CWE - VIEW GRAPH: CWE-711: Weaknesses in OWASP Top Ten (2004) (1.6)

Home > CWE List > VIEW GRAPH: CWE-711: Weaknesses in OWASP Top Ten (2004) (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-711: Weaknesses in OWASP Top Ten (2004)

Weaknesses in OWASP Top Ten (2004)

Definition in a New Window

View ID: 711 (View: Graph)

Status: Incomplete

View Data

View Objective

CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1.

View Metrics

	CWEs in this view		Total CWEs
Total	126	out of	791
Views	0	out of	22
Categories	16	out of	106
Weaknesses	107	out of	651
Compound_Elements	3	out of	12

View Audience

Stakeholder	Description
Developers	This view outlines the most important issues as identified by the OWASP Top Ten (2004 version), providing a good starting point for web application developers who want to code more securely, as well as complying with PCI DSS 1.1.
Software Customers	This view outlines the most important issues as identified by the OWASP Top Ten, providing customers with a way of asking their software developers to follow minimum expectations for secure code, in compliance with PCI-DSS 1.1.
Educators	Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. However, the 2007 version (CWE-629) might be more appropriate.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
HasMember	Category	722	OWASP Top Ten 2004 Category A1 - Unvalidated Input	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	723	OWASP Top Ten 2004 Category A2 - Broken Access Control	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	724	OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	725	OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	726	OWASP Top Ten 2004 Category A5 - Buffer Overflows	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	727	OWASP Top Ten 2004 Category A6 - Injection Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	728	OWASP Top Ten 2004 Category A7 - Improper Error Handling	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	729	OWASP Top Ten 2004 Category A8 - Insecure Storage	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	730	OWASP Top Ten 2004 Category A9 - Denial of Service	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	731	OWASP Top Ten 2004 Category A10 - Insecure Configuration Management	Weaknesses in OWASP Top Ten (2004) (primary)711

Relationship Notes

CWE relationships for this view were obtained by examining the OWASP document and mapping to any items that were specifically mentioned within the text of a category. As a result, this mapping is not complete with respect to all of CWE. In addition, some concepts were mentioned in multiple Top Ten items, which caused them to be mapped to multiple CWE categories. For example, SQL injection is mentioned in both A1 (CWE-722) and A6 (CWE-727) categories.

References

"Top 10 2004". OWASP. 2004-01-27. <http://www.owasp.org/index.php/Top_10_2004>.

PCI Security Standards Council. "About the PCI Data Security Standard (PCI DSS)". <https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml>.

Maintenance Notes

Some parts of CWE are not fully fleshed out in terms of weaknesses. When these areas were mentioned in the Top Ten, category nodes were mapped, although general mapping practice would usually favor mapping only to weaknesses.

Content History

Submissions
Submission Date	Submitter	Organization	Source
2008-08-15		Veracode	External Submission
2008-08-15	Suggested creation of view and provided mappings

Expand All | Collapse All

711 - Weaknesses in OWASP Top Ten (2004)

CategoryOWASP Top Ten 2004 Category A1 - Unvalidated Input - (722)OWASP Top Ten 2004 Category A1 - Unvalidated Input - (722)

Weakness BaseClient-Side Enforcement of Server-Side Security - (602)Client-Side Enforcement of Server-Side Security - (602)

Weakness BaseCollapse of Data Into Unsafe Value - (182)Collapse of Data Into Unsafe Value - (182)

Weakness BaseExternal Control of Assumed-Immutable Web Parameter - (472)External Control of Assumed-Immutable Web Parameter - (472)

Weakness BaseImproper Handling of Additional Special Element - (167)Improper Handling of Additional Special Element - (167)

Weakness BaseImproper Handling of Missing Special Element - (166)Improper Handling of Missing Special Element - (166)

Weakness ClassImproper Input Validation - (20)Improper Input Validation - (20)

Weakness BaseIncorrect Behavior Order: Early Validation - (179)Incorrect Behavior Order: Early Validation - (179)

Weakness BaseIncorrect Behavior Order: Validate Before Canonicalize - (180)Incorrect Behavior Order: Validate Before Canonicalize - (180)

Weakness BaseIncorrect Behavior Order: Validate Before Filter - (181)Incorrect Behavior Order: Validate Before Filter - (181)

Weakness BasePermissive Whitelist - (183)Permissive Whitelist - (183)

Weakness VariantStruts: Duplicate Validation Forms - (102)Struts: Duplicate Validation Forms - (102)

Weakness VariantStruts: Form Bean Does Not Extend Validation Class - (104)Struts: Form Bean Does Not Extend Validation Class - (104)

Weakness VariantStruts: Incomplete validate() Method Definition - (103)Struts: Incomplete validate() Method Definition - (103)

