CWE - VIEW LIST: CWE-711: Weaknesses in OWASP Top Ten (2004) (1.6)

Home > CWE List > VIEW LIST: CWE-711: Weaknesses in OWASP Top Ten (2004) (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-711: Weaknesses in OWASP Top Ten (2004)

Weaknesses in OWASP Top Ten (2004)

Definition in a New Window

View ID: 711 (View: Graph)

Status: Incomplete

View Data

View Objective

CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1.

View Metrics

	CWEs in this view		Total CWEs
Total	126	out of	791
Views	0	out of	22
Categories	16	out of	106
Weaknesses	107	out of	651
Compound_Elements	3	out of	12

View Audience

Stakeholder	Description
Developers	This view outlines the most important issues as identified by the OWASP Top Ten (2004 version), providing a good starting point for web application developers who want to code more securely, as well as complying with PCI DSS 1.1.
Software Customers	This view outlines the most important issues as identified by the OWASP Top Ten, providing customers with a way of asking their software developers to follow minimum expectations for secure code, in compliance with PCI-DSS 1.1.
Educators	Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. However, the 2007 version (CWE-629) might be more appropriate.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
HasMember	Category	722	OWASP Top Ten 2004 Category A1 - Unvalidated Input	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	723	OWASP Top Ten 2004 Category A2 - Broken Access Control	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	724	OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	725	OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	726	OWASP Top Ten 2004 Category A5 - Buffer Overflows	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	727	OWASP Top Ten 2004 Category A6 - Injection Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	728	OWASP Top Ten 2004 Category A7 - Improper Error Handling	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	729	OWASP Top Ten 2004 Category A8 - Insecure Storage	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	730	OWASP Top Ten 2004 Category A9 - Denial of Service	Weaknesses in OWASP Top Ten (2004) (primary)711
HasMember	Category	731	OWASP Top Ten 2004 Category A10 - Insecure Configuration Management	Weaknesses in OWASP Top Ten (2004) (primary)711

Relationship Notes

CWE relationships for this view were obtained by examining the OWASP document and mapping to any items that were specifically mentioned within the text of a category. As a result, this mapping is not complete with respect to all of CWE. In addition, some concepts were mentioned in multiple Top Ten items, which caused them to be mapped to multiple CWE categories. For example, SQL injection is mentioned in both A1 (CWE-722) and A6 (CWE-727) categories.

References

"Top 10 2004". OWASP. 2004-01-27. <http://www.owasp.org/index.php/Top_10_2004>.

PCI Security Standards Council. "About the PCI Data Security Standard (PCI DSS)". <https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml>.

Maintenance Notes

Some parts of CWE are not fully fleshed out in terms of weaknesses. When these areas were mentioned in the Top Ten, category nodes were mapped, although general mapping practice would usually favor mapping only to weaknesses.

Content History

Submissions
Submission Date	Submitter	Organization	Source
2008-08-15		Veracode	External Submission
2008-08-15	Suggested creation of view and provided mappings

Weakness Class Access Control (Authorization) Issues - (284)

Weakness Base Access Control Bypass Through User-Controlled Key - (639)

Category ASP.NET Environment Issues - (10)

Weakness Variant ASP.NET Misconfiguration: Use of Identity Impersonation - (556)

Weakness Class Asymmetric Resource Consumption (Amplification) - (405)

Weakness Variant Authentication Bypass by Assumed-Immutable Data - (302)

Weakness Class Authentication Bypass Issues - (592)

Compound Element: Composite Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)

Category Certificate Issues - (295)

Weakness Base Client-Side Enforcement of Server-Side Security - (602)

Weakness Base Collapse of Data Into Unsafe Value - (182)

Weakness Base Compiler Removal of Code to Clear Buffers - (14)

Category Credentials Management - (255)

Weakness Class Detection of Error Condition Without Action - (390)

Weakness Base Direct Request ('Forced Browsing') - (425)

Weakness Class Discrepancy Information Leaks - (203)

Weakness Base Divide By Zero - (369)

Category Error Handling - (388)

Weakness Base Error Message Information Leak - (209)

Weakness Base External Control of Assumed-Immutable Web Parameter - (472)

Weakness Class External Control of File Name or Path - (73)

Weakness Class Failure to Constrain Operations within the Bounds of a Memory Buffer - (119)

Weakness Base Failure to Encrypt Sensitive Data - (311)

Weakness Base Failure to Preserve Web Page Structure ('Cross-site Scripting') - (79)

Weakness Base Failure to Release Memory Before Removing Last Reference ('Memory Leak') - (401)

Weakness Base Failure to Restrict Excessive Authentication Attempts - (307)

Weakness Class Failure to Sanitize Data into a Different Plane ('Injection') - (74)

Weakness Base Files or Directories Accessible to External Parties - (552)

Weakness Base Hard-Coded Password - (259)

Weakness Class Improper Access Control (Authorization) - (285)

Weakness Class Improper Authentication - (287)

Compound Element: Composite Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') - (98)

Weakness Base Improper Following of Chain of Trust for Certificate Validation - (296)

Weakness Base Improper Handling of Additional Special Element - (167)

Weakness Base Improper Handling of Missing Special Element - (166)

Weakness Class Improper Handling of Syntactically Invalid Structure - (228)

Weakness Class Improper Input Validation - (20)

Weakness Base Improper Null Termination - (170)

Weakness Base Improper Output Sanitization for Logs - (117)

Weakness Base Improper Resolution of Path Equivalence - (41)

