CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE-699: Development Concepts (CWE version 2.6)

View ID: 699 (View: Graph)
Status: Incomplete

View Data

View Objective

This view organizes weaknesses around concepts that are frequently used or encountered in software development. Accordingly, this view can align closely with the perspectives of developers, educators, and assessment vendors. It borrows heavily from the organizational structure used by Seven Pernicious Kingdoms, but it also provides a variety of other categories that are intended to simplify navigation, browsing, and mapping.

View Metrics

                    CWEs in this view   Total CWEs
Total               754                 out of 943
Views               4                   out of 31
Categories          65                  out of 187
Weaknesses          680                 out of 717
Compound_Elements   5                   out of 8
View Audience

Stakeholder          Description
Assessment_Vendors
Developers
Educators
Relationships

Nature      Type       ID    Name                                           View(s) this relationship pertains to
HasMember   Category   1     Location                                       Development Concepts (primary) 699
HasMember   Category   504   Motivation/Intent                              Development Concepts (primary) 699
HasMember   View       629   Weaknesses in OWASP Top Ten (2007)             Development Concepts (primary) 699
HasMember   View       631   Resource-specific Weaknesses                   Development Concepts (primary) 699
HasMember   View       701   Weaknesses Introduced During Design            Development Concepts (primary) 699
HasMember   View       702   Weaknesses Introduced During Implementation    Development Concepts (primary) 699
Content History

Submissions
Submission Date   Submitter   Organization        Source
2008-09-09        MITRE       Internal CWE Team

Weakness Base: Absolute Path Traversal - (36)
Weakness Base: Acceptance of Extraneous Untrusted Data With Trusted Data - (349)
Weakness Base: Access of Memory Location After End of Buffer - (788)
Weakness Base: Access of Memory Location Before Start of Buffer - (786)
Weakness Base: Access of Resource Using Incompatible Type ('Type Confusion') - (843)
Weakness Base: Access of Uninitialized Pointer - (824)
Weakness Variant: Access to Critical Private Variable via Public Method - (767)
Weakness Base: Addition of Data Structure Sentinel - (464)
Weakness Base: Algorithmic Complexity - (407)
Weakness Variant: Allocation of File Descriptors or Handles Without Limits or Throttling - (774)
Weakness Base: Allocation of Resources Without Limits or Throttling - (770)
Weakness Variant: Apple '.DS_Store' - (71)
Weakness Base: Argument Injection or Modification - (88)
Weakness Variant: Array Declared Public, Final, and Static - (582)
Category: ASP.NET Environment Issues - (10)
Weakness Variant: ASP.NET Misconfiguration: Creating Debug Binary - (11)
Weakness Variant: ASP.NET Misconfiguration: Missing Custom Error Page - (12)
Weakness Variant: ASP.NET Misconfiguration: Not Using Input Validation Framework - (554)
Weakness Variant: ASP.NET Misconfiguration: Password in Configuration File - (13)
Weakness Variant: ASP.NET Misconfiguration: Use of Identity Impersonation - (556)
Weakness Variant: Assigning instead of Comparing - (481)
Weakness Base: Assignment of a Fixed Address to a Pointer - (587)
Weakness Class: Asymmetric Resource Consumption (Amplification) - (405)
Weakness Variant: Attempt to Access Child of a Non-structure Pointer - (588)
Weakness Variant: Authentication Bypass by Alternate Name - (289)
Weakness Variant: Authentication Bypass by Assumed-Immutable Data - (302)
Weakness Base: Authentication Bypass by Capture-replay - (294)
Weakness Base: Authentication Bypass by Primary Weakness - (305)
Weakness Base: Authentication Bypass by Spoofing - (290)
Weakness Class: Authentication Bypass Issues - (592)
Weakness Base: Authentication Bypass Using an Alternate Path or Channel - (288)
Weakness Variant: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created - (593)
Weakness Base: Authorization Bypass Through User-Controlled Key - (639)
Weakness Variant: Authorization Bypass Through User-Controlled SQL Primary Key - (566)
Weakness Base: Behavioral Change in New Version or Environment - (439)
Category: Behavioral Problems - (438)
Weakness Variant: Buffer Access Using Size of Source Buffer - (806)
Weakness Base: Buffer Access with Incorrect Length Value - (805)
Weakness Base: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
Weakness Variant: Buffer Over-read - (126)
Weakness Variant: Buffer Under-read - (127)
Weakness Base: Buffer Underwrite ('Buffer Underflow') - (124)
Category: Business Logic Errors - (840)
Category: Byte/Object Code - (503)
Weakness Variant: Call to Non-ubiquitous API - (589)
Weakness Variant: Call to Thread run() instead of start() - (572)
Weakness Class: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - (300)
Category: Channel and Path Errors - (417)
Category: Channel Errors - (418)
Category: Cleansing, Canonicalization, and Comparison Errors - (171)
Weakness Variant: Cleartext Storage in a File or on Disk - (313)
Weakness Variant: Cleartext Storage in the Registry - (314)
Weakness Base: Cleartext Storage of Sensitive Information - (312)
Weakness Variant: Cleartext Storage of Sensitive Information in a Cookie - (315)
Weakness Variant: Cleartext Storage of Sensitive Information in Executable - (318)
Weakness Variant: Cleartext Storage of Sensitive Information in GUI - (317)
Weakness Variant: Cleartext Storage of Sensitive Information in Memory - (316)
Weakness Base: Cleartext Transmission of Sensitive Information - (319)
Weakness Base: Client-Side Enforcement of Server-Side Security - (602)
Weakness Variant: clone() Method Without super.clone() - (580)
Weakness Variant: Cloneable Class Containing Sensitive Information - (498)
Category: Code - (17)
Weakness Base: Collapse of Data into Unsafe Value - (182)
Weakness Variant: Command Shell in Externally Accessible Directory - (553)
Weakness Variant: Comparing instead of Assigning - (482)
Weakness Variant: Comparison of Classes by Name - (486)
Weakness Base: Comparison of Object References Instead of Object Contents - (595)
Weakness Base: Compiler Removal of Code to Clear Buffers - (14)
Category: Concurrency Issues - (557)
Weakness Class: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)
Category: Configuration - (16)
Weakness Class: Containment Errors (Container Errors) - (216)
Weakness Base: Context Switching Race Condition - (368)
Weakness Class: Covert Channel - (514)
Weakness Base: Covert Storage Channel - (515)
Weakness Base: Covert Timing Channel - (385)
Weakness Variant: Creation of chroot Jail Without Changing Working Directory - (243)
