
CWE-1000: Research Concepts

Research Concepts
Status: Draft
View ID: 1000 (View: Graph)
Objective

This view is intended to facilitate research into weaknesses, including their inter-dependencies and their role in vulnerabilities. It classifies weaknesses in a way that largely ignores how they can be detected, where they appear in code, and when they are introduced in the software development life-cycle. Instead, it is mainly organized according to abstractions of software behaviors. It uses a deep hierarchical organization, with more levels of abstraction than other classification schemes. The top-level entries are called Pillars.

Where possible, this view uses abstractions that do not consider particular languages, frameworks, technologies, life-cycle development phases, frequency of occurrence, or types of resources. It explicitly identifies relationships that form chains and composites, which have not been a formal part of past classification efforts. Chains and composites might help explain why mutual exclusivity is difficult to achieve within security error taxonomies.

This view is roughly aligned with MITRE's research into vulnerability theory, especially with respect to behaviors and resources. Ideally, this view will only cover weakness-to-weakness relationships, with minimal overlap and very few categories. This view could be useful for academic research, CWE maintenance, and mapping. It can be leveraged to systematically identify theoretical gaps within CWE and, by extension, the general security community.

View Data

CWEs in this view (out of total CWEs):
Total: 651 out of 777
Views: 0 out of 22
Categories: 9 out of 105
Weaknesses: 630 out of 638
Compound_Elements: 12 out of 12
View Audience
Academic Researchers

This view provides an organizational structure for weaknesses that is different from the approaches undertaken by taxonomies such as Seven Pernicious Kingdoms.

Applied Researchers

Applied researchers could use the higher-level classes and bases to identify potential areas for future research.

Developers

Developers who have fully integrated security into their SDLC might find this view useful in identifying general patterns of issues within code, instead of relying heavily on "badness lists" that only cover the most severe issues.

Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
HasMember | Weakness Class | 682 | Incorrect Calculation | Research Concepts (primary) 1000
HasMember | Weakness Class | 118 | Improper Access of Indexable Resource ('Range Error') | Research Concepts (primary) 1000
HasMember | Weakness Class | 330 | Use of Insufficiently Random Values | Research Concepts (primary) 1000
HasMember | Weakness Class | 435 | Interaction Error | Research Concepts (primary) 1000
HasMember | Weakness Class | 664 | Improper Control of a Resource Through its Lifetime | Research Concepts (primary) 1000
HasMember | Weakness Class | 691 | Insufficient Control Flow Management | Research Concepts (primary) 1000
HasMember | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000
HasMember | Weakness Class | 697 | Insufficient Comparison | Research Concepts (primary) 1000
HasMember | Weakness Class | 703 | Failure to Handle Exceptional Conditions | Research Concepts (primary) 1000
HasMember | Weakness Class | 706 | Use of Incorrectly-Resolved Name or Reference | Research Concepts (primary) 1000
HasMember | Weakness Class | 707 | Improper Enforcement of Message or Data Structure | Research Concepts (primary) 1000
HasMember | Weakness Class | 710 | Coding Standards Violation | Research Concepts (primary) 1000
Content History
Modifications
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Description, Name, Relationships, View_Audience, View_Structure
Previous Entry Names
* Natural Hierarchy (changed 2008-09-09)

[Weakness Base] Absolute Path Traversal - (36)
[Weakness Base] Acceptance of Extraneous Untrusted Data With Trusted Data - (349)
[Weakness Class] Access Control (Authorization) Issues - (284)
[Weakness Base] Access Control Bypass Through User-Controlled Key - (639)
[Weakness Variant] Access Control Bypass Through User-Controlled SQL Primary Key - (566)
[Weakness Variant] Access to Critical Private Variable via Public Method - (767)
[Weakness Base] Addition of Data Structure Sentinel - (464)
[Weakness Base] Algorithmic Complexity - (407)
[Weakness Variant] Allocation of File Descriptors or Handles Without Limits or Throttling - (774)
[Weakness Base] Allocation of Resources Without Limits or Throttling - (770)
[Weakness Class] Always-Incorrect Control Flow Implementation - (670)
[Weakness Variant] Apple '.DS_Store' - (71)
[Weakness Base] Argument Injection or Modification - (88)
[Weakness Variant] Array Declared Public, Final, and Static - (582)
[Weakness Variant] ASP.NET Misconfiguration: Creating Debug Binary - (11)
[Weakness Variant] ASP.NET Misconfiguration: Missing Custom Error Page - (12)
[Weakness Variant] ASP.NET Misconfiguration: Not Using Input Validation Framework - (554)
[Weakness Variant] ASP.NET Misconfiguration: Password in Configuration File - (13)
[Weakness Variant] ASP.NET Misconfiguration: Use of Identity Impersonation - (556)
[Weakness Variant] Assigning instead of Comparing - (481)
[Weakness Base] Assignment of a Fixed Address to a Pointer - (587)
[Weakness Class] Asymmetric Resource Consumption (Amplification) - (405)
[Weakness Variant] Attempt to Access Child of a Non-structure Pointer - (588)
[Weakness Variant] Authentication Bypass by Alternate Name - (289)
[Weakness Variant] Authentication Bypass by Assumed-Immutable Data - (302)
[Weakness Base] Authentication Bypass by Capture-replay - (294)
[Weakness Base] Authentication Bypass by Primary Weakness - (305)
[Weakness Base] Authentication Bypass by Spoofing - (290)
[Weakness Class] Authentication Bypass Issues - (592)
[Weakness Base] Authentication Bypass Using an Alternate Path or Channel - (288)
[Weakness Variant] Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created - (593)
[Weakness Base] Behavioral Change in New Version or Environment - (439)
[Weakness Base] Behavioral Discrepancy Information Leak - (205)
[Weakness Base] Boundary Beginning Violation ('Buffer Underwrite') - (124)
[Compound Element: Composite] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
[Weakness Variant] Buffer Over-read - (126)
[Weakness Variant] Buffer Under-read - (127)
[Weakness Variant] Call to Non-ubiquitous API - (589)
[Weakness Variant] Call to Thread run() instead of start() - (572)
[Weakness Class] Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - (300)
[Category] Cleansing, Canonicalization, and Comparison Errors - (171)
[Weakness Base] Cleartext Storage of Sensitive Information - (312)
[Weakness Base] Cleartext Transmission of Sensitive Information - (319)
[Weakness Base] Client-Side Enforcement of Server-Side Security - (602)
