| Manipulating Web Input to File System Calls |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
|
CWE-23
|
Relative Path Traversal
|
|
CWE-59
|
Improper Link Resolution Before File Access ('Link Following')
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-77
|
Improper Neutralization of Special Elements used in a Command ('Command Injection')
|
|
CWE-264
|
Permissions, Privileges, and Access Controls
|
|
CWE-272
|
Least Privilege Violation
|
|
CWE-285
|
Improper Authorization
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-348
|
Use of Less Trusted Source
|
|
CWE-715
|
OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
|
|
| Exploitation of Trusted Identifiers |
|
CWE-6
|
J2EE Misconfiguration: Insufficient Session-ID Length
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-384
|
Session Fixation
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
CWE-642
|
External Control of Critical State Data
|
|
CWE-664
|
Improper Control of a Resource Through its Lifetime
|
|
| Application API Navigation Remapping |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| SaaS User Request Forgery |
|
| Session Credential Falsification through Prediction |
|
CWE-6
|
J2EE Misconfiguration: Insufficient Session-ID Length
|
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
|
CWE-330
|
Use of Insufficiently Random Values
|
|
CWE-331
|
Insufficient Entropy
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-384
|
Session Fixation
|
|
CWE-488
|
Exposure of Data Element to Wrong Session
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-693
|
Protection Mechanism Failure
|
|
CWE-719
|
OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
|
|
| Cache Poisoning |
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-348
|
Use of Less Trusted Source
|
|
CWE-349
|
Acceptance of Extraneous Untrusted Data With Trusted Data
|
|
CWE-441
|
Unintended Proxy or Intermediary ('Confused Deputy')
|
|
| Transaction or Event Tampering via Application API Manipulation |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Application API Button Hijacking |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Reusing Session IDs (aka Session Replay) |
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
|
CWE-294
|
Authentication Bypass by Capture-replay
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-384
|
Session Fixation
|
|
CWE-488
|
Exposure of Data Element to Wrong Session
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-664
|
Improper Control of a Resource Through its Lifetime
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
| JSON Hijacking (aka JavaScript Hijacking) |
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-352
|
Cross-Site Request Forgery (CSRF)
|
|
| DNS Cache Poisoning |
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-348
|
Use of Less Trusted Source
|
|
CWE-349
|
Acceptance of Extraneous Untrusted Data With Trusted Data
|
|
CWE-350
|
Reliance on Reverse DNS Resolution for a Security-Critical Action
|
|
CWE-441
|
Unintended Proxy or Intermediary ('Confused Deputy')
|
|
| Exploit Script-Based APIs |
|
| Application API Message Manipulation via Man-in-the-Middle |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Navigation Remapping To Propagate Malicious Content |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Manipulating Writeable Configuration Files |
|
CWE-77
|
Improper Neutralization of Special Elements used in a Command ('Command Injection')
|
|
CWE-99
|
Improper Control of Resource Identifiers ('Resource Injection')
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-349
|
Acceptance of Extraneous Untrusted Data With Trusted Data
|
|
CWE-353
|
Missing Support for Integrity Check
|
|
CWE-354
|
Improper Validation of Integrity Check Value
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|
| Pharming |
|
CWE-346
|
Origin Validation Error
|
|
CWE-350
|
Reliance on Reverse DNS Resolution for a Security-Critical Action
|
|