Weakness Base: Creation of Temporary File in Directory with Incorrect Permissions - (379)
Weakness Base: Creation of Temporary File With Insecure Permissions - (378)
Category: Credentials Management - (255)
Weakness Variant: Critical Public Variable Without Final Modifier - (493)
Weakness Variant: Critical Variable Declared Public - (766)
Compound Element (Composite): Cross-Site Request Forgery (CSRF) - (352)
Category: Cryptographic Issues - (310)
Weakness Base: Dangerous Signal Handler not Disabled During Sensitive Operations - (432)
Weakness Base: Dangling Database Cursor ('Cursor Injection') - (619)
Category: Data Handling - (19)
Category: Data Structure Issues - (461)
Weakness Variant: Dead Code - (561)
Weakness Base: Deadlock - (833)
Weakness Base: Declaration of Catch for Generic Exception - (396)
Weakness Base: Declaration of Throws for Generic Exception - (397)
Weakness Base: Deletion of Data Structure Sentinel - (463)
Weakness Base: Deployment of Wrong Handler - (430)
Weakness Variant: Deserialization of Untrusted Data - (502)
Weakness Class: Detection of Error Condition Without Action - (390)
Weakness Base: Direct Request ('Forced Browsing') - (425)
Weakness Base: Direct Use of Unsafe JNI - (111)
Weakness Base: Divide By Zero - (369)
Weakness Variant: Double Decoding of the Same Data - (174)
Weakness Variant: Double Free - (415)
Weakness Base: Double-Checked Locking - (609)
Weakness Variant: Doubled Character XSS Manipulations - (85)
Weakness Base: Download of Code Without Integrity Check - (494)
Weakness Base: Duplicate Key in Associative List (Alist) - (462)
Weakness Base: Dynamic Variable Evaluation - (627)
Weakness Variant: EJB Bad Practices: Use of AWT Swing - (575)
Weakness Variant: EJB Bad Practices: Use of Class Loader - (578)
Weakness Variant: EJB Bad Practices: Use of Java I/O - (576)
Weakness Variant: EJB Bad Practices: Use of Sockets - (577)
Weakness Variant: EJB Bad Practices: Use of Synchronization Primitives - (574)
Weakness Class: Embedded Malicious Code - (506)
Weakness Variant: Empty Password in Configuration File - (258)
Weakness Variant: Empty Synchronized Block - (585)
Weakness Class: Encoding Error - (172)
Category: Environment - (2)
Category: Error Conditions, Return Values, Status Codes - (389)
Category: Error Handling - (388)
Weakness Base: Excessive Iteration - (834)
Weakness Base: Executable Regular Expression Error - (624)
Weakness Base: Execution After Redirect (EAR) - (698)
Weakness Class: Execution with Unnecessary Privileges - (250)
Weakness Base: Expected Behavior Violation - (440)
Weakness Base: Expired Pointer Dereference - (825)
Weakness Variant: Explicit Call to Finalize() - (586)
Weakness Base: Exposed Dangerous Method or Function - (749)
Weakness Variant: Exposed IOCTL with Insufficient Access Control - (782)
Weakness Base: Exposed Unsafe ActiveX Method - (618)
Weakness Variant: Exposure of Access Control List Files to an Unauthorized Control Sphere - (529)
Weakness Variant: Exposure of Backup File to an Unauthorized Control Sphere - (530)
Weakness Variant: Exposure of Core Dump File to an Unauthorized Control Sphere - (528)
Weakness Variant: Exposure of CVS Repository to an Unauthorized Control Sphere - (527)
Weakness Variant: Exposure of Data Element to Wrong Session - (488)
Weakness Base: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') - (403)
Weakness Class: Exposure of Private Information ('Privacy Violation') - (359)
Weakness Class: Exposure of Resource to Wrong Sphere - (668)
Weakness Variant: Exposure of Sensitive Data Through Data Queries - (202)
Weakness Variant: Exposure of System Data to an Unauthorized Control Sphere - (497)
Weakness Variant: Expression is Always False - (570)
Weakness Variant: Expression is Always True - (571)
Category: Expression Issues - (569)
Weakness Base: External Control of Assumed-Immutable Web Parameter - (472)
Weakness Class: External Control of Critical State Data - (642)
Weakness Class: External Control of File Name or Path - (73)
Weakness Base: External Control of System or Configuration Setting - (15)
Weakness Class: External Influence of Sphere Definition - (673)
Weakness Base: External Initialization of Trusted Variables or Data Stores - (454)
Weakness Class: Externally Controlled Reference to a Resource in Another Sphere - (610)
Weakness Variant: Failure to Handle Incomplete Element - (239)
Weakness Variant: Failure to Handle Missing Parameter - (234)
Weakness Variant: Failure to Sanitize Paired Delimiters - (157)
Weakness Class: Failure to Sanitize Special Element - (159)
Weakness Class: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - (75)
Weakness Base: File and Directory Information Exposure - (538)
Category: File Descriptor Exhaustion - (769)
Weakness Base: Files or Directories Accessible to External Parties - (552)
Weakness Variant: finalize() Method Declared Public - (583)
Weakness Variant: finalize() Method Without super.finalize() - (568)
Weakness Variant: Free of Memory not on the Heap - (590)
Weakness Variant: Free of Pointer not at Start of Buffer - (761)
Weakness Variant: Function Call With Incorrect Argument Type - (686)
Weakness Variant: Function Call With Incorrect Number of Arguments - (685)
Weakness Variant: Function Call With Incorrect Order of Arguments - (683)
Weakness Variant: Function Call With Incorrect Variable or Reference as Argument - (688)
Weakness Variant: Function Call With Incorrectly Specified Argument Value - (687)
Weakness Base: Function Call with Incorrectly Specified Arguments - (628)
Weakness Base: Guessable CAPTCHA - (804)
Category: Handler Errors - (429)
Weakness Variant: Heap-based Buffer Overflow - (122)
Weakness Class: Hidden Functionality - (912)
Weakness Class: Improper Access Control - (284)
Weakness Class: Improper Access of Indexable Resource ('Range Error') - (118)
Weakness Variant: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code - (781)
Weakness Class: Improper Authentication - (287)
Weakness Class: Improper Authorization - (285)
Weakness Base: Improper Certificate Validation - (295)
Weakness Variant: Improper Check for Certificate Revocation - (299)
Weakness Base: Improper Check for Dropped Privileges - (273)
Weakness Class: Improper Check for Unusual or Exceptional Conditions - (754)
Weakness Variant: Improper Cleanup on Thrown Exception - (460)
Weakness Variant: Improper Clearing of Heap Memory Before Release ('Heap Inspection') - (244)
Weakness Class: Improper Control of a Resource Through its Lifetime - (664)
Weakness Base: Improper Control of Document Type Definition - (827)
Weakness Base: Improper Control of Dynamically-Identified Variables - (914)
Weakness Class: Improper Control of Dynamically-Managed Code Resources - (913)
Weakness Base: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') - (98)