Weakness VariantStruts: Plug-in Framework not in Use - (106)Struts: Plug-in Framework not in Use - (106)

Weakness VariantStruts: Validator Turned Off - (109)Struts: Validator Turned Off - (109)

Weakness VariantURL Redirection to Untrusted Site ('Open Redirect') - (601)URL Redirection to Untrusted Site ('Open Redirect') - (601)

Compound Element: CompositeBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)

Weakness ClassFailure to Fulfill API Contract ('API Abuse') - (227)Failure to Fulfill API Contract ('API Abuse') - (227)

Weakness BaseUse of Inherently Dangerous Function - (242)Use of Inherently Dangerous Function - (242)

Weakness BaseDirect Request ('Forced Browsing') - (425)Direct Request ('Forced Browsing') - (425)

Weakness BaseFailure to Preserve Web Page Structure ('Cross-site Scripting') - (79)Failure to Preserve Web Page Structure ('Cross-site Scripting') - (79)

Weakness ClassImproper Sanitization of Special Elements used in a Command ('Command Injection') - (77)Improper Sanitization of Special Elements used in a Command ('Command Injection') - (77)

Weakness BaseImproper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - (89)Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - (89)

CategoryOWASP Top Ten 2004 Category A10 - Insecure Configuration Management - (731)OWASP Top Ten 2004 Category A10 - Insecure Configuration Management - (731)

CategoryASP.NET Environment Issues - (10)ASP.NET Environment Issues - (10)

CategoryCertificate Issues - (295)Certificate Issues - (295)

Weakness BaseFiles or Directories Accessible to External Parties - (552)Files or Directories Accessible to External Parties - (552)

Weakness BaseIncomplete Cleanup - (459)Incomplete Cleanup - (459)

Weakness VariantInformation Leak Through Access Control List Files - (529)Information Leak Through Access Control List Files - (529)

Weakness VariantInformation Leak Through Backup (.~bk) Files - (530)Information Leak Through Backup (.~bk) Files - (530)

Weakness VariantInformation Leak Through CVS Repository - (527)Information Leak Through CVS Repository - (527)

Weakness VariantInformation Leak Through Cleanup Log Files - (542)Information Leak Through Cleanup Log Files - (542)

Weakness VariantInformation Leak Through Core Dump Files - (528)Information Leak Through Core Dump Files - (528)

Weakness VariantInformation Leak Through Debug Information - (215)Information Leak Through Debug Information - (215)

Weakness VariantInformation Leak Through Debug Log Files - (534)Information Leak Through Debug Log Files - (534)

Weakness VariantInformation Leak Through Directory Listing - (548)Information Leak Through Directory Listing - (548)

Weakness VariantInformation Leak Through Environmental Variables - (526)Information Leak Through Environmental Variables - (526)

Weakness VariantInformation Leak Through Include Source Code - (541)Information Leak Through Include Source Code - (541)

Weakness VariantInformation Leak Through Log Files - (532)Information Leak Through Log Files - (532)

Weakness VariantInformation Leak Through Server Log Files - (533)Information Leak Through Server Log Files - (533)

Weakness VariantInformation Leak Through Source Code - (540)Information Leak Through Source Code - (540)

Weakness VariantInformation Leak Through Test Code - (531)Information Leak Through Test Code - (531)

CategoryJ2EE Environment Issues - (4)J2EE Environment Issues - (4)

Weakness BaseLeftover Debug Code - (489)Leftover Debug Code - (489)

Weakness VariantSensitive Data Under Web Root - (219)Sensitive Data Under Web Root - (219)

Weakness BaseError Message Information Leak - (209)Error Message Information Leak - (209)

CategoryPermission Issues - (275)Permission Issues - (275)

CategoryOWASP Top Ten 2004 Category A2 - Broken Access Control - (723)OWASP Top Ten 2004 Category A2 - Broken Access Control - (723)

Weakness VariantASP.NET Misconfiguration: Use of Identity Impersonation - (556)ASP.NET Misconfiguration: Use of Identity Impersonation - (556)

Weakness ClassAccess Control (Authorization) Issues - (284)Access Control (Authorization) Issues - (284)

Weakness BaseAccess Control Bypass Through User-Controlled Key - (639)Access Control Bypass Through User-Controlled Key - (639)

Weakness BaseDirect Request ('Forced Browsing') - (425)Direct Request ('Forced Browsing') - (425)

Weakness ClassExternal Control of File Name or Path - (73)External Control of File Name or Path - (73)

Weakness ClassImproper Access Control (Authorization) - (285)Improper Access Control (Authorization) - (285)

Weakness BaseImproper Resolution of Path Equivalence - (41)Improper Resolution of Path Equivalence - (41)

Weakness BaseIncorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)

Weakness BaseIncorrect Ownership Assignment - (708)Incorrect Ownership Assignment - (708)

