CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.16)  
ID

CWE VIEW: Weaknesses in OWASP Top Ten (2007)

View ID: 629
Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
Type: Graph
Downloads: Booklet | CSV | XML
+ Objective
CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top Ten is available.
+ Audience
Stakeholder Description
Software Developers This view outlines the most important issues as identified by the OWASP Top Ten (2007 version), providing a good starting point for web application developers who want to code more securely.
Product Customers This view outlines the most important issues as identified by the OWASP Top Ten (2007 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code.
Educators Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students.
+ Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
Show Details:
629 - Weaknesses in OWASP Top Ten (2007)
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS) - (712)
629 (Weaknesses in OWASP Top Ten (2007)) > 712 (OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS))
Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2007.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
629 (Weaknesses in OWASP Top Ten (2007)) > 712 (OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. XSS HTML Injection CSS
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A2 - Injection Flaws - (713)
629 (Weaknesses in OWASP Top Ten (2007)) > 713 (OWASP Top Ten 2007 Category A2 - Injection Flaws)
Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2007.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77)
629 (Weaknesses in OWASP Top Ten (2007)) > 713 (OWASP Top Ten 2007 Category A2 - Injection Flaws) > 77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Command injection
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
629 (Weaknesses in OWASP Top Ten (2007)) > 713 (OWASP Top Ten 2007 Category A2 - Injection Flaws) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. SQL injection SQLi
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - (90)
629 (Weaknesses in OWASP Top Ten (2007)) > 713 (OWASP Top Ten 2007 Category A2 - Injection Flaws) > 90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'))
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. XML Injection (aka Blind XPath Injection) - (91)
629 (Weaknesses in OWASP Top Ten (2007)) > 713 (OWASP Top Ten 2007 Category A2 - Injection Flaws) > 91 (XML Injection (aka Blind XPath Injection))
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of CRLF Sequences ('CRLF Injection') - (93)
629 (Weaknesses in OWASP Top Ten (2007)) > 713 (OWASP Top Ten 2007 Category A2 - Injection Flaws) > 93 (Improper Neutralization of CRLF Sequences ('CRLF Injection'))
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A3 - Malicious File Execution - (714)
629 (Weaknesses in OWASP Top Ten (2007)) > 714 (OWASP Top Ten 2007 Category A3 - Malicious File Execution)
Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2007.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unrestricted Upload of File with Dangerous Type - (434)
629 (Weaknesses in OWASP Top Ten (2007)) > 714 (OWASP Top Ten 2007 Category A3 - Malicious File Execution) > 434 (Unrestricted Upload of File with Dangerous Type)
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Unrestricted File Upload
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
629 (Weaknesses in OWASP Top Ten (2007)) > 714 (OWASP Top Ten 2007 Category A3 - Malicious File Execution) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Shell injection Shell metacharacters OS Command Injection
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)
629 (Weaknesses in OWASP Top Ten (2007)) > 714 (OWASP Top Ten 2007 Category A3 - Malicious File Execution) > 95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'))
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') - (98)
629 (Weaknesses in OWASP Top Ten (2007)) > 714 (OWASP Top Ten 2007 Category A3 - Malicious File Execution) > 98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'))
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. Remote file include RFI Local file inclusion
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference - (715)
629 (Weaknesses in OWASP Top Ten (2007)) > 715 (OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference)
Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2007.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
629 (Weaknesses in OWASP Top Ten (2007)) > 715 (OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Directory traversal Path traversal
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. External Control of Assumed-Immutable Web Parameter - (472)
629 (Weaknesses in OWASP Top Ten (2007)) > 715 (OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference) > 472 (External Control of Assumed-Immutable Web Parameter)
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. Assumed-Immutable Parameter Tampering
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authorization Bypass Through User-Controlled Key - (639)
629 (Weaknesses in OWASP Top Ten (2007)) > 715 (OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference) > 639 (Authorization Bypass Through User-Controlled Key)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Insecure Direct Object Reference / IDOR Broken Object Level Authorization / BOLA Horizontal Authorization
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF) - (716)
629 (Weaknesses in OWASP Top Ten (2007)) > 716 (OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF))
Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2007.
* Composite Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability. Cross-Site Request Forgery (CSRF) - (352)
629 (Weaknesses in OWASP Top Ten (2007)) > 716 (OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)) > 352 (Cross-Site Request Forgery (CSRF))
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Session Riding Cross Site Reference Forgery XSRF
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling - (717)
629 (Weaknesses in OWASP Top Ten (2007)) > 717 (OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling)
Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2007.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Exposure of Sensitive Information to an Unauthorized Actor - (200)
629 (Weaknesses in OWASP Top Ten (2007)) > 717 (OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling) > 200 (Exposure of Sensitive Information to an Unauthorized Actor)
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Information Disclosure Information Leak
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Observable Discrepancy - (203)
629 (Weaknesses in OWASP Top Ten (2007)) > 717 (OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling) > 203 (Observable Discrepancy)
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Side Channel Attack
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Generation of Error Message Containing Sensitive Information - (209)
629 (Weaknesses in OWASP Top Ten (2007)) > 717 (OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling) > 209 (Generation of Error Message Containing Sensitive Information)
The product generates an error message that includes sensitive information about its environment, users, or associated data.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Insertion of Sensitive Information Into Debugging Code - (215)
629 (Weaknesses in OWASP Top Ten (2007)) > 717 (OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling) > 215 (Insertion of Sensitive Information Into Debugging Code)
The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management - (718)
629 (Weaknesses in OWASP Top Ten (2007)) > 718 (OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management)
Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2007.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Authentication - (287)
629 (Weaknesses in OWASP Top Ten (2007)) > 718 (OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management) > 287 (Improper Authentication)
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. authentification AuthN AuthC
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Reflection Attack in an Authentication Protocol - (301)
629 (Weaknesses in OWASP Top Ten (2007)) > 718 (OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management) > 301 (Reflection Attack in an Authentication Protocol)
Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Insufficiently Protected Credentials - (522)
629 (Weaknesses in OWASP Top Ten (2007)) > 718 (OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management) > 522 (Insufficiently Protected Credentials)
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage - (719)
629 (Weaknesses in OWASP Top Ten (2007)) > 719 (OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage)
Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2007.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Missing Encryption of Sensitive Data - (311)
629 (Weaknesses in OWASP Top Ten (2007)) > 719 (OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage) > 311 (Missing Encryption of Sensitive Data)
The product does not encrypt sensitive or critical information before storage or transmission.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Hard-coded Cryptographic Key - (321)
629 (Weaknesses in OWASP Top Ten (2007)) > 719 (OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage) > 321 (Use of Hard-coded Cryptographic Key)
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Cryptographic Step - (325)
629 (Weaknesses in OWASP Top Ten (2007)) > 719 (OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage) > 325 (Missing Cryptographic Step)
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Inadequate Encryption Strength - (326)
629 (Weaknesses in OWASP Top Ten (2007)) > 719 (OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage) > 326 (Inadequate Encryption Strength)
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A9 - Insecure Communications - (720)
629 (Weaknesses in OWASP Top Ten (2007)) > 720 (OWASP Top Ten 2007 Category A9 - Insecure Communications)
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Missing Encryption of Sensitive Data - (311)
629 (Weaknesses in OWASP Top Ten (2007)) > 720 (OWASP Top Ten 2007 Category A9 - Insecure Communications) > 311 (Missing Encryption of Sensitive Data)
The product does not encrypt sensitive or critical information before storage or transmission.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Hard-coded Cryptographic Key - (321)
629 (Weaknesses in OWASP Top Ten (2007)) > 720 (OWASP Top Ten 2007 Category A9 - Insecure Communications) > 321 (Use of Hard-coded Cryptographic Key)
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Cryptographic Step - (325)
629 (Weaknesses in OWASP Top Ten (2007)) > 720 (OWASP Top Ten 2007 Category A9 - Insecure Communications) > 325 (Missing Cryptographic Step)
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Inadequate Encryption Strength - (326)
629 (Weaknesses in OWASP Top Ten (2007)) > 720 (OWASP Top Ten 2007 Category A9 - Insecure Communications) > 326 (Inadequate Encryption Strength)
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access - (721)
629 (Weaknesses in OWASP Top Ten (2007)) > 721 (OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access)
Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2007.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Authorization - (285)
629 (Weaknesses in OWASP Top Ten (2007)) > 721 (OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access) > 285 (Improper Authorization)
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. AuthZ
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authentication Bypass Using an Alternate Path or Channel - (288)
629 (Weaknesses in OWASP Top Ten (2007)) > 721 (OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access) > 288 (Authentication Bypass Using an Alternate Path or Channel)
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Direct Request ('Forced Browsing') - (425)
629 (Weaknesses in OWASP Top Ten (2007)) > 721 (OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access) > 425 (Direct Request ('Forced Browsing'))
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. forced browsing
+ Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.
+ Notes