[Weakness Variant] clone() Method Without super.clone() - (580)
[Weakness Class] Coding Standards Violation - (710)
[Weakness Base] Collapse of Data Into Unsafe Value - (182)
[Weakness Variant] Command Shell in Externally Accessible Directory - (553)
[Weakness Variant] Comparing instead of Assigning - (482)
[Weakness Variant] Comparison of Classes by Name - (486)
[Weakness Base] Comparison of Object References Instead of Object Contents - (595)
[Weakness Base] Compiler Optimization Removal or Modification of Security-critical Code - (733)
[Weakness Base] Compiler Removal of Code to Clear Buffers - (14)
[Category] Concurrency Issues - (557)
[Weakness Class] Containment Errors (Container Errors) - (216)
[Weakness Base] Context Switching Race Condition - (368)
[Weakness Class] Covert Channel - (514)
[Weakness Base] Covert Storage Channel - (515)
[Weakness Base] Covert Timing Channel - (385)
[Weakness Base] Creation of Temporary File in Directory with Incorrect Permissions - (379)
[Weakness Base] Creation of Temporary File With Insecure Permissions - (378)
[Weakness Variant] Critical Public Variable Without Final Modifier - (493)
[Weakness Variant] Critical Variable Declared Public - (766)
[Weakness Base] Cross-boundary Cleansing Information Leak - (212)
[Compound Element: Composite] Cross-Site Request Forgery (CSRF) - (352)
[Category] Cryptographic Issues - (310)
[Weakness Base] Dangerous Handler not Disabled During Sensitive Operations - (432)
[Weakness Base] Dangling Database Cursor ('Cursor Injection') - (619)
[Weakness Variant] Data Leak Between Sessions - (488)
[Weakness Variant] Dead Code - (561)
[Weakness Base] Declaration of Catch for Generic Exception - (396)
[Weakness Base] Declaration of Throws for Generic Exception - (397)
[Weakness Base] Deletion of Data Structure Sentinel - (463)
[Weakness Base] Deployment of Wrong Handler - (430)
[Weakness Variant] Deserialization of Untrusted Data - (502)
[Weakness Class] Detection of Error Condition Without Action - (390)
[Weakness Base] Direct Request ('Forced Browsing') - (425)
[Weakness Base] Direct Use of Unsafe JNI - (111)
[Weakness Class] Discrepancy Information Leaks - (203)
[Weakness Base] Divide By Zero - (369)
[Weakness Variant] Double Decoding of the Same Data - (174)
[Weakness Variant] Double Free - (415)
[Weakness Base] Double-Checked Locking - (609)
[Weakness Variant] Doubled Character XSS Manipulations - (85)
[Weakness Base] Download of Code Without Integrity Check - (494)
[Weakness Base] Duplicate Key in Associative List (Alist) - (462)
[Weakness Class] Duplicate Operations on Resource - (675)
[Weakness Base] Dynamic Variable Evaluation - (627)
[Weakness Variant] EJB Bad Practices: Use of AWT Swing - (575)
[Weakness Variant] EJB Bad Practices: Use of Class Loader - (578)
[Weakness Variant] EJB Bad Practices: Use of Java I/O - (576)
[Weakness Variant] EJB Bad Practices: Use of Sockets - (577)
[Weakness Variant] EJB Bad Practices: Use of Synchronization Primitives - (574)
[Weakness Class] Embedded Malicious Code - (506)
[Weakness Variant] Empty Password in Configuration File - (258)
[Weakness Variant] Empty Synchronized Block - (585)
[Weakness Class] Encoding Error - (172)
[Category] Error Handling - (388)
[Weakness Base] Error Message Information Leak - (209)
[Weakness Base] Executable Regular Expression Error - (624)
[Weakness Class] Execution with Unnecessary Privileges - (250)
[Weakness Base] Expected Behavior Violation - (440)
[Weakness Variant] Explicit Call to Finalize() - (586)
[Weakness Base] Exposed Dangerous Method or Function - (749)
[Weakness Base] Exposed Unsafe ActiveX Method - (618)
[Weakness Class] Exposure of Resource to Wrong Sphere - (668)
[Weakness Variant] Expression is Always False - (570)
[Weakness Variant] Expression is Always True - (571)
[Weakness Variant] External Behavioral Inconsistency Information Leak - (207)
[Weakness Base] External Control of Assumed-Immutable Web Parameter - (472)
[Weakness Class] External Control of Critical State Data - (642)
[Weakness Class] External Control of File Name or Path - (73)
[Weakness Base] External Control of System or Configuration Setting - (15)
[Weakness Class] External Influence of Sphere Definition - (673)
[Weakness Base] External Initialization of Trusted Variables - (454)
[Weakness Class] Externally Controlled Reference to a Resource in Another Sphere - (610)
[Weakness Base] Failure to Add Integrity Check Value - (353)
[Weakness Base] Failure to Catch All Exceptions in Servlet - (600)
[Weakness Variant] Failure to Change Working Directory in chroot Jail - (243)
[Weakness Variant] Failure to Clear Heap Memory Before Release ('Heap Inspection') - (244)
[Weakness Class] Failure to Constrain Operations within the Bounds of a Memory Buffer - (119)
[Weakness Class] Failure to Control Generation of Code ('Code Injection') - (94)
[Weakness Base] Failure to Encrypt Sensitive Data - (311)
[Weakness Class] Failure to Follow Specification - (573)
[Weakness Class] Failure to Fulfill API Contract ('API Abuse') - (227)
[Weakness Variant] Failure to Handle Alternate Encoding - (173)
[Weakness Class] Failure to Handle Exceptional Conditions - (703)
[Weakness Base] Failure to Handle Incomplete Element - (239)
[Weakness Base] Failure to Handle Missing Parameter - (234)
[Weakness Variant] Failure to Handle Mixed Encoding - (175)
[Weakness Variant] Failure to Handle Unicode Encoding - (176)
[Weakness Variant] Failure to Handle URL Encoding (Hex Encoding) - (177)
[Weakness Variant] Failure to Handle Windows ::DATA Alternate Data Stream - (69)
[Weakness Base] Failure to Preserve OS Command Structure ('OS Command Injection') - (78)
[Weakness Base] Failure to Preserve SQL Query Structure ('SQL Injection') - (89)
[Weakness Base] Failure to Preserve Web Page Structure ('Cross-site Scripting') - (79)
[Weakness Class] Failure to Protect Alternate Path - (424)
[Weakness Base] Failure to Provide Specified Functionality - (684)
[Weakness Base] Failure to Release Memory Before Removing Last Reference ('Memory Leak') - (401)
[Weakness Base] Failure to Report Error in Status Code - (392)
[Weakness Base] Failure to Resolve Case Sensitivity - (178)
[Weakness Variant] Failure to Resolve Encoded URI Schemes in a Web Page - (84)
[Weakness Base] Failure to Resolve Equivalent Special Elements into a Different Plane - (76)
[Weakness Base] Failure to Resolve Inconsistent Special Elements - (168)
[Weakness Base] Failure to Restrict Excessive Authentication Attempts - (307)
[Weakness Variant] Failure to Sanitize Alternate XSS Syntax - (87)
[Weakness Base] Failure to Sanitize CRLF Sequences ('CRLF Injection') - (93)
[Weakness Base] Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') - (113)
[Weakness Class] Failure to Sanitize Data into a Control Plane ('Command Injection') - (77)
