CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

Home > CWE List > CWE- Individual Dictionary Definition (4.16)  
CWE VIEW: Weaknesses in OWASP Top Ten (2004)

View ID: 711
Vulnerability Mapping: PROHIBITED. This CWE ID must not be used to map to real-world vulnerabilities.
Type: Graph
Objective
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available.
Audience
Stakeholder: Description
Software Developers: This view outlines the most important issues as identified by the OWASP Top Ten (2004 version), providing a good starting point for web application developers who want to code more securely, as well as complying with PCI DSS 1.1.
Product Customers: This view outlines the most important issues as identified by the OWASP Top Ten, providing customers with a way of asking their software developers to follow minimum expectations for secure code, in compliance with PCI-DSS 1.1.
Educators: Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. However, the 2007 version (CWE-629) might be more appropriate.
Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses at varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability, while a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
711 - Weaknesses in OWASP Top Ten (2004)
+ Category: OWASP Top Ten 2004 Category A1 - Unvalidated Input - (722)
Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004.
* Variant: Struts: Duplicate Validation Forms - (102)
The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.
* Variant: Struts: Incomplete validate() Method Definition - (103)
The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().
* Variant: Struts: Form Bean Does Not Extend Validation Class - (104)
If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
* Variant: Struts: Plug-in Framework not in Use - (106)
When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.
* Variant: Struts: Validator Turned Off - (109)
Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
* Base: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Alternate terms: Classic Buffer Overflow; Unbounded Transfer.
* Base: Improper Handling of Missing Special Element - (166)
The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.
* Base: Improper Handling of Additional Special Element - (167)
The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.
* Base: Incorrect Behavior Order: Early Validation - (179)
The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.
* Variant: Incorrect Behavior Order: Validate Before Canonicalize - (180)
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
* Variant: Incorrect Behavior Order: Validate Before Filter - (181)
The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step. Alternate terms: Validate-before-cleanse.
* Base: Collapse of Data into Unsafe Value - (182)
The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
* Base: Permissive List of Allowed Inputs - (183)
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. Alternate terms: Allowlist / Allow List; Safelist / Safe List; Whitelist / White List.
* Class: Improper Input Validation - (20)
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
* Base: Direct Request ('Forced Browsing') - (425)
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Alternate terms: forced browsing.
* Base: External Control of Assumed-Immutable Web Parameter - (472)
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. Alternate terms: Assumed-Immutable Parameter Tampering.
* Base: URL Redirection to Untrusted Site ('Open Redirect') - (601)
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Alternate terms: Open Redirect; Cross-site Redirect; Cross-domain Redirect; Unvalidated Redirect.
* Class: Client-Side Enforcement of Server-Side Security - (602)
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
* Class: Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77)
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Alternate terms: Command injection.
* Base: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Alternate terms: XSS; HTML Injection; CSS.
* Base: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Alternate terms: SQL injection; SQLi.
+ Category: OWASP Top Ten 2004 Category A2 - Broken Access Control - (723)
Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004.
* Base: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Alternate terms: Directory traversal; Path traversal.
* Base: Incorrect Privilege Assignment - (266)
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
* Base: Privilege Chaining - (268)
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.
* Category: Permission Issues - (275)
Weaknesses in this category are related to improper assignment or handling of permissions.
* Base: Unverified Ownership - (283)
The product does not properly verify that a critical resource is owned by the proper entity.
* Pillar: Improper Access Control - (284)
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Alternate terms: Authorization.
* Class: Improper Authorization - (285)
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Alternate terms: AuthZ.
* Class: Use of Insufficiently Random Values - (330)
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
* Base: Improper Resolution of Path Equivalence - (41)
The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.
* Base: Direct Request ('Forced Browsing') - (425)
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Alternate terms: forced browsing.
* Variant: Use of Web Browser Cache Containing Sensitive Information - (525)
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
* Base: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
* Variant: ASP.NET Misconfiguration: Use of Identity Impersonation - (556)
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
* Base: Authorization Bypass Through User-Controlled Key - (639)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Alternate terms: Insecure Direct Object Reference / IDOR; Broken Object Level Authorization / BOLA; Horizontal Authorization.
* Base: Incorrect Ownership Assignment - (708)
The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
* Base: External Control of File Name or Path - (73)
The product allows user input to control or influence paths or file names that are used in filesystem operations.
* Variant: J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
+ Category: OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management - (724)
Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004.
* Category: Credentials Management Errors - (255)
Weaknesses in this category are related to the management of credentials.
* Variant: Use of Hard-coded Password - (259)
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Authentication - (287)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 287 (Improper Authentication)
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Alternate terms: authentification, AuthN, AuthC.