Weakness Base Improper Resource Shutdown or Release - (404)

Weakness Base Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)

Weakness Variant Improper Sanitization of HTTP Headers for Scripting Syntax - (644)

Weakness Class Improper Sanitization of Special Elements used in a Command ('Command Injection') - (77)

Weakness Base Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') - (78)

Weakness Base Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') - (89)

Weakness Base Improper Validation of Certificate Expiration - (298)

Weakness Class Inadequate Encryption Strength - (326)

Weakness Base Incomplete Cleanup - (459)

Weakness Base Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)

Weakness Base Incorrect Behavior Order: Early Validation - (179)

Weakness Base Incorrect Behavior Order: Validate Before Canonicalize - (180)

Weakness Base Incorrect Behavior Order: Validate Before Filter - (181)

Weakness Base Incorrect Ownership Assignment - (708)

Weakness Base Incorrect Privilege Assignment - (266)

Weakness Variant Information Leak Through Access Control List Files - (529)

Weakness Variant Information Leak Through Backup (.~bk) Files - (530)

Weakness Variant Information Leak Through Browser Caching - (525)

Weakness Variant Information Leak Through Cleanup Log Files - (542)

Weakness Variant Information Leak Through Core Dump Files - (528)

Weakness Variant Information Leak Through CVS Repository - (527)

Weakness Variant Information Leak Through Debug Information - (215)

Weakness Variant Information Leak Through Debug Log Files - (534)

Weakness Variant Information Leak Through Directory Listing - (548)

Weakness Variant Information Leak Through Environmental Variables - (526)

Weakness Variant Information Leak Through Include Source Code - (541)

Weakness Variant Information Leak Through Log Files - (532)

Weakness Variant Information Leak Through Persistent Cookies - (539)

Weakness Variant Information Leak Through Query Strings in GET Request - (598)

Weakness Variant Information Leak Through Server Log Files - (533)

Weakness Variant Information Leak Through Source Code - (540)

Weakness Variant Information Leak Through Test Code - (531)

Weakness Base Insufficient Resource Pool - (410)

Weakness Base Insufficient Session Expiration - (613)

Weakness Class Insufficient Verification of Data Authenticity - (345)

Weakness Base Insufficiently Protected Credentials - (522)

Weakness Variant J2EE Bad Practices: Use of System.exit() - (382)

Category J2EE Environment Issues - (4)

Weakness Variant J2EE Misconfiguration: Missing Custom Error Page - (7)

Weakness Variant J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)

Weakness Base Leftover Debug Code - (489)

Weakness Base Missing Critical Step in Authentication - (304)

Weakness Class Not Failing Securely ('Failing Open') - (636)

Weakness Base NULL Pointer Dereference - (476)

Category OWASP Top Ten 2004 Category A1 - Unvalidated Input - (722)

Category OWASP Top Ten 2004 Category A10 - Insecure Configuration Management - (731)

Category OWASP Top Ten 2004 Category A2 - Broken Access Control - (723)

Category OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management - (724)

Category OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws - (725)

Category OWASP Top Ten 2004 Category A5 - Buffer Overflows - (726)

Category OWASP Top Ten 2004 Category A6 - Injection Flaws - (727)

Category OWASP Top Ten 2004 Category A7 - Improper Error Handling - (728)

Category OWASP Top Ten 2004 Category A8 - Insecure Storage - (729)

Category OWASP Top Ten 2004 Category A9 - Denial of Service - (730)

Weakness Class Path Traversal - (22)

Category Permission Issues - (275)

Weakness Base Permissive Whitelist - (183)

Weakness Base Privilege Chaining - (268)

Weakness Variant Sensitive Data Storage in Improperly Locked Memory - (591)

Weakness Variant Sensitive Data Under Web Root - (219)

Weakness Base Sensitive Information Uncleared Before Release - (226)

Compound Element: Composite Session Fixation - (384)

Weakness Variant Struts: Duplicate Validation Forms - (102)

Weakness Variant Struts: Form Bean Does Not Extend Validation Class - (104)

Weakness Variant Struts: Incomplete validate() Method Definition - (103)

Weakness Variant Struts: Plug-in Framework not in Use - (106)

Weakness Variant Struts: Validator Turned Off - (109)

Weakness Base Uncaught Exception - (248)

Weakness Base Unchecked Error Condition - (391)

Weakness Base Unchecked Return Value - (252)

Weakness Base Uncontrolled Format String - (134)

Weakness Base Uncontrolled Recursion - (674)

Weakness Base Uncontrolled Resource Consumption ('Resource Exhaustion') - (400)

Weakness Base Unexpected Status Code or Return Value - (394)

Weakness Base Unrestricted Externally Accessible Lock - (412)

Weakness Base Unverified Ownership - (283)

Weakness Variant Unverified Password Change - (620)

Weakness Variant URL Redirection to Untrusted Site ('Open Redirect') - (601)

Weakness Base Use of a Broken or Risky Cryptographic Algorithm - (327)

Weakness Base Use of Hard-coded Cryptographic Key - (321)

Weakness Class Use of Insufficiently Random Values - (330)

Weakness Base Use of Password System for Primary Authentication - (309)

Weakness Variant Weak Cryptography for Passwords - (261)

Weakness Base Weak Password Recovery Mechanism for Forgotten Password - (640)

Weakness Base Weak Password Requirements - (521)

Weakness Base XML Injection (aka Blind XPath Injection) - (91)

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us