[Weakness Class] Failure to Sanitize Data into a Different Plane ('Injection') - (74)
[Weakness Base] Failure to Sanitize Data into LDAP Queries ('LDAP Injection') - (90)
[Weakness Base] Failure to Sanitize Data within XPath Expressions ('XPath injection') - (643)
[Weakness Base] Failure to Sanitize Data within XQuery Expressions ('XQuery Injection') - (652)
[Weakness Base] Failure to Sanitize Delimiters - (140)
[Weakness Variant] Failure to Sanitize Escape, Meta, or Control Sequences - (150)
[Weakness Variant] Failure to Sanitize Expression/Command Delimiters - (146)
[Weakness Variant] Failure to Sanitize Input Leaders - (148)
[Weakness Variant] Failure to Sanitize Invalid Characters in Identifiers in Web Pages - (86)
[Weakness Variant] Failure to Sanitize Line Delimiters - (144)
[Weakness Variant] Failure to Sanitize Null Byte or NUL Character - (158)
[Weakness Variant] Failure to Sanitize Paired Delimiters - (157)
[Weakness Variant] Failure to Sanitize Parameter/Argument Delimiters - (141)
[Weakness Variant] Failure to Sanitize Quoting Syntax - (149)
[Weakness Variant] Failure to Sanitize Record Delimiters - (143)
[Weakness Variant] Failure to Sanitize Script in Attributes in a Web Page - (83)
[Weakness Variant] Failure to Sanitize Section Delimiters - (145)
[Weakness Base] Failure to Sanitize Server-Side Includes (SSI) Within a Web Page - (97)
[Weakness Class] Failure to Sanitize Special Element - (159)
[Weakness Class] Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - (75)
[Weakness Variant] Failure to Sanitize Value Delimiters - (142)
[Weakness Base] Failure to Use a Standardized Error Handling Mechanism - (544)
[Weakness Class] Failure to Use Complete Mediation - (638)
[Weakness Class] Failure to Use Economy of Mechanism - (637)
[Weakness Base] File and Directory Information Leaks - (538)
[Weakness Base] Files or Directories Accessible to External Parties - (552)
[Weakness Variant] finalize() Method Declared Public - (583)
[Weakness Variant] finalize() Method Without super.finalize() - (568)
[Weakness Variant] Free of Memory not on the Heap - (590)
[Weakness Variant] Free of Pointer not at Start of Buffer - (761)
[Weakness Variant] Function Call With Incorrect Argument Type - (686)
[Weakness Variant] Function Call With Incorrect Number of Arguments - (685)
[Weakness Variant] Function Call With Incorrect Order of Arguments - (683)
[Weakness Variant] Function Call With Incorrect Variable or Reference as Argument - (688)
[Weakness Variant] Function Call With Incorrectly Specified Argument Value - (687)
[Weakness Base] Function Call with Incorrectly Specified Arguments - (628)
[Weakness Base] Hard-Coded Password - (259)
[Weakness Variant] Heap-based Buffer Overflow - (122)
[Weakness Base] Improper Access Control (Authorization) - (285)
[Weakness Class] Improper Access of Indexable Resource ('Range Error') - (118)
[Weakness Class] Improper Authentication - (287)
[Weakness Base] Improper Check for Certificate Revocation - (299)
[Weakness Base] Improper Check for Dropped Privileges - (273)
[Weakness Class] Improper Check for Exceptional Conditions - (754)
[Weakness Variant] Improper Cleanup on Thrown Exception - (460)
[Weakness Class] Improper Control of a Resource Through its Lifetime - (664)
[Compound Element: Composite] Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') - (98)
[Weakness Base] Improper Control of Resource Identifiers ('Resource Injection') - (99)
[Weakness Class] Improper Encoding or Escaping of Output - (116)
[Weakness Class] Improper Enforcement of Message or Data Structure - (707)
[Weakness Base] Improper Following of Chain of Trust for Certificate Validation - (296)
[Weakness Base] Improper Handling of Additional Special Element - (167)
[Weakness Variant] Improper Handling of Apple HFS+ Alternate Data Stream Path - (72)
[Weakness Class] Improper Handling of Exceptional Conditions - (755)
[Weakness Base] Improper Handling of Extra Parameters - (235)
[Weakness Base] Improper Handling of Extra Values - (231)
[Weakness Base] Improper Handling of File Names that Identify Virtual Resources - (66)
[Weakness Base] Improper Handling of Highly Compressed Data (Data Amplification) - (409)
[Weakness Base] Improper Handling of Incomplete Structural Elements - (238)
[Weakness Base] Improper Handling of Inconsistent Structural Elements - (240)
[Weakness Variant] Improper Handling of Insufficient Entropy in TRNG - (333)
[Weakness Base] Improper Handling of Insufficient Permissions or Privileges - (280)
[Weakness Base] Improper Handling of Insufficient Privileges - (274)
[Weakness Base] Improper Handling of Length Parameter Inconsistency - (130)
[Weakness Base] Improper Handling of Missing Special Element - (166)
[Weakness Base] Improper Handling of Missing Values - (230)
[Weakness Class] Improper Handling of Structural Elements - (237)
[Weakness Class] Improper Handling of Syntactically Invalid Structure - (228)
[Weakness Base] Improper Handling of Undefined Parameters - (236)
[Weakness Base] Improper Handling of Undefined Values - (232)
[Weakness Base] Improper Handling of Unexpected Data Type - (241)
[Weakness Class] Improper Handling of Values - (229)
[Weakness Variant] Improper Handling of Windows Device Names - (67)
[Weakness Base] Improper Initialization - (665)
[Weakness Class] Improper Input Validation - (20)
[Weakness Base] Improper Link Resolution Before File Access ('Link Following') - (59)
[Weakness Base] Improper Null Termination - (170)
[Weakness Base] Improper Output Sanitization for Logs - (117)
[Weakness Class] Improper Ownership Management - (282)
[Weakness Base] Improper Preservation of Permissions - (281)
[Weakness Base] Improper Privilege Management - (269)
[Weakness Base] Improper Resolution of Path Equivalence - (41)
[Weakness Base] Improper Resource Shutdown or Release - (404)
[Weakness Variant] Improper Sanitization of Comment Delimiters - (151)
[Weakness Base] Improper Sanitization of Custom Special Characters - (92)
[Weakness Base] Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)
[Weakness Base] Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection') - (96)
[Weakness Variant] Improper Sanitization of HTTP Headers for Scripting Syntax - (644)
[Weakness Variant] Improper Sanitization of Input Terminators - (147)
[Weakness Variant] Improper Sanitization of Internal Special Elements - (164)
[Weakness Variant] Improper Sanitization of Leading Special Elements - (160)
[Weakness Variant] Improper Sanitization of Macro Symbols - (152)
[Weakness Variant] Improper Sanitization of Multiple Internal Special Elements - (165)
[Weakness Variant] Improper Sanitization of Multiple Leading Special Elements - (161)
[Weakness Variant] Improper Sanitization of Multiple Trailing Special Elements - (163)
[Weakness Variant] Improper Sanitization of Script in an Error Message Web Page - (81)