Weakness Class: Improper Control of Generation of Code ('Code Injection') - (94)
Weakness Class: Improper Control of Interaction Frequency - (799)
Weakness Base: Improper Control of Resource Identifiers ('Resource Injection') - (99)
Weakness Base: Improper Cross-boundary Removal of Sensitive Data - (212)
Weakness Class: Improper Encoding or Escaping of Output - (116)
Weakness Base: Improper Enforcement of a Single, Unique Action - (837)
Weakness Base: Improper Enforcement of Behavioral Workflow - (841)
Weakness Class: Improper Enforcement of Message Integrity During Transmission in a Communication Channel - (924)
Weakness Variant: Improper Export of Android Application Components - (926)
Weakness Base: Improper Following of a Certificate's Chain of Trust - (296)
Weakness Class: Improper Following of Specification by Caller - (573)
Weakness Class: Improper Fulfillment of API Contract ('API Abuse') - (227)
Weakness Base: Improper Handling of Additional Special Element - (167)
Weakness Variant: Improper Handling of Alternate Encoding - (173)
Weakness Variant: Improper Handling of Apple HFS+ Alternate Data Stream Path - (72)
Weakness Base: Improper Handling of Case Sensitivity - (178)
Weakness Variant: Improper Handling of Extra Parameters - (235)
Weakness Variant: Improper Handling of Extra Values - (231)
Weakness Base: Improper Handling of File Names that Identify Virtual Resources - (66)
Weakness Base: Improper Handling of Highly Compressed Data (Data Amplification) - (409)
Weakness Variant: Improper Handling of Incomplete Structural Elements - (238)
Weakness Base: Improper Handling of Inconsistent Special Elements - (168)
Weakness Variant: Improper Handling of Inconsistent Structural Elements - (240)
Weakness Variant: Improper Handling of Insufficient Entropy in TRNG - (333)
Weakness Base: Improper Handling of Insufficient Permissions or Privileges - (280)
Weakness Base: Improper Handling of Insufficient Privileges - (274)
Weakness Variant: Improper Handling of Length Parameter Inconsistency - (130)
Weakness Base: Improper Handling of Missing Special Element - (166)
Weakness Variant: Improper Handling of Missing Values - (230)
Weakness Variant: Improper Handling of Mixed Encoding - (175)
Weakness Base: Improper Handling of Parameters - (233)
Weakness Base: Improper Handling of Structural Elements - (237)
Weakness Class: Improper Handling of Syntactically Invalid Structure - (228)
Weakness Variant: Improper Handling of Undefined Parameters - (236)
Weakness Variant: Improper Handling of Undefined Values - (232)
Weakness Base: Improper Handling of Unexpected Data Type - (241)
Weakness Variant: Improper Handling of Unicode Encoding - (176)
Weakness Variant: Improper Handling of URL Encoding (Hex Encoding) - (177)
Weakness Base: Improper Handling of Values - (229)
Weakness Variant: Improper Handling of Windows ::DATA Alternate Data Stream - (69)
Weakness Variant: Improper Handling of Windows Device Names - (67)
Weakness Base: Improper Initialization - (665)
Weakness Class: Improper Input Validation - (20)
Weakness Class: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
Weakness Base: Improper Link Resolution Before File Access ('Link Following') - (59)
Weakness Base: Improper Locking - (667)
Weakness Variant: Improper Neutralization of Alternate XSS Syntax - (87)
Weakness Variant: Improper Neutralization of Comment Delimiters - (151)
Weakness Base: Improper Neutralization of CRLF Sequences ('CRLF Injection') - (93)
Weakness Base: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') - (113)
Weakness Base: Improper Neutralization of Data within XPath Expressions ('XPath Injection') - (643)
Weakness Base: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') - (652)
Weakness Base: Improper Neutralization of Delimiters - (140)
Weakness Base: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)
Weakness Base: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - (96)
Weakness Variant: Improper Neutralization of Encoded URI Schemes in a Web Page - (84)
Weakness Base: Improper Neutralization of Equivalent Special Elements - (76)
Weakness Variant: Improper Neutralization of Escape, Meta, or Control Sequences - (150)
Weakness Variant: Improper Neutralization of Expression/Command Delimiters - (146)
Weakness Variant: Improper Neutralization of HTTP Headers for Scripting Syntax - (644)
Weakness Base: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
Weakness Variant: Improper Neutralization of Input Leaders - (148)
Weakness Variant: Improper Neutralization of Input Terminators - (147)
Weakness Variant: Improper Neutralization of Internal Special Elements - (164)
Weakness Variant: Improper Neutralization of Invalid Characters in Identifiers in Web Pages - (86)
Weakness Variant: Improper Neutralization of Leading Special Elements - (160)
Weakness Variant: Improper Neutralization of Line Delimiters - (144)
Weakness Variant: Improper Neutralization of Macro Symbols - (152)
Weakness Variant: Improper Neutralization of Multiple Internal Special Elements - (165)
Weakness Variant: Improper Neutralization of Multiple Leading Special Elements - (161)
Weakness Variant: Improper Neutralization of Multiple Trailing Special Elements - (163)
Weakness Variant: Improper Neutralization of Null Byte or NUL Character - (158)
Weakness Variant: Improper Neutralization of Parameter/Argument Delimiters - (141)
Weakness Variant: Improper Neutralization of Quoting Syntax - (149)
Weakness Variant: Improper Neutralization of Record Delimiters - (143)
Weakness Variant: Improper Neutralization of Script in an Error Message Web Page - (81)
Weakness Variant: Improper Neutralization of Script in Attributes in a Web Page - (83)
Weakness Variant: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page - (82)
Weakness Variant: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - (80)
Weakness Variant: Improper Neutralization of Section Delimiters - (145)
Weakness Variant: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page - (97)
Weakness Class: Improper Neutralization of Special Elements - (138)
Weakness Class: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - (74)
Weakness Class: Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77)
Weakness Base: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') - (917)
Weakness Base: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - (90)
Weakness Base: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
Weakness Base: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
Weakness Variant: Improper Neutralization of Substitution Characters - (153)
Weakness Variant: Improper Neutralization of Trailing Special Elements - (162)
Weakness Variant: Improper Neutralization of Value Delimiters - (142)
Weakness Variant: Improper Neutralization of Variable Name Delimiters - (154)