Weakness BaseIncorrect Privilege Assignment - (266)Incorrect Privilege Assignment - (266)

Weakness VariantInformation Leak Through Browser Caching - (525)Information Leak Through Browser Caching - (525)

Weakness VariantJ2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)

Weakness ClassPath Traversal - (22)Path Traversal - (22)

CategoryPermission Issues - (275)Permission Issues - (275)

Weakness BasePrivilege Chaining - (268)Privilege Chaining - (268)

Weakness BaseUnverified Ownership - (283)Unverified Ownership - (283)

Weakness ClassUse of Insufficiently Random Values - (330)Use of Insufficiently Random Values - (330)

CategoryOWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management - (724)OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management - (724)

Weakness ClassAuthentication Bypass Issues - (592)Authentication Bypass Issues - (592)

Weakness VariantAuthentication Bypass by Assumed-Immutable Data - (302)Authentication Bypass by Assumed-Immutable Data - (302)

CategoryCredentials Management - (255)Credentials Management - (255)

Weakness BaseFailure to Restrict Excessive Authentication Attempts - (307)Failure to Restrict Excessive Authentication Attempts - (307)

Weakness BaseHard-Coded Password - (259)Hard-Coded Password - (259)

Weakness ClassImproper Authentication - (287)Improper Authentication - (287)

Weakness BaseImproper Following of Chain of Trust for Certificate Validation - (296)Improper Following of Chain of Trust for Certificate Validation - (296)

Weakness BaseImproper Validation of Certificate Expiration - (298)Improper Validation of Certificate Expiration - (298)

Weakness BaseInsufficient Session Expiration - (613)Insufficient Session Expiration - (613)

Weakness ClassInsufficient Verification of Data Authenticity - (345)Insufficient Verification of Data Authenticity - (345)

Weakness BaseInsufficiently Protected Credentials - (522)Insufficiently Protected Credentials - (522)

Weakness BaseMissing Critical Step in Authentication - (304)Missing Critical Step in Authentication - (304)

Compound Element: CompositeSession Fixation - (384)Session Fixation - (384)

Weakness BaseExternal Control of Assumed-Immutable Web Parameter - (472)External Control of Assumed-Immutable Web Parameter - (472)

Weakness BaseOrigin Validation Error - (346)Origin Validation Error - (346)

Weakness BaseUnintended Proxy/Intermediary - (441)Unintended Proxy/Intermediary - (441)

Weakness VariantUnverified Password Change - (620)Unverified Password Change - (620)

Weakness BaseUse of Password System for Primary Authentication - (309)Use of Password System for Primary Authentication - (309)

Weakness BaseWeak Password Recovery Mechanism for Forgotten Password - (640)Weak Password Recovery Mechanism for Forgotten Password - (640)

Weakness BaseWeak Password Requirements - (521)Weak Password Requirements - (521)

Weakness VariantInformation Leak Through Browser Caching - (525)Information Leak Through Browser Caching - (525)

CategoryOWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws - (725)OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws - (725)

Weakness BaseFailure to Preserve Web Page Structure ('Cross-site Scripting') - (79)Failure to Preserve Web Page Structure ('Cross-site Scripting') - (79)

Weakness VariantImproper Sanitization of HTTP Headers for Scripting Syntax - (644)Improper Sanitization of HTTP Headers for Scripting Syntax - (644)

CategoryOWASP Top Ten 2004 Category A5 - Buffer Overflows - (726)OWASP Top Ten 2004 Category A5 - Buffer Overflows - (726)

Compound Element: CompositeBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)

Weakness ClassFailure to Fulfill API Contract ('API Abuse') - (227)Failure to Fulfill API Contract ('API Abuse') - (227)

Weakness BaseUse of Inherently Dangerous Function - (242)Use of Inherently Dangerous Function - (242)

Weakness ClassFailure to Constrain Operations within the Bounds of a Memory Buffer - (119)Failure to Constrain Operations within the Bounds of a Memory Buffer - (119)

Weakness BaseUncontrolled Format String - (134)Uncontrolled Format String - (134)

CategoryOWASP Top Ten 2004 Category A6 - Injection Flaws - (727)OWASP Top Ten 2004 Category A6 - Injection Flaws - (727)

Weakness ClassFailure to Sanitize Data into a Different Plane ('Injection') - (74)Failure to Sanitize Data into a Different Plane ('Injection') - (74)

Compound Element: CompositeImproper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') - (98)Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') - (98)

Weakness ClassContainment Errors (Container Errors) - (216)Containment Errors (Container Errors) - (216)

Weakness BaseDirect Request ('Forced Browsing') - (425)Direct Request ('Forced Browsing') - (425)

Weakness BaseMissing Initialization - (456)Missing Initialization - (456)

Weakness VariantPHP External Variable Modification - (473)PHP External Variable Modification - (473)