* Base: Improper Following of a Certificate's Chain of Trust - (296)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 296 (Improper Following of a Certificate's Chain of Trust)
The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
* Variant: Improper Validation of Certificate Expiration - (298)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 298 (Improper Validation of Certificate Expiration)
A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
* Base: Authentication Bypass by Assumed-Immutable Data - (302)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 302 (Authentication Bypass by Assumed-Immutable Data)
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
* Base: Missing Critical Step in Authentication - (304)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 304 (Missing Critical Step in Authentication)
The product implements an authentication technique, but it skips a step, which weakens the technique.
* Base: Improper Restriction of Excessive Authentication Attempts - (307)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 307 (Improper Restriction of Excessive Authentication Attempts)
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
* Base: Use of Password System for Primary Authentication - (309)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 309 (Use of Password System for Primary Authentication)
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
* Class: Insufficient Verification of Data Authenticity - (345)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 345 (Insufficient Verification of Data Authenticity)
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
* Composite: Session Fixation - (384)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 384 (Session Fixation)
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
* Base: Weak Password Requirements - (521)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 521 (Weak Password Requirements)
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
* Class: Insufficiently Protected Credentials - (522)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 522 (Insufficiently Protected Credentials)
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
* Variant: Use of Web Browser Cache Containing Sensitive Information - (525)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 525 (Use of Web Browser Cache Containing Sensitive Information)
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
* Base: Insufficient Session Expiration - (613)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 613 (Insufficient Session Expiration)
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
* Base: Unverified Password Change - (620)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 620 (Unverified Password Change)
When setting a new password for a user, the product does not require knowledge of the original password or the use of another form of authentication.
* Base: Weak Password Recovery Mechanism for Forgotten Password - (640)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 640 (Weak Password Recovery Mechanism for Forgotten Password)
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
* Base: Use of Hard-coded Credentials - (798)
711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 798 (Use of Hard-coded Credentials)
The product contains hard-coded credentials, such as a password or cryptographic key.
+ Category: OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws - (725)
711 (Weaknesses in OWASP Top Ten (2004)) > 725 (OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws)
Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004.
* Variant: Improper Neutralization of HTTP Headers for Scripting Syntax - (644)
711 (Weaknesses in OWASP Top Ten (2004)) > 725 (OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws) > 644 (Improper Neutralization of HTTP Headers for Scripting Syntax)
The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
* Base: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
711 (Weaknesses in OWASP Top Ten (2004)) > 725 (OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Alternate terms: XSS, HTML Injection, CSS.
+ Category: OWASP Top Ten 2004 Category A5 - Buffer Overflows - (726)
711 (Weaknesses in OWASP Top Ten (2004)) > 726 (OWASP Top Ten 2004 Category A5 - Buffer Overflows)
Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2004.
* Class: Improper Restriction of Operations within the Bounds of a Memory Buffer - (119)
711 (Weaknesses in OWASP Top Ten (2004)) > 726 (OWASP Top Ten 2004 Category A5 - Buffer Overflows) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Alternate terms: Buffer Overflow, buffer overrun, memory safety.
* Base: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
711 (Weaknesses in OWASP Top Ten (2004)) > 726 (OWASP Top Ten 2004 Category A5 - Buffer Overflows) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Alternate terms: Classic Buffer Overflow, Unbounded Transfer.
* Base: Use of Externally-Controlled Format String - (134)
711 (Weaknesses in OWASP Top Ten (2004)) > 726 (OWASP Top Ten 2004 Category A5 - Buffer Overflows) > 134 (Use of Externally-Controlled Format String)
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
+ Category: OWASP Top Ten 2004 Category A6 - Injection Flaws - (727)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws)
Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004.
* Base: Improper Output Neutralization for Logs - (117)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 117 (Improper Output Neutralization for Logs)
The product does not neutralize or incorrectly neutralizes output that is written to logs.
* Class: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - (74)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
* Class: Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Alternate terms: Command injection.
* Base: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Alternate terms: Shell injection, Shell metacharacters, OS Command Injection.
* Base: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Alternate terms: SQL injection, SQLi.
* Base: XML Injection (aka Blind XPath Injection) - (91)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 91 (XML Injection (aka Blind XPath Injection))
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
* Variant: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'))
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
* Variant: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') - (98)
711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'))
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. Alternate terms: Remote file include, RFI, Local file inclusion.
+ Category: OWASP Top Ten 2004 Category A7 - Improper Error Handling - (728)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling)
Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004.
* Base: Observable Discrepancy - (203)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 203 (Observable Discrepancy)
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Alternate terms: Side Channel Attack.