Weakness Variant: Improper Neutralization of Whitespace - (156)
Weakness Variant: Improper Neutralization of Wildcards or Matching Symbols - (155)
Weakness Base: Improper Null Termination - (170)
Weakness Base: Improper Output Neutralization for Logs - (117)
Weakness Class: Improper Ownership Management - (282)
Weakness Base: Improper Preservation of Permissions - (281)
Weakness Base: Improper Privilege Management - (269)
Weakness Class: Improper Protection of Alternate Path - (424)
Weakness Base: Improper Release of Memory Before Removing Last Reference ('Memory Leak') - (401)
Weakness Base: Improper Resolution of Path Equivalence - (41)
Weakness Base: Improper Resource Locking - (413)
Weakness Base: Improper Resource Shutdown or Release - (404)
Weakness Class: Improper Restriction of Communication Channel to Intended Endpoints - (923)
Weakness Base: Improper Restriction of Excessive Authentication Attempts - (307)
Weakness Base: Improper Restriction of Names for Files and Other Resources - (641)
Weakness Class: Improper Restriction of Operations within the Bounds of a Memory Buffer - (119)
Weakness Base: Improper Restriction of Power Consumption - (920)
Weakness Variant: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') - (776)
Weakness Variant: Improper Restriction of XML External Entity Reference ('XXE') - (611)
Weakness Base: Improper Synchronization - (662)
Weakness Base: Improper Update of Reference Count - (911)
Weakness Base: Improper Validation of Array Index - (129)
Weakness Variant: Improper Validation of Certificate Expiration - (298)
Weakness Variant: Improper Validation of Certificate with Host Mismatch - (297)
Weakness Variant: Improper Validation of Function Hook Arguments - (622)
Weakness Base: Improper Validation of Integrity Check Value - (354)
Weakness Base: Improper Verification of Cryptographic Signature - (347)
Weakness Variant: Improper Verification of Intent by Broadcast Receiver - (925)
Weakness Base: Improper Verification of Source of a Communication Channel - (940)
Weakness Base: Improperly Controlled Modification of Dynamically-Determined Object Attributes - (915)
Weakness Base: Improperly Implemented Security Check for Standard - (358)
Weakness Class: Inadequate Encryption Strength - (326)
Category: Inadvertently Introduced Weakness - (518)
Weakness Base: Inappropriate Encoding for Output Context - (838)
Weakness Class: Inclusion of Functionality from Untrusted Control Sphere - (829)
Weakness Base: Inclusion of Web Functionality from an Untrusted Source - (830)
Weakness Base: Incomplete Blacklist - (184)
Weakness Base: Incomplete Cleanup - (459)
Weakness Variant: Incomplete Identification of Uploaded File Variables (PHP) - (616)
Weakness Base: Incomplete Internal State Distinction - (372)
Weakness Base: Incomplete Model of Endpoint Features - (437)
Weakness Base: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') - (444)
Weakness Class: Incorrect Authorization - (863)
Weakness Class: Incorrect Behavior Order - (696)
Weakness Base: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)
Weakness Base: Incorrect Behavior Order: Early Amplification - (408)
Weakness Base: Incorrect Behavior Order: Early Validation - (179)
Weakness Base: Incorrect Behavior Order: Validate Before Canonicalize - (180)
Weakness Base: Incorrect Behavior Order: Validate Before Filter - (181)
Weakness Variant: Incorrect Block Delimitation - (483)
Weakness Class: Incorrect Calculation - (682)
Weakness Base: Incorrect Calculation of Buffer Size - (131)
Weakness Base: Incorrect Calculation of Multi-Byte String Length - (135)
Weakness Base: Incorrect Check of Function Return Value - (253)
Weakness Base: Incorrect Conversion between Numeric Types - (681)
Weakness Variant: Incorrect Default Permissions - (276)
Weakness Variant: Incorrect Execution-Assigned Permissions - (279)
Weakness Base: Incorrect Implementation of Authentication Algorithm - (303)
Weakness Base: Incorrect Ownership Assignment - (708)
Weakness Class: Incorrect Permission Assignment for Critical Resource - (732)
Weakness Base: Incorrect Pointer Scaling - (468)
Weakness Base: Incorrect Privilege Assignment - (266)
Weakness Base: Incorrect Provision of Specified Functionality - (684)
Weakness Class: Incorrect Regular Expression - (185)
Weakness Class: Incorrect Resource Transfer Between Spheres - (669)
Weakness Base: Incorrect Semantic Object Comparison - (596)
Weakness Variant: Incorrect Short Circuit Evaluation - (768)
Weakness Base: Incorrect Synchronization - (821)
Weakness Class: Incorrect Type Conversion or Cast - (704)
Weakness Base: Incorrect Use of Privileged APIs - (648)
Weakness Class: Incorrect User Management - (286)
Weakness Base: Incorrectly Specified Destination in a Communication Channel - (941)
Weakness Class: Indicator of Poor Code Quality - (398)
Weakness Class: Information Exposure - (200)
Weakness Variant: Information Exposure of Internal State Through Behavioral Inconsistency - (206)
Weakness Base: Information Exposure Through an Error Message - (209)
Weakness Variant: Information Exposure Through an External Behavioral Inconsistency - (207)
Weakness Base: Information Exposure Through Behavioral Discrepancy - (205)
Weakness Variant: Information Exposure Through Browser Caching - (525)
Weakness Variant: Information Exposure Through Caching - (524)
Weakness Variant: Information Exposure Through Cleanup Log Files - (542)
Weakness Variant: Information Exposure Through Comments - (615)
Weakness Variant: Information Exposure Through Debug Information - (215)
Weakness Variant: Information Exposure Through Debug Log Files - (534)
Weakness Variant: Information Exposure Through Directory Listing - (548)
Weakness Class: Information Exposure Through Discrepancy - (203)
Weakness Variant: Information Exposure Through Environmental Variables - (526)
Weakness Base: Information Exposure Through Externally-generated Error Message - (211)
Weakness Variant: Information Exposure Through Include Source Code - (541)
Weakness Variant: Information Exposure Through Indexing of Private Data - (612)
Weakness Variant: Information Exposure Through Java Runtime Error Message - (537)
Weakness Variant: Information Exposure Through Log Files - (532)
Weakness Variant: Information Exposure Through Persistent Cookies - (539)
Weakness Variant: Information Exposure Through Process Environment - (214)
Weakness Variant: Information Exposure Through Query Strings in GET Request - (598)
Weakness Base: Information Exposure Through Self-generated Error Message - (210)
Weakness Variant: Information Exposure Through Sent Data - (201)
Weakness Variant: Information Exposure Through Server Error Message - (550)
Weakness Variant: Information Exposure Through Server Log Files - (533)
Weakness Variant: Information Exposure Through Servlet Runtime Error Message - (536)