[Weakness Variant] Improper Sanitization of Script in Attributes of IMG Tags in a Web Page - (82)
[Weakness Variant] Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS) - (80)
[Weakness Class] Improper Sanitization of Special Elements - (138)
[Weakness Variant] Improper Sanitization of Substitution Characters - (153)
[Weakness Variant] Improper Sanitization of Trailing Special Elements - (162)
[Weakness Variant] Improper Sanitization of Variable Name Delimiters - (154)
[Weakness Variant] Improper Sanitization of Whitespace - (156)
[Weakness Variant] Improper Sanitization of Wildcards or Matching Symbols - (155)
[Weakness Base] Improper Validation of Certificate Expiration - (298)
[Weakness Base] Improper Validation of Host-specific Certificate Data - (297)
[Weakness Base] Improper Validation of Integrity Check Value - (354)
[Weakness Base] Improper Verification of Cryptographic Signature - (347)
[Weakness Base] Improperly Implemented Security Check for Standard - (358)
[Weakness Base] Improperly Trusted Reverse DNS - (350)
[Weakness Base] Incomplete Blacklist - (184)
[Compound Element: Chain] Incomplete Blacklist to Cross-Site Scripting - (692)
[Weakness Base] Incomplete Cleanup - (459)
[Weakness Variant] Incomplete Identification of Uploaded File Variables (PHP) - (616)
[Weakness Base] Incomplete Internal State Distinction - (372)
[Weakness Base] Incomplete Model of Endpoint Features - (437)
[Weakness Base] Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') - (444)
[Weakness Class] Incorrect Behavior Order - (696)
[Weakness Base] Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)
[Weakness Base] Incorrect Behavior Order: Early Amplification - (408)
[Weakness Base] Incorrect Behavior Order: Early Validation - (179)
[Weakness Base] Incorrect Behavior Order: Validate Before Canonicalize - (180)
[Weakness Base] Incorrect Behavior Order: Validate Before Filter - (181)
[Weakness Variant] Incorrect Block Delimitation - (483)
[Weakness Class] Incorrect Calculation - (682)
[Weakness Base] Incorrect Calculation of Buffer Size - (131)
[Weakness Base] Incorrect Calculation of Multi-Byte String Length - (135)
[Weakness Base] Incorrect Check of Function Return Value - (253)
[Weakness Class] Incorrect Control Flow Scoping - (705)
[Weakness Base] Incorrect Conversion between Numeric Types - (681)
[Weakness Variant] Incorrect Default Permissions - (276)
[Weakness Variant] Incorrect Execution-Assigned Permissions - (279)
[Weakness Base] Incorrect Implementation of Authentication Algorithm - (303)
[Weakness Base] Incorrect Ownership Assignment - (708)
[Weakness Class] Incorrect Permission Assignment for Critical Resource - (732)
[Weakness Base] Incorrect Pointer Scaling - (468)
[Weakness Base] Incorrect Privilege Assignment - (266)
[Weakness Class] Incorrect Regular Expression - (185)
[Weakness Class] Incorrect Resource Transfer Between Spheres - (669)
[Weakness Base] Incorrect Semantic Object Comparison - (596)
[Weakness Variant] Incorrect Short Circuit Evaluation - (768)
[Weakness Class] Incorrect Type Conversion or Cast - (704)
[Weakness Base] Incorrect Use of Privileged APIs - (648)
[Weakness Class] Incorrect User Management - (286)
[Weakness Class] Indicator of Poor Code Quality - (398)
[Weakness Class] Information Leak (Information Disclosure) - (200)
[Weakness Variant] Information Leak of System Data - (497)
[Weakness Variant] Information Leak Through Access Control List Files - (529)
[Weakness Variant] Information Leak Through Backup (.~bk) Files - (530)
[Weakness Variant] Information Leak Through Browser Caching - (525)
[Weakness Variant] Information Leak Through Caching - (524)
[Weakness Variant] Information Leak through Class Cloning - (498)
[Weakness Variant] Information Leak Through Cleanup Log Files - (542)
[Weakness Variant] Information Leak Through Comments - (615)
[Weakness Variant] Information Leak Through Core Dump Files - (528)
[Weakness Variant] Information Leak Through CVS Repository - (527)
[Weakness Variant] Information Leak Through Debug Information - (215)
[Weakness Variant] Information Leak Through Debug Log Files - (534)
[Weakness Variant] Information Leak Through Directory Listing - (548)
[Weakness Variant] Information Leak Through Environmental Variables - (526)
[Weakness Variant] Information Leak Through Include Source Code - (541)
[Weakness Variant] Information Leak Through Indexing of Private Data - (612)
[Weakness Variant] Information Leak Through Java Runtime Error Message - (537)
[Weakness Variant] Information Leak Through Log Files - (532)
[Weakness Variant] Information Leak Through Persistent Cookies - (539)
[Weakness Variant] Information Leak Through Query Strings in GET Request - (598)
Weakness VariantWeakness VariantWeakness Variant Information Leak Through Sent Data - (201)
Weakness VariantWeakness VariantWeakness Variant Information Leak Through Server Error Message - (550)
Weakness VariantWeakness VariantWeakness Variant Information Leak Through Server Log Files - (533)
Weakness VariantWeakness VariantWeakness Variant Information Leak Through Servlet Runtime Error Message - (536)
Weakness VariantWeakness VariantWeakness Variant Information Leak Through Shell Error Message - (535)
Weakness VariantWeakness VariantWeakness Variant Information Leak Through Source Code - (540)
Weakness VariantWeakness VariantWeakness Variant Information Leak Through Test Code - (531)
Weakness VariantWeakness VariantWeakness Variant Information Leak through WSDL File - (651)
Weakness VariantWeakness VariantWeakness Variant Information Leak Through XML External Entity File Disclosure - (611)
Weakness ClassWeakness ClassWeakness Class Information Loss or Omission - (221)
Weakness BaseWeakness BaseWeakness Base Insecure Default Variable Initialization - (453)
Weakness VariantWeakness VariantWeakness Variant Insecure Inherited Permissions - (277)
Weakness VariantWeakness VariantWeakness Variant Insecure Preserved Inherited Permissions - (278)
Weakness BaseWeakness BaseWeakness Base Insecure Temporary File - (377)
Weakness ClassWeakness ClassWeakness Class Insufficient Comparison - (697)
Weakness BaseWeakness BaseWeakness Base Insufficient Compartmentalization - (653)
Weakness ClassWeakness ClassWeakness Class Insufficient Control Flow Management - (691)
Weakness BaseWeakness BaseWeakness Base Insufficient Control of Network Message Volume (Network Amplification) - (406)
Weakness ClassWeakness ClassWeakness Class Insufficient Encapsulation - (485)
Weakness BaseWeakness BaseWeakness Base Insufficient Entropy - (331)
Weakness VariantWeakness VariantWeakness Variant Insufficient Entropy in PRNG - (332)
Weakness VariantWeakness VariantWeakness Variant Insufficient Filtering of File and Other Resource Names for Executable Content - (641)
Weakness BaseWeakness BaseWeakness Base Insufficient Locking - (667)