* Base: Generation of Error Message Containing Sensitive Information - (209)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 209 (Generation of Error Message Containing Sensitive Information)
The product generates an error message that includes sensitive information about its environment, users, or associated data.
* Class: Improper Handling of Syntactically Invalid Structure - (228)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 228 (Improper Handling of Syntactically Invalid Structure)
The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
* Base: Unchecked Return Value - (252)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 252 (Unchecked Return Value)
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
* Category: Error Conditions, Return Values, Status Codes - (389)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 389 (Error Conditions, Return Values, Status Codes)
This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
* Base: Detection of Error Condition Without Action - (390)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 390 (Detection of Error Condition Without Action)
The product detects a specific error, but takes no actions to handle the error.
* Base: Unchecked Error Condition - (391)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 391 (Unchecked Error Condition)
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
* Base: Unexpected Status Code or Return Value - (394)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 394 (Unexpected Status Code or Return Value)
The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
* Class: Not Failing Securely ('Failing Open') - (636)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 636 (Not Failing Securely ('Failing Open'))
When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. Alternate terms: Failing Open.
* Variant: J2EE Misconfiguration: Missing Custom Error Page - (7)
711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 7 (J2EE Misconfiguration: Missing Custom Error Page)
The default error page of a web application should not display sensitive information about the product.
+ Category: OWASP Top Ten 2004 Category A8 - Insecure Storage - (729)
711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage)
Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004.
* Variant: Compiler Removal of Code to Clear Buffers - (14)
711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 14 (Compiler Removal of Code to Clear Buffers)
Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."
* Base: Sensitive Information in Resource Not Removed Before Reuse - (226)
711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 226 (Sensitive Information in Resource Not Removed Before Reuse)
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
* Base - Weak Encoding for Password - (261)
Obscuring a password with a trivial encoding does not protect the password.
* Class - Missing Encryption of Sensitive Data - (311)
The product does not encrypt sensitive or critical information before storage or transmission.
* Variant - Use of Hard-coded Cryptographic Key - (321)
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
* Class - Inadequate Encryption Strength - (326)
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
* Class - Use of a Broken or Risky Cryptographic Algorithm - (327)
The product uses a broken or risky cryptographic algorithm or protocol.
* Variant - Use of Persistent Cookies Containing Sensitive Information - (539)
The web application uses persistent cookies, but the cookies contain sensitive information.
* Variant - Sensitive Data Storage in Improperly Locked Memory - (591)
The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.
* Variant - Use of GET Request Method With Sensitive Query Strings - (598)
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
+ Category - OWASP Top Ten 2004 Category A9 - Denial of Service - (730)
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004.
* Base - Improper Null Termination - (170)
The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
* Base - Uncaught Exception - (248)
An exception is thrown from a function, but it is not caught.
* Base - Divide By Zero - (369)
The product divides a value by zero.
* Variant - J2EE Bad Practices: Use of System.exit() - (382)
A J2EE application uses System.exit(), which also shuts down its container.
* Class - Uncontrolled Resource Consumption - (400)
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Alternate term: Resource Exhaustion.
* Variant - Missing Release of Memory after Effective Lifetime - (401)
The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. Alternate term: Memory Leak.
* Class - Improper Resource Shutdown or Release - (404)
The product does not release or incorrectly releases a resource before it is made available for re-use.
* Class - Asymmetric Resource Consumption (Amplification) - (405)
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
* Base - Insufficient Resource Pool - (410)
The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
* Base - Unrestricted Externally Accessible Lock - (412)
The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.
* Base - NULL Pointer Dereference - (476)
The product dereferences a pointer that it expects to be valid but is NULL. Alternate terms: NPD, null deref, NPE, nil pointer dereference.
* Class - Uncontrolled Recursion - (674)
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Alternate term: Stack Exhaustion.
+ Category - OWASP Top Ten 2004 Category A10 - Insecure Configuration Management - (731)
Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004.
* Base - Generation of Error Message Containing Sensitive Information - (209)
The product generates an error message that includes sensitive information about its environment, users, or associated data.
* Base - Insertion of Sensitive Information Into Debugging Code - (215)
The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
* Variant - Storage of File with Sensitive Data Under Web Root - (219)
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
* Category - Permission Issues - (275)
Weaknesses in this category are related to improper assignment or handling of permissions.
* Base - Improper Certificate Validation - (295)
The product does not validate, or incorrectly validates, a certificate.
* Variant - J2EE Misconfiguration: Data Transmission Without Encryption - (5)
Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
* Variant - J2EE Misconfiguration: Plaintext Password in Configuration File - (555)
The J2EE application stores a plaintext password in a configuration file.