Weakness Variant: Information Exposure Through Shell Error Message - (535)
Weakness Variant: Information Exposure Through Source Code - (540)
Weakness Variant: Information Exposure Through Test Code - (531)
Weakness Base: Information Exposure Through Timing Discrepancy - (208)
Weakness Variant: Information Exposure Through WSDL File - (651)
Weakness Class: Information Loss or Omission - (221)
Category: Information Management Errors - (199)
Category: Initialization and Cleanup Errors - (452)
Weakness Base: Insecure Default Variable Initialization - (453)
Weakness Variant: Insecure Inherited Permissions - (277)
Weakness Variant: Insecure Preserved Inherited Permissions - (278)
Weakness Class: Insecure Storage of Sensitive Information - (922)
Weakness Base: Insecure Temporary File - (377)
Weakness Class: Insufficient Comparison - (697)
Weakness Base: Insufficient Compartmentalization - (653)
Weakness Class: Insufficient Control Flow Management - (691)
Weakness BaseWeakness Base Insufficient Control of Network Message Volume (Network Amplification) - (406)
Weakness ClassWeakness Class Insufficient Encapsulation - (485)
Weakness BaseWeakness Base Insufficient Entropy - (331)
Weakness VariantWeakness Variant Insufficient Entropy in PRNG - (332)
Weakness BaseWeakness Base Insufficient Logging - (778)
Weakness BaseWeakness Base Insufficient Psychological Acceptability - (655)
Weakness BaseWeakness Base Insufficient Resource Pool - (410)
Weakness BaseWeakness Base Insufficient Session Expiration - (613)
Weakness BaseWeakness Base Insufficient Type Distinction - (351)
Weakness BaseWeakness Base Insufficient UI Warning of Dangerous Operations - (357)
Weakness ClassWeakness Class Insufficient Verification of Data Authenticity - (345)
Weakness BaseWeakness Base Insufficiently Protected Credentials - (522)
CategoryCategory Integer Coercion Error - (192)
Weakness BaseWeakness Base Integer Overflow or Wraparound - (190)
Weakness BaseWeakness Base Integer Underflow (Wrap or Wraparound) - (191)
Weakness BaseWeakness Base Intentional Information Exposure - (213)
CategoryCategory Intentionally Introduced Nonmalicious Weakness - (513)
CategoryCategory Intentionally Introduced Weakness - (505)
Weakness ClassWeakness Class Interaction Error - (435)
Weakness BaseWeakness Base Interpretation Conflict - (436)
Weakness VariantWeakness Variant J2EE Bad Practices: Direct Management of Connections - (245)
Weakness VariantWeakness Variant J2EE Bad Practices: Direct Use of Sockets - (246)
Weakness VariantWeakness Variant J2EE Bad Practices: Direct Use of Threads - (383)
Weakness VariantWeakness Variant J2EE Bad Practices: Non-serializable Object Stored in Session - (579)
Weakness VariantWeakness Variant J2EE Bad Practices: Use of System.exit() - (382)
CategoryCategory J2EE Environment Issues - (4)
Weakness VariantWeakness Variant J2EE Framework: Saving Unserializable Objects to Disk - (594)
Weakness VariantWeakness Variant J2EE Misconfiguration: Data Transmission Without Encryption - (5)
Weakness VariantWeakness Variant J2EE Misconfiguration: Entity Bean Declared Remote - (8)
Weakness VariantWeakness Variant J2EE Misconfiguration: Insufficient Session-ID Length - (6)
Weakness VariantWeakness Variant J2EE Misconfiguration: Missing Custom Error Page - (7)
Weakness VariantWeakness Variant J2EE Misconfiguration: Plaintext Password in Configuration File - (555)
Weakness VariantWeakness Variant J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)
CategoryCategory J2EE Time and State Issues - (381)
Weakness BaseWeakness Base Key Exchange without Entity Authentication - (322)
CategoryCategory Key Management Errors - (320)
Weakness ClassWeakness Class Lack of Administrator Control over Security - (671)
Weakness BaseWeakness Base Least Privilege Violation - (272)
Weakness BaseWeakness Base Leftover Debug Code - (489)
CategoryCategory Location - (1)
Weakness BaseWeakness Base Logging of Excessive Data - (779)
Weakness BaseWeakness Base Logic/Time Bomb - (511)
Weakness BaseWeakness Base Loop with Unreachable Exit Condition ('Infinite Loop') - (835)
CategoryCategory Mac Virtual File Problems - (70)
Weakness BaseWeakness Base Misinterpretation of Input - (115)
Weakness VariantWeakness Variant Mismatched Memory Management Routines - (762)
Weakness VariantWeakness Variant Missing Authentication for Critical Function - (306)
Weakness ClassWeakness Class Missing Authorization - (862)
Weakness BaseWeakness Base Missing Check for Certificate Revocation after Initial Check - (370)
Weakness BaseWeakness Base Missing Critical Step in Authentication - (304)
Weakness ClassWeakness Class Missing Custom Error Page - (756)
Weakness VariantWeakness Variant Missing Default Case in Switch Statement - (478)
Weakness BaseWeakness Base Missing Encryption of Sensitive Data - (311)
Weakness BaseWeakness Base Missing Handler - (431)
Weakness BaseWeakness Base Missing Initialization of a Variable - (456)
Weakness BaseWeakness Base Missing Initialization of Resource - (909)
Weakness BaseWeakness Base Missing Lock Check - (414)
Weakness VariantWeakness Variant Missing Password Field Masking - (549)
Weakness VariantWeakness Variant Missing Reference to Active File Descriptor or Handle - (773)
Weakness VariantWeakness Variant Missing Release of File Descriptor or Handle after Effective Lifetime - (775)
Weakness BaseWeakness Base Missing Report of Error Condition - (392)
Weakness BaseWeakness Base Missing Required Cryptographic Step - (325)
Weakness BaseWeakness Base Missing Standardized Error Handling Mechanism - (544)
Weakness BaseWeakness Base Missing Support for Integrity Check - (353)
Weakness BaseWeakness Base Missing Synchronization - (820)
Weakness VariantWeakness Variant Missing Validation of OpenSSL Certificate - (599)
Weakness BaseWeakness Base Missing XML Validation - (112)
CategoryCategory Mobile Code Issues - (490)
Weakness BaseWeakness Base Modification of Assumed-Immutable Data (MAID) - (471)
CategoryCategory Motivation/Intent - (504)
Weakness BaseWeakness Base Multiple Binds to the Same Port - (605)
Weakness BaseWeakness Base Multiple Interpretations of UI Input - (450)
Weakness VariantWeakness Variant Multiple Locks of a Critical Resource - (764)
Weakness VariantWeakness Variant Multiple Unlocks of a Critical Resource - (765)
CategoryCategory .NET Environment Issues - (519)
Weakness VariantWeakness Variant .NET Misconfiguration: Use of Impersonation - (520)
Weakness BaseWeakness Base Non-exit on Failed Initialization - (455)
Weakness BaseWeakness Base Non-Replicating Malicious Code - (508)
Weakness ClassWeakness Class Not Failing Securely ('Failing Open') - (636)
Weakness VariantWeakness Variant Not Using a Random IV with CBC Mode - (329)
Weakness ClassWeakness Class Not Using Complete Mediation - (638)