Weakness BaseWeakness BaseWeakness Base Insufficient Psychological Acceptability - (655)
Weakness BaseWeakness BaseWeakness Base Insufficient Resource Locking - (413)
Weakness BaseWeakness BaseWeakness Base Insufficient Resource Pool - (410)
Weakness BaseWeakness BaseWeakness Base Insufficient Session Expiration - (613)
Weakness BaseWeakness BaseWeakness Base Insufficient Synchronization - (662)
Weakness BaseWeakness BaseWeakness Base Insufficient Type Distinction - (351)
Weakness BaseWeakness BaseWeakness Base Insufficient UI Warning of Dangerous Operations - (357)
Weakness ClassWeakness ClassWeakness Class Insufficient Verification of Data Authenticity - (345)
Weakness BaseWeakness BaseWeakness Base Insufficiently Protected Credentials - (522)
CategoryCategory Integer Coercion Error - (192)
Weakness BaseWeakness BaseWeakness Base Integer Overflow or Wraparound - (190)
Compound Element: ChainCompound Element: Chain Integer Overflow to Buffer Overflow - (680)
Weakness BaseWeakness BaseWeakness Base Integer Underflow (Wrap or Wraparound) - (191)
Weakness BaseWeakness BaseWeakness Base Intended Information Leak - (213)
Weakness ClassWeakness ClassWeakness Class Interaction Error - (435)
Weakness VariantWeakness VariantWeakness Variant Internal Behavioral Inconsistency Information Leak - (206)
Weakness BaseWeakness BaseWeakness Base Interpretation Conflict - (436)
Weakness VariantWeakness VariantWeakness Variant J2EE Bad Practices: Direct Management of Connections - (245)
Weakness VariantWeakness VariantWeakness Variant J2EE Bad Practices: Direct Use of Sockets - (246)
Weakness VariantWeakness VariantWeakness Variant J2EE Bad Practices: Direct Use of Threads - (383)
Weakness VariantWeakness VariantWeakness Variant J2EE Bad Practices: Non-serializable Object Stored in Session - (579)
Weakness VariantWeakness VariantWeakness Variant J2EE Bad Practices: Use of System.exit() - (382)
Weakness VariantWeakness VariantWeakness Variant J2EE Framework: Saving Unserializable Objects to Disk - (594)
Weakness VariantWeakness VariantWeakness Variant J2EE Misconfiguration: Data Transmission Without Encryption - (5)
Weakness VariantWeakness VariantWeakness Variant J2EE Misconfiguration: Entity Bean Declared Remote - (8)
Weakness VariantWeakness VariantWeakness Variant J2EE Misconfiguration: Insufficient Session-ID Length - (6)
Weakness VariantWeakness VariantWeakness Variant J2EE Misconfiguration: Missing Custom Error Page - (7)
Weakness VariantWeakness VariantWeakness Variant J2EE Misconfiguration: Plaintext Password in Configuration File - (555)
Weakness VariantWeakness VariantWeakness Variant J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)
Weakness BaseWeakness BaseWeakness Base Key Exchange without Entity Authentication - (322)
Weakness ClassWeakness ClassWeakness Class Lack of Administrator Control over Security - (671)
Weakness BaseWeakness BaseWeakness Base Least Privilege Violation - (272)
Weakness BaseWeakness BaseWeakness Base Leftover Debug Code - (489)
Weakness BaseWeakness BaseWeakness Base Logic/Time Bomb - (511)
Weakness BaseWeakness BaseWeakness Base Misinterpretation of Input - (115)
Weakness VariantWeakness VariantWeakness Variant Mismatched Memory Management Routines - (762)
Weakness BaseWeakness BaseWeakness Base Missing Check for Certificate Revocation after Initial Check - (370)
Weakness BaseWeakness BaseWeakness Base Missing Critical Step in Authentication - (304)
Weakness ClassWeakness ClassWeakness Class Missing Custom Error Page - (756)
Weakness VariantWeakness VariantWeakness Variant Missing Default Case in Switch Statement - (478)
Weakness BaseWeakness BaseWeakness Base Missing Handler - (431)
Weakness BaseWeakness BaseWeakness Base Missing Initialization - (456)
Weakness BaseWeakness BaseWeakness Base Missing Lock Check - (414)
Weakness VariantWeakness VariantWeakness Variant Missing Password Field Masking - (549)
Weakness BaseWeakness BaseWeakness Base Missing Reference to Active Allocated Resource - (771)
Weakness VariantWeakness VariantWeakness Variant Missing Reference to Active File Descriptor or Handle - (773)
Weakness VariantWeakness VariantWeakness Variant Missing Release of File Descriptor or Handle after Effective Lifetime - (775)
Weakness BaseWeakness BaseWeakness Base Missing Release of Resource after Effective Lifetime - (772)
Weakness BaseWeakness BaseWeakness Base Missing Required Cryptographic Step - (325)
Weakness BaseWeakness BaseWeakness Base Missing XML Validation - (112)
Weakness BaseWeakness BaseWeakness Base Modification of Assumed-Immutable Data (MAID) - (471)
Weakness BaseWeakness BaseWeakness Base Multiple Binds to the Same Port - (605)
Weakness BaseWeakness BaseWeakness Base Multiple Interpretations of UI Input - (450)
Weakness VariantWeakness VariantWeakness Variant Multiple Locks of a Critical Resource - (764)
Weakness VariantWeakness VariantWeakness Variant Multiple Unlocks of a Critical Resource - (765)
Weakness BaseWeakness BaseWeakness Base Mutable Objects Passed by Reference - (374)
Weakness VariantWeakness VariantWeakness Variant .NET Misconfiguration: Use of Impersonation - (520)
Weakness VariantWeakness VariantWeakness Variant No Authentication for Critical Function - (306)
Weakness BaseWeakness BaseWeakness Base Non-exit on Failed Initialization - (455)
Weakness BaseWeakness BaseWeakness Base Non-Replicating Malicious Code - (508)
Weakness ClassWeakness ClassWeakness Class Not Failing Securely ('Failing Open') - (636)
Weakness VariantWeakness VariantWeakness Variant Not Using a Random IV with CBC Mode - (329)
Weakness VariantWeakness VariantWeakness Variant Not Using Password Aging - (262)
Weakness VariantWeakness VariantWeakness Variant Null Byte Interaction Error (Poison Null Byte) - (626)
Weakness BaseWeakness BaseWeakness Base NULL Pointer Dereference - (476)
Weakness BaseWeakness BaseWeakness Base Numeric Truncation Error - (197)
Weakness BaseWeakness BaseWeakness Base Object Model Violation: Just One of Equals and Hashcode Defined - (581)
Weakness BaseWeakness BaseWeakness Base Obscured Security-relevant Information by Alternate Name - (224)
Weakness BaseWeakness BaseWeakness Base Obsolete Feature in UI - (448)
Weakness BaseWeakness BaseWeakness Base Off-by-one Error - (193)
Weakness VariantWeakness VariantWeakness Variant Often Misused: Path Manipulation - (249)
Weakness BaseWeakness BaseWeakness Base Omission of Security-relevant Information - (223)
Weakness BaseWeakness BaseWeakness Base Omitted Break Statement in Switch - (484)
Weakness BaseWeakness BaseWeakness Base Operation on Resource in Wrong Phase of Lifetime - (666)
Weakness BaseWeakness BaseWeakness Base Origin Validation Error - (346)
Weakness BaseWeakness BaseWeakness Base Out-of-bounds Read - (125)
Weakness BaseWeakness BaseWeakness Base Overly Restrictive Account Lockout Mechanism - (645)
