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 640 (Weak Password Recovery Mechanism for Forgotten Password)
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
+CategoryCategoryOWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS) - (931)
928 (Weaknesses in OWASP Top Ten (2013)) > 931 (OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS))
Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2013.
*BaseBaseImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
928 (Weaknesses in OWASP Top Ten (2013)) > 931 (OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.XSSCSS
+CategoryCategoryOWASP Top Ten 2013 Category A4 - Insecure Direct Object References - (932)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References)
Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2013.
*ClassClassImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Directory traversalPath traversal
*BaseBaseAuthorization Bypass Through User-Controlled Key - (639)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References) > 639 (Authorization Bypass Through User-Controlled Key)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Insecure Direct Object ReferenceHorizontal Authorization
*BaseBaseImproper Control of Resource Identifiers ('Resource Injection') - (99)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References) > 99 (Improper Control of Resource Identifiers ('Resource Injection'))
The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Insecure Direct Object Reference
+CategoryCategoryOWASP Top Ten 2013 Category A5 - Security Misconfiguration - (933)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration)
Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2013.
*CategoryCategoryConfiguration - (16)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 16 (Configuration)
Weaknesses in this category are typically introduced during the configuration of the software.
*CategoryCategory7PK - Environment - (2)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 2 (7PK - Environment)
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
*BaseBaseInformation Exposure Through an Error Message - (209)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 209 (Information Exposure Through an Error Message)
The software generates an error message that includes sensitive information about its environment, users, or associated data.
*VariantVariantInformation Exposure Through Debug Information - (215)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 215 (Information Exposure Through Debug Information)
The application contains debugging code that can expose sensitive information to untrusted parties.
*VariantVariantInformation Exposure Through Directory Listing - (548)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 548 (Information Exposure Through Directory Listing)
A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
+CategoryCategoryOWASP Top Ten 2013 Category A6 - Sensitive Data Exposure - (934)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure)
Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2013.
*CategoryCategoryCryptographic Issues - (310)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 310 (Cryptographic Issues)
Weaknesses in this category are related to the use of cryptography.
*BaseBaseMissing Encryption of Sensitive Data - (311)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 311 (Missing Encryption of Sensitive Data)
The software does not encrypt sensitive or critical information before storage or transmission.
*BaseBaseCleartext Storage of Sensitive Information - (312)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 312 (Cleartext Storage of Sensitive Information)
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
*BaseBaseCleartext Transmission of Sensitive Information - (319)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 319 (Cleartext Transmission of Sensitive Information)
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
*CategoryCategoryKey Management Errors - (320)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 320 (Key Management Errors)
Weaknesses in this category are related to errors in the management of cryptographic keys.
*BaseBaseMissing Required Cryptographic Step - (325)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 325 (Missing Required Cryptographic Step)
The software does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by that algorithm.
*ClassClassInadequate Encryption Strength - (326)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 326 (Inadequate Encryption Strength)
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
*BaseBaseUse of a Broken or Risky Cryptographic Algorithm - (327)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 327 (Use of a Broken or Risky Cryptographic Algorithm)
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
*BaseBaseReversible One-Way Hash - (328)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 328 (Reversible One-Way Hash)
The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.
+CategoryCategoryOWASP Top Ten 2013 Category A7 - Missing Function Level Access Control - (935)
928 (Weaknesses in OWASP Top Ten (2013)) > 935 (OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control)
Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2013.
*ClassClassImproper Authorization - (285)
928 (Weaknesses in OWASP Top Ten (2013)) > 935 (OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control) > 285 (Improper Authorization)
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.AuthZ
*ClassClassImproper Authentication - (287)
928 (Weaknesses in OWASP Top Ten (2013)) > 935 (OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control) > 287 (Improper Authentication)
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.authentificationAuthC
+CategoryCategoryOWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF) - (936)
928 (Weaknesses in OWASP Top Ten (2013)) > 936 (OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF))
Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2013.
*CompositeCompositeCross-Site Request Forgery (CSRF) - (352)
928 (Weaknesses in OWASP Top Ten (2013)) > 936 (OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF)) > 352 (Cross-Site Request Forgery (CSRF))
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Session RidingCross Site Reference ForgeryXSRF
*CategoryCategoryOWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities - (937)
928 (Weaknesses in OWASP Top Ten (2013)) > 937 (OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities)
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
+CategoryCategoryOWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards - (938)
928 (Weaknesses in OWASP Top Ten (2013)) > 938 (OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards)
Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2013.
*VariantVariantURL Redirection to Untrusted Site ('Open Redirect') - (601)
928 (Weaknesses in OWASP Top Ten (2013)) > 938 (OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards) > 601 (URL Redirection to Untrusted Site ('Open Redirect'))
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.Open RedirectCross-site RedirectCross-domain Redirect
+ Notes

Relationship

The relationships in this view are a direct extraction of the CWE mappings that are in the 2013 OWASP document. CWE has changed since the release of that document.
+ References
[REF-926] "Top 10 2013". OWASP. 2013-06-12. <https://www.owasp.org/index.php/Top_10_2013>.
+ View Metrics
CWEs in this viewTotal CWEs
Weaknesses32out of 714
Categories14out of 237
Views0out of 31
Total46out of982
+ Content History
Submissions
Submission DateSubmitterOrganization
2013-07-16CWE Content TeamMITRE
Modifications
Modification DateModifierOrganization
2017-11-08CWE Content TeamMITRE
updated References

More information is available — Please select a different filter.
Page Last Updated: January 18, 2018