Weakness VariantWeakness Variant Not Using Password Aging - (262)
Weakness VariantWeakness Variant Null Byte Interaction Error (Poison Null Byte) - (626)
Weakness BaseWeakness Base NULL Pointer Dereference - (476)
CategoryCategory Numeric Errors - (189)
Weakness BaseWeakness Base Numeric Range Comparison Without Minimum Check - (839)
Weakness BaseWeakness Base Numeric Truncation Error - (197)
Weakness BaseWeakness Base Object Model Violation: Just One of Equals and Hashcode Defined - (581)
Weakness BaseWeakness Base Obscured Security-relevant Information by Alternate Name - (224)
Weakness BaseWeakness Base Obsolete Feature in UI - (448)
Weakness BaseWeakness Base Off-by-one Error - (193)
CategoryCategory Often Misused: Arguments and Parameters - (559)
CategoryCategory Often Misused: String Management - (251)
Weakness BaseWeakness Base Omission of Security-relevant Information - (223)
Weakness BaseWeakness Base Omitted Break Statement in Switch - (484)
Weakness BaseWeakness Base Operation on a Resource after Expiration or Release - (672)
Weakness BaseWeakness Base Operation on Resource in Wrong Phase of Lifetime - (666)
Weakness VariantWeakness Variant Operator Precedence Logic Error - (783)
Weakness BaseWeakness Base Origin Validation Error - (346)
CategoryCategory Other Intentional, Nonmalicious Weakness - (517)
Weakness BaseWeakness Base Out-of-bounds Read - (125)
Weakness BaseWeakness Base Out-of-bounds Write - (787)
Weakness BaseWeakness Base Overly Restrictive Account Lockout Mechanism - (645)
Weakness BaseWeakness Base Overly Restrictive Regular Expression - (186)
Weakness BaseWeakness Base Partial Comparison - (187)
Weakness BaseWeakness Base Passing Mutable Objects to an Untrusted Method - (374)
Weakness BaseWeakness Base Password Aging with Long Expiration - (263)
Weakness VariantWeakness Variant Password in Configuration File - (260)
Weakness VariantWeakness Variant Path Equivalence: ' filename' (Leading Space) - (47)
Weakness VariantWeakness Variant Path Equivalence: '/./' (Single Dot Directory) - (55)
Weakness VariantWeakness Variant Path Equivalence: '//multiple/leading/slash' - (50)
Weakness VariantWeakness Variant Path Equivalence: '/multiple//internal/slash' - (51)
Weakness VariantWeakness Variant Path Equivalence: '/multiple/trailing/slash//' - (52)
Weakness VariantWeakness Variant Path Equivalence: '\multiple\\internal\backslash' - (53)
Weakness VariantWeakness Variant Path Equivalence: 'fakedir/../realdir/filename' - (57)
Weakness VariantWeakness Variant Path Equivalence: 'file name' (Internal Whitespace) - (48)
Weakness VariantWeakness Variant Path Equivalence: 'filedir*' (Wildcard) - (56)
Weakness VariantWeakness Variant Path Equivalence: 'filedir\' (Trailing Backslash) - (54)
Weakness VariantWeakness Variant Path Equivalence: 'filename ' (Trailing Space) - (46)
Weakness VariantWeakness Variant Path Equivalence: 'file.name' (Internal Dot) - (44)
Weakness VariantWeakness Variant Path Equivalence: 'file...name' (Multiple Internal Dot) - (45)
Weakness VariantWeakness Variant Path Equivalence: 'filename....' (Multiple Trailing Dot) - (43)
Weakness VariantWeakness Variant Path Equivalence: 'filename.' (Trailing Dot) - (42)
Weakness VariantWeakness Variant Path Equivalence: 'filename/' (Trailing Slash) - (49)
Weakness VariantWeakness Variant Path Equivalence: Windows 8.3 Filename - (58)
Weakness VariantWeakness Variant Path Traversal: '....' (Multiple Dot) - (33)
Weakness VariantWeakness Variant Path Traversal: '...' (Triple Dot) - (32)
Weakness VariantWeakness Variant Path Traversal: '....//' - (34)
Weakness VariantWeakness Variant Path Traversal: '.../...//' - (35)
Weakness VariantWeakness Variant Path Traversal: '/../filedir' - (25)
Weakness VariantWeakness Variant Path Traversal: '/absolute/pathname/here' - (37)
Weakness VariantWeakness Variant Path Traversal: '/dir/../filename' - (26)
Weakness VariantWeakness Variant Path Traversal: '../filedir' - (24)
Weakness VariantWeakness Variant Path Traversal: '\..\filename' - (29)
Weakness VariantWeakness Variant Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - (40)
Weakness VariantWeakness Variant Path Traversal: '\absolute\pathname\here' - (38)
Weakness VariantWeakness Variant Path Traversal: '\dir\..\filename' - (30)
Weakness VariantWeakness Variant Path Traversal: '..\filedir' - (28)
Weakness VariantWeakness Variant Path Traversal: 'C:dirname' - (39)
Weakness VariantWeakness Variant Path Traversal: 'dir/../../filename' - (27)
Weakness VariantWeakness Variant Path Traversal: 'dir\..\..\filename' - (31)
CategoryCategory Pathname Traversal and Equivalence Errors - (21)
CategoryCategory Permission Issues - (275)
Compound Element: CompositeCompound Element: Composite Permission Race Condition During Resource Copy - (689)
CategoryCategory Permissions, Privileges, and Access Controls - (264)
Weakness BaseWeakness Base Permissive Regular Expression - (625)
Weakness BaseWeakness Base Permissive Whitelist - (183)
Weakness VariantWeakness Variant PHP External Variable Modification - (473)
Weakness BaseWeakness Base Placement of User into Incorrect Group - (842)
Weakness VariantWeakness Variant Plaintext Storage of a Password - (256)
CategoryCategory Pointer Issues - (465)
Weakness ClassWeakness Class Predictability Problems - (340)
Weakness BaseWeakness Base Predictable Exact Value from Previous Values - (342)
Weakness BaseWeakness Base Predictable from Observable State - (341)
Weakness BaseWeakness Base Predictable Seed in PRNG - (337)
Weakness BaseWeakness Base Predictable Value Range from Previous Values - (343)
Weakness BaseWeakness Base Premature Release of Resource During Expected Lifetime - (826)
Weakness VariantWeakness Variant Private Array-Typed Field Returned From A Public Method - (495)
CategoryCategory Privilege / Sandbox Issues - (265)
Weakness BaseWeakness Base Privilege Chaining - (268)
Weakness BaseWeakness Base Privilege Context Switching Error - (270)
Weakness BaseWeakness Base Privilege Defined With Unsafe Actions - (267)
Weakness ClassWeakness Class Privilege Dropping / Lowering Errors - (271)
Weakness ClassWeakness Class PRNG Seed Error - (335)
Weakness BaseWeakness Base Process Control - (114)
Weakness BaseWeakness Base Product UI does not Warn User of Unsafe Actions - (356)
Weakness ClassWeakness Class Protection Mechanism Failure - (693)
Weakness VariantWeakness Variant Public cloneable() Method Without Final ('Object Hijack') - (491)
Weakness VariantWeakness Variant Public Data Assigned to Private Array-Typed Field - (496)
Weakness VariantWeakness Variant Public Static Field Not Marked Final - (500)
Weakness VariantWeakness Variant Public Static Final Field References Mutable Object - (607)
Weakness BaseWeakness Base Race Condition During Access to Alternate Channel - (421)