* Variant - J2EE Misconfiguration: Insufficient Session-ID Length - (6)
The J2EE application is configured to use an insufficient session ID length.
* Variant - J2EE Misconfiguration: Missing Custom Error Page - (7)
The default error page of a web application should not display sensitive information about the product.
* Variant - J2EE Misconfiguration: Entity Bean Declared Remote - (8)
When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
* Variant - J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
* Base - Incomplete Cleanup - (459)
The product does not properly "clean up" and remove temporary or supporting resources after they have been used. Alternate term: Insufficient Cleanup.
* Base - Active Debug Code - (489)
The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. Alternate term: Leftover debug code.
* Variant - ASP.NET Misconfiguration: Creating Debug Binary - (11)
Debugging messages help attackers learn about the system and plan a form of attack.
* Variant - ASP.NET Misconfiguration: Missing Custom Error Page - (12)
An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.
* Variant - ASP.NET Misconfiguration: Password in Configuration File - (13)
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource, making them an easy target for attackers.
* Variant - .NET Misconfiguration: Use of Impersonation - (520)
Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.
* Variant - ASP.NET Misconfiguration: Not Using Input Validation Framework - (554)
The ASP.NET application does not use an input validation framework.
* Variant - ASP.NET Misconfiguration: Use of Identity Impersonation - (556)
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
* Variant - Cleartext Storage of Sensitive Information in an Environment Variable - (526)
The product uses an environment variable to store unencrypted sensitive information.
* Variant - Exposure of Version-Control Repository to an Unauthorized Control Sphere - (527)
The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.
* Variant - Exposure of Core Dump File to an Unauthorized Control Sphere - (528)
The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.
* Variant - Exposure of Access Control List Files to an Unauthorized Control Sphere - (529)
The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.
* Variant - Exposure of Backup File to an Unauthorized Control Sphere - (530)
A backup file is stored in a directory or archive that is made accessible to unauthorized actors.
* Variant - Inclusion of Sensitive Information in Test Code - (531)
Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.
* Base - Insertion of Sensitive Information into Log File - (532)
The product writes sensitive information to a log file.
* Base: Inclusion of Sensitive Information in Source Code - (540)
711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 540 (Inclusion of Sensitive Information in Source Code)
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
* Variant: Inclusion of Sensitive Information in an Include File - (541)
711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 541 (Inclusion of Sensitive Information in an Include File)
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
* Variant: Exposure of Information Through Directory Listing - (548)
711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 548 (Exposure of Information Through Directory Listing)
A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
* Base: Files or Directories Accessible to External Parties - (552)
711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 552 (Files or Directories Accessible to External Parties)
The product makes files or directories accessible to unauthorized actors, even though they should not be.
+ Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.
+ Notes

Relationship

CWE relationships for this view were obtained by examining the OWASP document and mapping to any items that were specifically mentioned within the text of a category. As a result, this mapping is not complete with respect to all of CWE. In addition, some concepts were mentioned in multiple Top Ten items, which caused them to be mapped to multiple CWE categories. For example, SQL injection is mentioned in both A1 (CWE-722) and A6 (CWE-727) categories.

Relationship

As of 2008, some parts of CWE were not fully clarified in terms of weaknesses. When these areas were mentioned in the OWASP Top Ten, category entries were mapped, although general mapping practice would usually favor mapping only to weaknesses.
+ References
[REF-570] "Top 10 2004". OWASP. 2004-01-27. <http://www.owasp.org/index.php/Top_10_2004>.
[REF-571] PCI Security Standards Council. "About the PCI Data Security Standard (PCI DSS)". <https://listings.pcisecuritystandards.org/pci_security/>. URL validated: 2023-04-07.
+ View Metrics
Type | CWEs in this view | Total CWEs
Weaknesses | 117 | out of 940
Categories | 13 | out of 374
Views | 0 | out of 51
Total | 130 | out of 1365
+ Content History
+ Submissions
Submission Date | Submitter | Organization
2008-08-15 (CWE 1.0, 2008-09-09) | | Veracode
Suggested creation of view and provided mappings
+ Modifications
Modification Date | Modifier | Organization
2017-11-08 | CWE Content Team | MITRE
updated References
2019-01-03 | CWE Content Team | MITRE
updated Description
2020-02-24 | CWE Content Team | MITRE
updated View_Audience
2021-03-15 | CWE Content Team | MITRE
updated Description, Maintenance_Notes, Relationship_Notes
2023-04-27 | CWE Content Team | MITRE
updated References
2023-06-29 | CWE Content Team | MITRE
updated Mapping_Notes
Page Last Updated: November 19, 2024