Weakness BaseImproper Output Sanitization for Logs - (117)Improper Output Sanitization for Logs - (117)

Weakness BaseImproper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)

Weakness ClassImproper Sanitization of Special Elements used in a Command ('Command Injection') - (77)Improper Sanitization of Special Elements used in a Command ('Command Injection') - (77)

Weakness BaseImproper Sanitization of Special Elements used in an OS Command ('OS Command Injection') - (78)Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') - (78)

Weakness BaseImproper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - (89)Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - (89)

Weakness BaseXML Injection (aka Blind XPath Injection) - (91)XML Injection (aka Blind XPath Injection) - (91)

CategoryOWASP Top Ten 2004 Category A7 - Improper Error Handling - (728)OWASP Top Ten 2004 Category A7 - Improper Error Handling - (728)

Weakness ClassDetection of Error Condition Without Action - (390)Detection of Error Condition Without Action - (390)

Weakness ClassDiscrepancy Information Leaks - (203)Discrepancy Information Leaks - (203)

CategoryError Handling - (388)Error Handling - (388)

Weakness BaseError Message Information Leak - (209)Error Message Information Leak - (209)

Weakness ClassImproper Handling of Syntactically Invalid Structure - (228)Improper Handling of Syntactically Invalid Structure - (228)

Weakness VariantJ2EE Misconfiguration: Missing Custom Error Page - (7)J2EE Misconfiguration: Missing Custom Error Page - (7)

Weakness ClassNot Failing Securely ('Failing Open') - (636)Not Failing Securely ('Failing Open') - (636)

Weakness BaseUnchecked Error Condition - (391)Unchecked Error Condition - (391)

Weakness BaseUnchecked Return Value - (252)Unchecked Return Value - (252)

Weakness BaseUnexpected Status Code or Return Value - (394)Unexpected Status Code or Return Value - (394)

CategoryOWASP Top Ten 2004 Category A8 - Insecure Storage - (729)OWASP Top Ten 2004 Category A8 - Insecure Storage - (729)

Weakness BaseCompiler Removal of Code to Clear Buffers - (14)Compiler Removal of Code to Clear Buffers - (14)

Weakness BaseFailure to Encrypt Sensitive Data - (311)Failure to Encrypt Sensitive Data - (311)

Weakness ClassInadequate Encryption Strength - (326)Inadequate Encryption Strength - (326)

Weakness VariantInformation Leak Through Persistent Cookies - (539)Information Leak Through Persistent Cookies - (539)

Weakness VariantInformation Leak Through Query Strings in GET Request - (598)Information Leak Through Query Strings in GET Request - (598)

Weakness VariantSensitive Data Storage in Improperly Locked Memory - (591)Sensitive Data Storage in Improperly Locked Memory - (591)

Weakness BaseSensitive Information Uncleared Before Release - (226)Sensitive Information Uncleared Before Release - (226)

Weakness BaseUse of Hard-coded Cryptographic Key - (321)Use of Hard-coded Cryptographic Key - (321)

Weakness BaseUse of a Broken or Risky Cryptographic Algorithm - (327)Use of a Broken or Risky Cryptographic Algorithm - (327)

Weakness VariantWeak Cryptography for Passwords - (261)Weak Cryptography for Passwords - (261)

CategoryOWASP Top Ten 2004 Category A9 - Denial of Service - (730)OWASP Top Ten 2004 Category A9 - Denial of Service - (730)

Weakness ClassAsymmetric Resource Consumption (Amplification) - (405)Asymmetric Resource Consumption (Amplification) - (405)

Weakness BaseDivide By Zero - (369)Divide By Zero - (369)

Weakness BaseFailure to Release Memory Before Removing Last Reference ('Memory Leak') - (401)Failure to Release Memory Before Removing Last Reference ('Memory Leak') - (401)

Weakness BaseImproper Null Termination - (170)Improper Null Termination - (170)

Weakness BaseImproper Resource Shutdown or Release - (404)Improper Resource Shutdown or Release - (404)

Weakness BaseInsufficient Resource Pool - (410)Insufficient Resource Pool - (410)

Weakness VariantJ2EE Bad Practices: Use of System.exit() - (382)J2EE Bad Practices: Use of System.exit() - (382)

Weakness BaseNULL Pointer Dereference - (476)NULL Pointer Dereference - (476)

Weakness BaseUncaught Exception - (248)Uncaught Exception - (248)

Weakness BaseUncontrolled Recursion - (674)Uncontrolled Recursion - (674)

Weakness BaseUncontrolled Resource Consumption ('Resource Exhaustion') - (400)Uncontrolled Resource Consumption ('Resource Exhaustion') - (400)

Weakness BaseUnrestricted Externally Accessible Lock - (412)Unrestricted Externally Accessible Lock - (412)

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us