Weakness BaseWeakness BaseWeakness Base Overly Restrictive Regular Expression - (186)
Weakness ClassWeakness ClassWeakness Class Parameter Problems - (233)
Weakness BaseWeakness BaseWeakness Base Partial Comparison - (187)
Weakness BaseWeakness BaseWeakness Base Passing Mutable Objects to an Untrusted Method - (375)
Weakness BaseWeakness BaseWeakness Base Password Aging with Long Expiration - (263)
Weakness VariantWeakness VariantWeakness Variant Password in Configuration File - (260)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: ' filename (Leading Space) - (47)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: '/./' (Single Dot Directory) - (55)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: '//multiple/leading/slash' - (50)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: '/multiple//internal/slash' - (51)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: '/multiple/trailing/slash//' - (52)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: '\multiple\\internal\backslash' - (53)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'fakedir/../realdir/filename' - (57)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'file name' (Internal Whitespace) - (48)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'filedir*' (Wildcard) - (56)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'filedir\' (Trailing Backslash) - (54)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'filename ' (Trailing Space) - (46)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'file.name' (Internal Dot) - (44)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'file...name' (Multiple Internal Dot) - (45)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'filename....' (Multiple Trailing Dot) - (43)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'filename.' (Trailing Dot) - (42)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: 'filename/' (Trailing Slash) - (49)
Weakness VariantWeakness VariantWeakness Variant Path Equivalence: Windows 8.3 Filename - (58)
Weakness ClassWeakness ClassWeakness Class Path Traversal - (22)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '....' (Multiple Dot) - (33)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '...' (Triple Dot) - (32)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '....//' - (34)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '.../...//' - (35)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '/../filedir' - (25)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '/absolute/pathname/here' - (37)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '/dir/../filename' - (26)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '../filedir' - (24)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '\..\filename' - (29)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - (40)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '\absolute\pathname\here' - (38)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '\dir\..\filename' - (30)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: '..\filedir' - (28)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: 'C:dirname' - (39)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: 'dir/../../filename' - (27)
Weakness VariantWeakness VariantWeakness Variant Path Traversal: 'dir\..\..\filename' - (31)
CategoryCategory Permission Issues - (275)
Compound Element: CompositeCompound Element: Composite Permission Race Condition During Resource Copy - (689)
CategoryCategory Permissions, Privileges, and Access Controls - (264)
Weakness BaseWeakness BaseWeakness Base Permissive Regular Expression - (625)
Weakness BaseWeakness BaseWeakness Base Permissive Whitelist - (183)
Weakness VariantWeakness VariantWeakness Variant PHP External Variable Modification - (473)
Weakness VariantWeakness VariantWeakness Variant Plaintext Storage in a Cookie - (315)
Weakness VariantWeakness VariantWeakness Variant Plaintext Storage in a File or on Disk - (313)
Weakness VariantWeakness VariantWeakness Variant Plaintext Storage in Executable - (318)
Weakness VariantWeakness VariantWeakness Variant Plaintext Storage in GUI - (317)
Weakness VariantWeakness VariantWeakness Variant Plaintext Storage in Memory - (316)
Weakness VariantWeakness VariantWeakness Variant Plaintext Storage in the Registry - (314)
Weakness VariantWeakness VariantWeakness Variant Plaintext Storage of a Password - (256)
Weakness ClassWeakness ClassWeakness Class Predictability Problems - (340)
Weakness BaseWeakness BaseWeakness Base Predictable Exact Value from Previous Values - (342)
Weakness BaseWeakness BaseWeakness Base Predictable from Observable State - (341)
Weakness BaseWeakness BaseWeakness Base Predictable Seed in PRNG - (337)
Weakness BaseWeakness BaseWeakness Base Predictable Value Range from Previous Values - (343)
Weakness VariantWeakness VariantWeakness Variant Privacy Leak through Data Queries - (202)
Weakness ClassWeakness ClassWeakness Class Privacy Violation - (359)
Weakness VariantWeakness VariantWeakness Variant Private Array-Typed Field Returned From A Public Method - (495)
CategoryCategory Privilege / Sandbox Issues - (265)
Weakness BaseWeakness BaseWeakness Base Privilege Chaining - (268)
Weakness BaseWeakness BaseWeakness Base Privilege Context Switching Error - (270)
Weakness BaseWeakness BaseWeakness Base Privilege Defined With Unsafe Actions - (267)
Weakness ClassWeakness ClassWeakness Class Privilege Dropping / Lowering Errors - (271)
Weakness ClassWeakness ClassWeakness Class PRNG Seed Error - (335)
Weakness BaseWeakness BaseWeakness Base Process Control - (114)
Weakness VariantWeakness VariantWeakness Variant Process Environment Information Leak - (214)
Weakness BaseWeakness BaseWeakness Base Product UI does not Warn User of Unsafe Actions - (356)
Weakness BaseWeakness BaseWeakness Base Product-External Error Message Information Leak - (211)
Weakness BaseWeakness BaseWeakness Base Product-Generated Error Message Information Leak - (210)
Weakness ClassWeakness ClassWeakness Class Protection Mechanism Failure - (693)
Weakness VariantWeakness VariantWeakness Variant Public cloneable() Method Without Final ('Object Hijack') - (491)
Weakness VariantWeakness VariantWeakness Variant Public Data Assigned to Private Array-Typed Field - (496)
Weakness VariantWeakness VariantWeakness Variant Public Static Field Not Marked Final - (500)
Weakness VariantWeakness VariantWeakness Variant Public Static Final Field References Mutable Object - (607)
Weakness ClassWeakness ClassWeakness Class Race Condition - (362)
Weakness BaseWeakness BaseWeakness Base Race Condition During Access to Alternate Channel - (421)
Weakness BaseWeakness BaseWeakness Base Race Condition Enabling Link Following - (363)
Weakness BaseWeakness BaseWeakness Base Race Condition in Switch - (365)