Relationship

The relationships in this view are a direct extraction of the CWE mappings that are in the 2007 OWASP document. CWE has changed since the release of that document.
+ References
[REF-43] OWASP. "OWASP TOP 10". 2007-05-18. <https://github.com/owasp-top/owasp-top-2007>.
+ View Metrics
CWEs in this view Total CWEs
Weaknesses 28 out of 940
Categories 10 out of 374
Views 0 out of 51
Total 38 out of 1365
+ Content History
+ Submissions
Submission Date Submitter Organization
2007-10-01
(CWE Draft 7, 2007-10-01)
CWE Content Team MITRE
+ Modifications
Modification Date Modifier Organization
2008-09-08 CWE Content Team MITRE
updated Description, Name, Relationships, References, Relationship_Notes, View_Audience, View_Structure
2017-01-19 CWE Content Team MITRE
updated Relationships
2017-11-08 CWE Content Team MITRE
updated References
2019-01-03 CWE Content Team MITRE
updated Description
2020-02-24 CWE Content Team MITRE
updated View_Audience
2023-04-27 CWE Content Team MITRE
updated References
2023-06-29 CWE Content Team MITRE
updated Mapping_Notes
+ Previous Entry Names
Change Date Previous Entry Name
2008-09-09 Weaknesses in OWASP Top Ten
Page Last Updated: November 19, 2024