| Manipulating Web Input to File System Calls |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
|
CWE-23
|
Relative Path Traversal
|
|
CWE-59
|
Improper Link Resolution Before File Access ('Link Following')
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-77
|
Improper Neutralization of Special Elements used in a Command ('Command Injection')
|
|
CWE-264
|
Permissions, Privileges, and Access Controls
|
|
CWE-272
|
Least Privilege Violation
|
|
CWE-285
|
Improper Authorization
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-348
|
Use of Less Trusted Source
|
|
CWE-715
|
OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
|
|
| Bypassing ATA Password Security |
|
| Blue Boxing |
|
| Session Credential Falsification through Prediction |
|
CWE-6
|
J2EE Misconfiguration: Insufficient Session-ID Length
|
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
|
CWE-330
|
Use of Insufficiently Random Values
|
|
CWE-331
|
Insufficient Entropy
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-384
|
Session Fixation
|
|
CWE-488
|
Exposure of Data Element to Wrong Session
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-693
|
Protection Mechanism Failure
|
|
CWE-719
|
OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
|
|
| Manipulating User-Controlled Variables |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-94
|
Improper Control of Generation of Code ('Code Injection')
|
|
CWE-96
|
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-473
|
PHP External Variable Modification
|
|
CWE-1321
|
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
|
| Using Malicious Files |
|
CWE-59
|
Improper Link Resolution Before File Access ('Link Following')
|
|
CWE-264
|
Permissions, Privileges, and Access Controls
|
|
CWE-270
|
Privilege Context Switching Error
|
|
CWE-272
|
Least Privilege Violation
|
|
CWE-275
|
Permission Issues
|
|
CWE-282
|
Improper Ownership Management
|
|
CWE-285
|
Improper Authorization
|
|
CWE-693
|
Protection Mechanism Failure
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
| Reusing Session IDs (aka Session Replay) |
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
|
CWE-294
|
Authentication Bypass by Capture-replay
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-384
|
Session Fixation
|
|
CWE-488
|
Exposure of Data Element to Wrong Session
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-664
|
Improper Control of a Resource Through its Lifetime
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
| Collect Data from Registries |
|
| Forceful Browsing |
|
CWE-285
|
Improper Authorization
|
|
CWE-425
|
Direct Request ('Forced Browsing')
|
|
CWE-693
|
Protection Mechanism Failure
|
|
| Accessing Functionality Not Properly Constrained by ACLs |
|
CWE-276
|
Incorrect Default Permissions
|
|
CWE-285
|
Improper Authorization
|
|
CWE-434
|
Unrestricted Upload of File with Dangerous Type
|
|
CWE-693
|
Protection Mechanism Failure
|
|
CWE-721
|
OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
CWE-1191
|
Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization
|
|
CWE-1193
|
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
|
|
CWE-1220
|
Insufficient Granularity of Access Control
|
|
CWE-1224
|
Improper Restriction of Write-Once Bit Fields
|
|
CWE-1244
|
Improper Access to Sensitive Information Using Debug and Test Interfaces
|
|
CWE-1252
|
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
|
|
CWE-1257
|
Improper Access Control Applied to Mirrored or Aliased Memory Regions
|
|
CWE-1262
|
Register Interface Allows Software Access to Sensitive Data or Security Settings
|
|
CWE-1268
|
Policy Privileges are not Assigned Consistently Between Control and Data Agents
|
|
CWE-1283
|
Mutable Attestation or Measurement Reporting Data
|
|
CWE-1311
|
Improper Translation of Security Attributes by Fabric Bridge
|
|
CWE-1312
|
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
|
|
CWE-1313
|
Hardware Allows Activation of Test or Debug Logic at Runtime
|
|
CWE-1314
|
Missing Write Protection for Parametric Data Values
|
|
CWE-1315
|
Improper Setting of Bus Controlling Capability in Fabric End-point
|
|
CWE-1318
|
Missing Support for Security Features in On-chip Fabrics or Buses
|
|
CWE-1320
|
Improper Protection for Out of Bounds Signal Level Alerts
|
|
CWE-1321
|
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
|
CWE-1326
|
Missing Immutable Root of Trust in Hardware
|
|
CWE-1327
|
Binding to an Unrestricted IP Address
|
|
| Cross Zone Scripting |
|
CWE-20
|
Improper Input Validation
|
|
CWE-116
|
Improper Encoding or Escaping of Output
|
|
CWE-250
|
Execution with Unnecessary Privileges
|
|
CWE-285
|
Improper Authorization
|
|
CWE-638
|
Not Using Complete Mediation
|
|
| Directory Indexing |
|
CWE-276
|
Incorrect Default Permissions
|
|
CWE-285
|
Improper Authorization
|
|
CWE-288
|
Authentication Bypass Using an Alternate Path or Channel
|
|
CWE-424
|
Improper Protection of Alternate Path
|
|
CWE-425
|
Direct Request ('Forced Browsing')
|
|
CWE-693
|
Protection Mechanism Failure
|
|
CWE-721
|
OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
| Subverting Environment Variable Values |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-20
|
Improper Input Validation
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-353
|
Missing Support for Integrity Check
|
|
| Manipulating Opaque Client-based Data Tokens |
|
CWE-233
|
Improper Handling of Parameters
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-315
|
Cleartext Storage of Sensitive Information in a Cookie
|
|
CWE-353
|
Missing Support for Integrity Check
|
|
CWE-384
|
Session Fixation
|
|
CWE-472
|
External Control of Assumed-Immutable Web Parameter
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-565
|
Reliance on Cookies without Validation and Integrity Checking
|
|
| Buffer Overflow via Symbolic Links |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
| Poison Web Service Registry |
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-285
|
Improper Authorization
|
|
CWE-693
|
Protection Mechanism Failure
|
|