Weakness BaseWeakness BaseWeakness Base Race Condition within a Thread - (366)
Weakness VariantWeakness VariantWeakness Variant Reachable Assertion - (617)
Weakness BaseWeakness BaseWeakness Base Redirect Without Exit - (698)
Weakness VariantWeakness VariantWeakness Variant Reflection Attack in an Authentication Protocol - (301)
Weakness BaseWeakness BaseWeakness Base Relative Path Traversal - (23)
Weakness BaseWeakness BaseWeakness Base Release of Invalid Pointer or Reference - (763)
Weakness BaseWeakness BaseWeakness Base Reliance on a Single Factor in a Security Decision - (654)
Weakness BaseWeakness BaseWeakness Base Reliance on Data/Memory Layout - (188)
Weakness VariantWeakness VariantWeakness Variant Reliance on DNS Lookups in a Security Decision - (247)
Weakness VariantWeakness VariantWeakness Variant Reliance on File Name or Extension of Externally-Supplied File - (646)
Weakness BaseWeakness BaseWeakness Base Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking - (649)
Weakness VariantWeakness VariantWeakness Variant Reliance on Package-level Scope - (487)
Weakness BaseWeakness BaseWeakness Base Reliance on Security through Obscurity - (656)
Weakness ClassWeakness ClassWeakness Class Reliance on Undefined, Unspecified, or Implementation-Defined Behavior - (758)
Weakness BaseWeakness BaseWeakness Base Replicating Malicious Code (Virus or Worm) - (509)
Weakness BaseWeakness BaseWeakness Base Response Discrepancy Information Leak - (204)
Weakness BaseWeakness BaseWeakness Base Return Inside Finally Block - (584)
Weakness BaseWeakness BaseWeakness Base Return of Pointer Value Outside of Expected Range - (466)
Weakness BaseWeakness BaseWeakness Base Return of Stack Variable Address - (562)
Weakness BaseWeakness BaseWeakness Base Return of Wrong Status Code - (393)
Weakness BaseWeakness BaseWeakness Base Reusing a Nonce, Key Pair in Encryption - (323)
Weakness BaseWeakness BaseWeakness Base Reversible One-Way Hash - (328)
Weakness BaseWeakness BaseWeakness Base Same Seed in PRNG - (336)
Weakness ClassWeakness ClassWeakness Class Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - (757)
Weakness VariantWeakness VariantWeakness Variant Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - (614)
Weakness VariantWeakness VariantWeakness Variant Sensitive Data Storage in Improperly Locked Memory - (591)
Weakness VariantWeakness VariantWeakness Variant Sensitive Data Under FTP Root - (220)
Weakness VariantWeakness VariantWeakness Variant Sensitive Data Under Web Root - (219)
Weakness BaseWeakness BaseWeakness Base Sensitive Information Uncleared Before Release - (226)
Weakness VariantWeakness VariantWeakness Variant Serializable Class Containing Sensitive Data - (499)
Compound Element: CompositeCompound Element: Composite Session Fixation - (384)
Weakness BaseWeakness BaseWeakness Base Signal Handler Race Condition - (364)
Weakness VariantWeakness VariantWeakness Variant Signed to Unsigned Conversion Error - (195)
Weakness BaseWeakness BaseWeakness Base Small Seed Space in PRNG - (339)
Weakness BaseWeakness BaseWeakness Base Small Space of Random Values - (334)
Weakness BaseWeakness BaseWeakness Base Spyware - (512)
Weakness VariantWeakness VariantWeakness Variant SQL Injection: Hibernate - (564)
Weakness VariantWeakness VariantWeakness Variant Stack-based Buffer Overflow - (121)
CategoryCategory State Issues - (371)
Weakness BaseWeakness BaseWeakness Base State Synchronization Error - (373)
Weakness BaseWeakness BaseWeakness Base Storing Passwords in a Recoverable Format - (257)
Weakness VariantWeakness VariantWeakness Variant Struts: Duplicate Validation Forms - (102)
Weakness VariantWeakness VariantWeakness Variant Struts: Form Bean Does Not Extend Validation Class - (104)
Weakness VariantWeakness VariantWeakness Variant Struts: Form Field Without Validator - (105)
Weakness VariantWeakness VariantWeakness Variant Struts: Incomplete validate() Method Definition - (103)
Weakness VariantWeakness VariantWeakness Variant Struts: Non-private Field in ActionForm Class - (608)
Weakness VariantWeakness VariantWeakness Variant Struts: Plug-in Framework not in Use - (106)
Weakness VariantWeakness VariantWeakness Variant Struts: Unused Validation Form - (107)
Weakness VariantWeakness VariantWeakness Variant Struts: Unvalidated Action Form - (108)
Weakness VariantWeakness VariantWeakness Variant Struts: Validator Turned Off - (109)
Weakness VariantWeakness VariantWeakness Variant Struts: Validator Without Form Field - (110)
Weakness VariantWeakness VariantWeakness Variant Suspicious Comment - (546)
Weakness BaseWeakness BaseWeakness Base Symbolic Name not Mapping to Correct Object - (386)
Weakness ClassWeakness ClassWeakness Class Technology-Specific Input Validation Problems - (100)
Weakness BaseWeakness BaseWeakness Base The UI Performs the Wrong Action - (449)
Weakness BaseWeakness BaseWeakness Base Time-of-check Time-of-use (TOCTOU) Race Condition - (367)
Weakness BaseWeakness BaseWeakness Base Timing Discrepancy Information Leak - (208)
Weakness ClassWeakness ClassWeakness Class Transmission of Private Resources into a New Sphere ('Resource Leak') - (402)
Weakness BaseWeakness BaseWeakness Base Trapdoor - (510)
Weakness BaseWeakness BaseWeakness Base Trojan Horse - (507)
Weakness BaseWeakness BaseWeakness Base Truncation of Security-relevant Information - (222)
Weakness BaseWeakness BaseWeakness Base Trust Boundary Violation - (501)
Weakness VariantWeakness VariantWeakness Variant Trust of OpenSSL Certificate Without Validation - (599)
Weakness BaseWeakness BaseWeakness Base Trust of System Event Data - (360)
Weakness VariantWeakness VariantWeakness Variant Trusting HTTP Permission Methods on the Server Side - (650)
Weakness VariantWeakness VariantWeakness Variant Trusting Self-reported DNS Name - (292)
Compound Element: CompositeCompound Element: Composite Trusting Self-reported IP Address - (291)
Weakness BaseWeakness BaseWeakness Base UI Discrepancy for Security Feature - (446)
Weakness BaseWeakness BaseWeakness Base UI Misrepresentation of Critical Information - (451)
Weakness BaseWeakness BaseWeakness Base Uncaught Exception - (248)
Weakness BaseWeakness BaseWeakness Base Unchecked Array Indexing - (129)
Weakness BaseWeakness BaseWeakness Base Unchecked Error Condition - (391)
Weakness BaseWeakness BaseWeakness Base Unchecked Input for Loop Condition - (606)
Weakness BaseWeakness BaseWeakness Base Unchecked Return Value - (252)
Compound Element: ChainCompound Element: Chain Unchecked Return Value to NULL Pointer Dereference - (690)
Weakness BaseWeakness BaseWeakness Base Uncontrolled Format String - (134)
Weakness BaseWeakness BaseWeakness Base Uncontrolled Recursion - (674)
Weakness BaseWeakness BaseWeakness Base Uncontrolled Resource Consumption ('Resource Exhaustion') - (400)