Weakness BaseWeakness Base Race Condition Enabling Link Following - (363)
Weakness BaseWeakness Base Race Condition in Switch - (365)
Weakness BaseWeakness Base Race Condition within a Thread - (366)
Weakness VariantWeakness Variant Reachable Assertion - (617)
Weakness VariantWeakness Variant Reflection Attack in an Authentication Protocol - (301)
Weakness VariantWeakness Variant Regular Expression without Anchors - (777)
Weakness BaseWeakness Base Relative Path Traversal - (23)
Weakness BaseWeakness Base Release of Invalid Pointer or Reference - (763)
Weakness BaseWeakness Base Reliance on a Single Factor in a Security Decision - (654)
Weakness BaseWeakness Base Reliance on Cookies without Validation and Integrity Checking - (565)
Weakness VariantWeakness Variant Reliance on Cookies without Validation and Integrity Checking in a Security Decision - (784)
Weakness BaseWeakness Base Reliance on Data/Memory Layout - (188)
Weakness VariantWeakness Variant Reliance on File Name or Extension of Externally-Supplied File - (646)
Weakness VariantWeakness Variant Reliance on IP Address for Authentication - (291)
Weakness BaseWeakness Base Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking - (649)
Weakness VariantWeakness Variant Reliance on Package-level Scope - (487)
Weakness VariantWeakness Variant Reliance on Reverse DNS Resolution for a Security-Critical Action - (350)
Weakness BaseWeakness Base Reliance on Security Through Obscurity - (656)
Weakness BaseWeakness Base Reliance on Untrusted Inputs in a Security Decision - (807)
Weakness BaseWeakness Base Replicating Malicious Code (Virus or Worm) - (509)
CategoryCategory Representation Errors - (137)
CategoryCategory Resource Locking Problems - (411)
CategoryCategory Resource Management Errors - (399)
ViewView Resource-specific Weaknesses - (631)
Weakness BaseWeakness Base Response Discrepancy Information Exposure - (204)
Weakness BaseWeakness Base Return Inside Finally Block - (584)
Weakness BaseWeakness Base Return of Pointer Value Outside of Expected Range - (466)
Weakness BaseWeakness Base Return of Stack Variable Address - (562)
Weakness BaseWeakness Base Return of Wrong Status Code - (393)
Weakness BaseWeakness Base Returning a Mutable Object to an Untrusted Caller - (375)
Weakness BaseWeakness Base Reusing a Nonce, Key Pair in Encryption - (323)
Weakness BaseWeakness Base Reversible One-Way Hash - (328)
Weakness BaseWeakness Base Same Seed in PRNG - (336)
CategoryCategory Security Features - (254)
Weakness VariantWeakness Variant Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - (614)
Weakness VariantWeakness Variant Sensitive Data Storage in Improperly Locked Memory - (591)
Weakness VariantWeakness Variant Sensitive Data Under FTP Root - (220)
Weakness VariantWeakness Variant Sensitive Data Under Web Root - (219)
Weakness BaseWeakness Base Sensitive Information Uncleared Before Release - (226)
Weakness VariantWeakness Variant Serializable Class Containing Sensitive Data - (499)
Weakness BaseWeakness Base Server-Side Request Forgery (SSRF) - (918)
Compound Element: CompositeCompound Element: Composite Session Fixation - (384)
CategoryCategory Signal Errors - (387)
Weakness BaseWeakness Base Signal Handler Function Associated with Multiple Signals - (831)
Weakness BaseWeakness Base Signal Handler Race Condition - (364)
Weakness VariantWeakness Variant Signal Handler Use of a Non-reentrant Function - (479)
Weakness BaseWeakness Base Signal Handler with Functionality that is not Asynchronous-Safe - (828)
Weakness VariantWeakness Variant Signed to Unsigned Conversion Error - (195)
Weakness BaseWeakness Base Small Seed Space in PRNG - (339)
Weakness BaseWeakness Base Small Space of Random Values - (334)
CategoryCategory Source Code - (18)
Weakness BaseWeakness Base Spyware - (512)
Weakness VariantWeakness Variant SQL Injection: Hibernate - (564)
Weakness VariantWeakness Variant Stack-based Buffer Overflow - (121)
CategoryCategory State Issues - (371)
Weakness BaseWeakness Base Storage of Sensitive Data in a Mechanism without Access Control - (921)
Weakness BaseWeakness Base Storing Passwords in a Recoverable Format - (257)
CategoryCategory String Errors - (133)
CategoryCategory Struts Validation Problems - (101)
Weakness VariantWeakness Variant Struts: Duplicate Validation Forms - (102)
Weakness VariantWeakness Variant Struts: Form Bean Does Not Extend Validation Class - (104)
Weakness VariantWeakness Variant Struts: Form Field Without Validator - (105)
Weakness VariantWeakness Variant Struts: Incomplete validate() Method Definition - (103)
Weakness VariantWeakness Variant Struts: Non-private Field in ActionForm Class - (608)
Weakness VariantWeakness Variant Struts: Plug-in Framework not in Use - (106)
Weakness VariantWeakness Variant Struts: Unused Validation Form - (107)
Weakness VariantWeakness Variant Struts: Unvalidated Action Form - (108)
Weakness VariantWeakness Variant Struts: Validator Turned Off - (109)
Weakness VariantWeakness Variant Struts: Validator Without Form Field - (110)
Weakness VariantWeakness Variant Suspicious Comment - (546)
Weakness BaseWeakness Base Symbolic Name not Mapping to Correct Object - (386)
CategoryCategory Technology-specific Environment Issues - (3)
CategoryCategory Technology-Specific Input Validation Problems - (100)
CategoryCategory Technology-Specific Special Elements - (169)
CategoryCategory Technology-Specific Time and State Issues - (380)
CategoryCategory Temporary File Issues - (376)
Weakness BaseWeakness Base The UI Performs the Wrong Action - (449)
CategoryCategory Time and State - (361)
Weakness BaseWeakness Base Time-of-check Time-of-use (TOCTOU) Race Condition - (367)
Weakness ClassWeakness Class Transmission of Private Resources into a New Sphere ('Resource Leak') - (402)
Weakness BaseWeakness Base Trapdoor - (510)
Weakness BaseWeakness Base Trojan Horse - (507)
Weakness BaseWeakness Base Truncation of Security-relevant Information - (222)
Weakness BaseWeakness Base Trust Boundary Violation - (501)
Weakness BaseWeakness Base Trust of System Event Data - (360)
Weakness VariantWeakness Variant Trusting HTTP Permission Methods on the Server Side - (650)
CategoryCategory Type Errors - (136)
Weakness BaseWeakness Base UI Discrepancy for Security Feature - (446)
Weakness BaseWeakness Base Uncaught Exception - (248)
Weakness BaseWeakness Base Uncaught Exception in Servlet - (600)
Weakness BaseWeakness Base Unchecked Error Condition - (391)
Weakness BaseWeakness Base Unchecked Input for Loop Condition - (606)
Weakness BaseWeakness Base Unchecked Return Value - (252)
Weakness BaseWeakness Base Uncontrolled Format String - (134)
Weakness VariantWeakness Variant Uncontrolled Memory Allocation - (789)
Weakness BaseWeakness Base Uncontrolled Recursion - (674)
Weakness BaseWeakness Base Uncontrolled Resource Consumption ('Resource Exhaustion') - (400)
Weakness BaseWeakness Base Uncontrolled Search Path Element - (427)
Weakness BaseWeakness Base Undefined Behavior for Input to API - (475)
Weakness BaseWeakness Base Unexpected Sign Extension - (194)
Weakness BaseWeakness Base Unexpected Status Code or Return Value - (394)
Weakness BaseWeakness Base Unimplemented or Unsupported Feature in UI - (447)
Weakness ClassWeakness Class Unintended Proxy or Intermediary ('Confused Deputy') - (441)
Weakness VariantWeakness Variant UNIX Hard Link - (62)
CategoryCategory UNIX Path Link Problems - (60)
Compound Element: CompositeCompound Element: Composite UNIX Symbolic Link (Symlink) Following - (61)
Weakness BaseWeakness Base Unlock of a Resource that is not Locked - (832)
Weakness ClassWeakness Class Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') - (637)
Weakness VariantWeakness Variant Unparsed Raw Web Content Delivery - (433)
Weakness BaseWeakness Base Unprotected Alternate Channel - (420)
Weakness BaseWeakness Base Unprotected Primary Channel - (419)
Weakness VariantWeakness Variant Unprotected Transport of Credentials - (523)
Weakness VariantWeakness Variant Unprotected Windows Messaging Channel ('Shatter') - (422)
Weakness BaseWeakness Base Unquoted Search Path or Element - (428)
Weakness BaseWeakness Base Unrestricted Externally Accessible Lock - (412)
Weakness BaseWeakness Base Unrestricted Upload of File with Dangerous Type - (434)
Weakness VariantWeakness Variant Unsafe ActiveX Control Marked Safe For Scripting - (623)
Weakness VariantWeakness Variant Unsigned to Signed Conversion Error - (196)
Weakness BaseWeakness Base Unsynchronized Access to Shared Data in a Multithreaded Context - (567)
Weakness BaseWeakness Base Untrusted Pointer Dereference - (822)
Compound Element: CompositeCompound Element: Composite Untrusted Search Path - (426)
Weakness VariantWeakness Variant Unused Variable - (563)
Weakness BaseWeakness Base Unverified Ownership - (283)
Weakness VariantWeakness Variant Unverified Password Change - (620)
Weakness VariantWeakness Variant URL Redirection to Untrusted Site ('Open Redirect') - (601)
Weakness BaseWeakness Base Use After Free - (416)
Weakness BaseWeakness Base Use of a Broken or Risky Cryptographic Algorithm - (327)
Weakness BaseWeakness Base Use of a Key Past its Expiration Date - (324)
Weakness BaseWeakness Base Use of a Non-reentrant Function in a Concurrent Context - (663)
Weakness BaseWeakness Base Use of Client-Side Authentication - (603)
Weakness BaseWeakness Base Use of Cryptographically Weak PRNG - (338)
Weakness VariantWeakness Variant Use of Dynamic Class Loading - (545)
Weakness BaseWeakness Base Use of Expired File Descriptor - (910)
Weakness BaseWeakness Base Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - (470)
Weakness BaseWeakness Base Use of Function with Inconsistent Implementations - (474)
Weakness VariantWeakness Variant Use of getlogin() in Multithreaded Application - (558)
Weakness BaseWeakness Base Use of Hard-coded Credentials - (798)
Weakness BaseWeakness Base Use of Hard-coded Cryptographic Key - (321)
Weakness BaseWeakness Base Use of Hard-coded Password - (259)
Weakness VariantWeakness Variant Use of Hard-coded, Security-relevant Constants - (547)
Weakness VariantWeakness Variant Use of Implicit Intent for Sensitive Communication - (927)
Weakness BaseWeakness Base Use of Incorrect Byte Ordering - (198)
Weakness BaseWeakness Base Use of Incorrect Operator - (480)
Weakness BaseWeakness Base Use of Inherently Dangerous Function - (242)
Weakness VariantWeakness Variant Use of Inner Class Containing Sensitive Data - (492)
Weakness ClassWeakness Class Use of Insufficiently Random Values - (330)
Weakness BaseWeakness Base Use of Invariant Value in Dynamically Changing Context - (344)
Weakness BaseWeakness Base Use of Less Trusted Source - (348)
Weakness BaseWeakness Base Use of Low-Level Functionality - (695)
Weakness BaseWeakness Base Use of Multiple Resources with Duplicate Identifier - (694)
Weakness VariantWeakness Variant Use of Non-Canonical URL Paths for Authorization Decisions - (647)
Weakness BaseWeakness Base Use of NullPointerException Catch to Detect NULL Pointer Dereference - (395)
Weakness BaseWeakness Base Use of Obsolete Functions - (477)
Weakness BaseWeakness Base Use of Out-of-range Pointer Offset - (823)
Weakness BaseWeakness Base Use of Password Hash Instead of Password for Authentication - (836)
Weakness BaseWeakness Base Use of Password Hash With Insufficient Computational Effort - (916)
Weakness BaseWeakness Base Use of Password System for Primary Authentication - (309)
Weakness VariantWeakness Variant Use of Path Manipulation Function without Maximum-sized Buffer - (785)
Weakness BaseWeakness Base Use of Pointer Subtraction to Determine Size - (469)
Weakness BaseWeakness Base Use of Potentially Dangerous Function - (676)
Weakness VariantWeakness Variant Use of RSA Algorithm without OAEP - (780)
Weakness BaseWeakness Base Use of Single-factor Authentication - (308)
Weakness VariantWeakness Variant Use of Singleton Pattern Without Synchronization in a Multithreaded Context - (543)
Weakness VariantWeakness Variant Use of sizeof() on a Pointer Type - (467)
Weakness VariantWeakness Variant Use of umask() with chmod-style Argument - (560)
Weakness BaseWeakness Base Use of Uninitialized Resource - (908)
Weakness VariantWeakness Variant Use of Uninitialized Variable - (457)
Weakness VariantWeakness Variant Use of Wrong Operator in String Comparison - (597)
Weakness BaseWeakness Base User Interface (UI) Misrepresentation of Critical Information - (451)
CategoryCategory User Interface Errors - (445)
CategoryCategory User Interface Security Issues - (355)
Weakness VariantWeakness Variant Using Referer Field for Authentication - (293)
Weakness BaseWeakness Base Variable Extraction Error - (621)
Weakness ClassWeakness Class Violation of Secure Design Principles - (657)
Weakness VariantWeakness Variant Weak Cryptography for Passwords - (261)
Weakness BaseWeakness Base Weak Password Recovery Mechanism for Forgotten Password - (640)
Weakness BaseWeakness Base Weak Password Requirements - (521)
ViewView Weaknesses in OWASP Top Ten (2007) - (629)
ViewView Weaknesses Introduced During Design - (701)
ViewView Weaknesses Introduced During Implementation - (702)
CategoryCategory Web Problems - (442)
Weakness VariantWeakness Variant Windows Hard Link - (65)
CategoryCategory Windows Path Link Problems - (63)
Weakness VariantWeakness Variant Windows Shortcut Following (.LNK) - (64)
CategoryCategory Windows Virtual File Problems - (68)
Weakness BaseWeakness Base Wrap-around Error - (128)
Weakness BaseWeakness Base Write-what-where Condition - (123)
Weakness BaseWeakness Base XML Injection (aka Blind XPath Injection) - (91)
Page Last Updated: February 18, 2014