Weakness BaseWeakness BaseWeakness Base Uncontrolled Search Path Element - (427)
Weakness BaseWeakness BaseWeakness Base Undefined Behavior for Input to API - (475)
Weakness BaseWeakness BaseWeakness Base Unexpected Sign Extension - (194)
Weakness BaseWeakness BaseWeakness Base Unexpected Status Code or Return Value - (394)
Weakness BaseWeakness BaseWeakness Base Unimplemented or Unsupported Feature in UI - (447)
Weakness BaseWeakness BaseWeakness Base Unintended Proxy/Intermediary - (441)
Weakness BaseWeakness BaseWeakness Base UNIX File Descriptor Leak - (403)
Weakness VariantWeakness VariantWeakness Variant UNIX Hard Link - (62)
Compound Element: CompositeCompound Element: Composite UNIX Symbolic Link (Symlink) Following - (61)
Weakness VariantWeakness VariantWeakness Variant Unparsed Raw Web Content Delivery - (433)
Weakness BaseWeakness BaseWeakness Base Unprotected Alternate Channel - (420)
Weakness BaseWeakness BaseWeakness Base Unprotected Primary Channel - (419)
Weakness VariantWeakness VariantWeakness Variant Unprotected Transport of Credentials - (523)
Weakness VariantWeakness VariantWeakness Variant Unprotected Windows Messaging Channel ('Shatter') - (422)
Weakness BaseWeakness BaseWeakness Base Unquoted Search Path or Element - (428)
Compound Element: CompositeCompound Element: Composite Unrestricted File Upload - (434)
Weakness BaseWeakness BaseWeakness Base Unrestricted Lock on Critical Resource - (412)
Weakness VariantWeakness VariantWeakness Variant Unsafe ActiveX Control Marked Safe For Scripting - (623)
Weakness VariantWeakness VariantWeakness Variant Unsafe Function Call from a Signal Handler - (479)
Weakness VariantWeakness VariantWeakness Variant Unsigned to Signed Conversion Error - (196)
Weakness BaseWeakness BaseWeakness Base Unsynchronized Access to Shared Data - (567)
Compound Element: CompositeCompound Element: Composite Untrusted Search Path - (426)
Weakness VariantWeakness VariantWeakness Variant Unused Variable - (563)
Weakness VariantWeakness VariantWeakness Variant Unvalidated Function Hook Arguments - (622)
Weakness BaseWeakness BaseWeakness Base Unverified Ownership - (283)
Weakness VariantWeakness VariantWeakness Variant Unverified Password Change - (620)
Weakness VariantWeakness VariantWeakness Variant URL Redirection to Untrusted Site ('Open Redirect') - (601)
Weakness BaseWeakness BaseWeakness Base Use After Free - (416)
Weakness BaseWeakness BaseWeakness Base Use of a Broken or Risky Cryptographic Algorithm - (327)
Weakness BaseWeakness BaseWeakness Base Use of a Key Past its Expiration Date - (324)
Weakness BaseWeakness BaseWeakness Base Use of a Non-reentrant Function in an Unsynchronized Context - (663)
Weakness ClassWeakness ClassWeakness Class Use of a One-Way Hash with a Predictable Salt - (760)
Weakness ClassWeakness ClassWeakness Class Use of a One-Way Hash without a Salt - (759)
Weakness BaseWeakness BaseWeakness Base Use of a Resource after Expiration or Release - (672)
Weakness BaseWeakness BaseWeakness Base Use of Client-Side Authentication - (603)
Weakness BaseWeakness BaseWeakness Base Use of Cookies in Security Decision - (565)
Weakness BaseWeakness BaseWeakness Base Use of Cryptographically Weak PRNG - (338)
Weakness VariantWeakness VariantWeakness Variant Use of Dynamic Class Loading - (545)
Weakness BaseWeakness BaseWeakness Base Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - (470)
Weakness BaseWeakness BaseWeakness Base Use of Function with Inconsistent Implementations - (474)
Weakness VariantWeakness VariantWeakness Variant Use of getlogin() in Multithreaded Application - (558)
Weakness BaseWeakness BaseWeakness Base Use of Hard-coded Cryptographic Key - (321)
Weakness VariantWeakness VariantWeakness Variant Use of Hard-coded, Security-relevant Constants - (547)
Weakness BaseWeakness BaseWeakness Base Use of Incorrect Byte Ordering - (198)
Weakness BaseWeakness BaseWeakness Base Use of Incorrect Operator - (480)
Weakness ClassWeakness ClassWeakness Class Use of Incorrectly-Resolved Name or Reference - (706)
Weakness BaseWeakness BaseWeakness Base Use of Inherently Dangerous Function - (242)
Weakness VariantWeakness VariantWeakness Variant Use of Inner Class Containing Sensitive Data - (492)
Weakness ClassWeakness ClassWeakness Class Use of Insufficiently Random Values - (330)
Weakness BaseWeakness BaseWeakness Base Use of Invariant Value in Dynamically Changing Context - (344)
Weakness BaseWeakness BaseWeakness Base Use of Less Trusted Source - (348)
Weakness BaseWeakness BaseWeakness Base Use of Low-Level Functionality - (695)
Weakness BaseWeakness BaseWeakness Base Use of Multiple Resources with Duplicate Identifier - (694)
Weakness VariantWeakness VariantWeakness Variant Use of Non-Canonical URL Paths for Authorization Decisions - (647)
Weakness BaseWeakness BaseWeakness Base Use of NullPointerException Catch to Detect NULL Pointer Dereference - (395)
Weakness BaseWeakness BaseWeakness Base Use of Obsolete Functions - (477)
Weakness BaseWeakness BaseWeakness Base Use of Password System for Primary Authentication - (309)
Weakness BaseWeakness BaseWeakness Base Use of Pointer Subtraction to Determine Size - (469)
Weakness BaseWeakness BaseWeakness Base Use of Potentially Dangerous Function - (676)
Weakness BaseWeakness BaseWeakness Base Use of Single-factor Authentication - (308)
Weakness VariantWeakness VariantWeakness Variant Use of Singleton Pattern in a Non-thread-safe Manner - (543)
Weakness VariantWeakness VariantWeakness Variant Use of sizeof() on a Pointer Type - (467)
Weakness VariantWeakness VariantWeakness Variant Use of umask() with chmod-style Argument - (560)
Weakness VariantWeakness VariantWeakness Variant Use of Uninitialized Variable - (457)
Weakness VariantWeakness VariantWeakness Variant Use of Wrong Operator in String Comparison - (597)
Weakness VariantWeakness VariantWeakness Variant Using Referer Field for Authentication - (293)
Weakness BaseWeakness BaseWeakness Base Variable Extraction Error - (621)
Weakness ClassWeakness ClassWeakness Class Violation of Secure Design Principles - (657)
Weakness VariantWeakness VariantWeakness Variant Weak Cryptography for Passwords - (261)
Weakness ClassWeakness ClassWeakness Class Weak Encryption - (326)
Weakness BaseWeakness BaseWeakness Base Weak Password Recovery Mechanism for Forgotten Password - (640)
Weakness BaseWeakness BaseWeakness Base Weak Password Requirements - (521)
Weakness VariantWeakness VariantWeakness Variant Windows Hard Link - (65)
Weakness VariantWeakness VariantWeakness Variant Windows Shortcut Following (.LNK) - (64)
Weakness BaseWeakness BaseWeakness Base Wrap-around Error - (128)
Weakness BaseWeakness BaseWeakness Base Write-what-where Condition - (123)
Weakness BaseWeakness BaseWeakness Base XML Injection (aka Blind XPath Injection) - (91)
Page Last Updated: May 26, 2009