| Buffer Overflow in an API Call |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-733
|
Compiler Optimization Removal or Modification of Security-critical Code
|
|
| Postfix, Null Terminate, and Backslash |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-158
|
Improper Neutralization of Null Byte or NUL Character
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
| Blind SQL Injection |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-89
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
|
|
CWE-209
|
Generation of Error Message Containing Sensitive Information
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|
| Manipulating Web Input to File System Calls |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
|
CWE-23
|
Relative Path Traversal
|
|
CWE-59
|
Improper Link Resolution Before File Access ('Link Following')
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-77
|
Improper Neutralization of Special Elements used in a Command ('Command Injection')
|
|
CWE-264
|
Permissions, Privileges, and Access Controls
|
|
CWE-272
|
Least Privilege Violation
|
|
CWE-285
|
Improper Authorization
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-348
|
Use of Less Trusted Source
|
|
CWE-715
|
OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
|
|
| Using UTF-8 Encoding to Bypass Validation Logic |
|
CWE-20
|
Improper Input Validation
|
|
CWE-21
|
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-180
|
Incorrect Behavior Order: Validate Before Canonicalize
|
|
CWE-181
|
Incorrect Behavior Order: Validate Before Filter
|
|
CWE-692
|
Incomplete Denylist to Cross-Site Scripting
|
|
CWE-697
|
Incorrect Comparison
|
|
| Buffer Overflow in Local Command-Line Utilities |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-733
|
Compiler Optimization Removal or Modification of Security-critical Code
|
|
| XML Injection |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-91
|
XML Injection (aka Blind XPath Injection)
|
|
CWE-707
|
Improper Neutralization
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|
| Leverage Alternate Encoding |
|
CWE-20
|
Improper Input Validation
|
|
CWE-21
|
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-180
|
Incorrect Behavior Order: Validate Before Canonicalize
|
|
CWE-181
|
Incorrect Behavior Order: Validate Before Filter
|
|
CWE-692
|
Incomplete Denylist to Cross-Site Scripting
|
|
CWE-697
|
Incorrect Comparison
|
|
| Using Leading 'Ghost' Character Sequences to Bypass Input Filters |
|
CWE-20
|
Improper Input Validation
|
|
CWE-41
|
Improper Resolution of Path Equivalence
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-179
|
Incorrect Behavior Order: Early Validation
|
|
CWE-180
|
Incorrect Behavior Order: Validate Before Canonicalize
|
|
CWE-181
|
Incorrect Behavior Order: Validate Before Filter
|
|
CWE-183
|
Permissive List of Allowed Inputs
|
|
CWE-184
|
Incomplete List of Disallowed Inputs
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
| Exploiting Multiple Input Interpretation Layers |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-77
|
Improper Neutralization of Special Elements used in a Command ('Command Injection')
|
|
CWE-78
|
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
|
|
CWE-171
|
|
|
CWE-179
|
Incorrect Behavior Order: Early Validation
|
|
CWE-181
|
Incorrect Behavior Order: Validate Before Filter
|
|
CWE-183
|
Permissive List of Allowed Inputs
|
|
CWE-184
|
Incomplete List of Disallowed Inputs
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
| Overflow Variables and Tags |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-733
|
Compiler Optimization Removal or Modification of Security-critical Code
|
|
| Argument Injection |
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-78
|
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
|
|
CWE-146
|
Improper Neutralization of Expression/Command Delimiters
|
|
CWE-184
|
Incomplete List of Disallowed Inputs
|
|
CWE-185
|
Incorrect Regular Expression
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|
| URL Encoding |
|
CWE-20
|
Improper Input Validation
|
|
CWE-21
|
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-177
|
Improper Handling of URL Encoding (Hex Encoding)
|
|
| XPath Injection |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-91
|
XML Injection (aka Blind XPath Injection)
|
|
CWE-707
|
Improper Neutralization
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|
| Filter Failure through Buffer Overflow |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-733
|
Compiler Optimization Removal or Modification of Security-critical Code
|
|
| Fuzzing |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-388
|
7PK - Errors
|
|
| HTTP Response Splitting |
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-113
|
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|
| MIME Conversion |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
| Buffer Overflow via Parameter Expansion |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-130
|
Improper Handling of Length Parameter Inconsistency
|
|
CWE-131
|
Incorrect Calculation of Buffer Size
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
| Embedding NULL Bytes |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-158
|
Improper Neutralization of Null Byte or NUL Character
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
| String Format Overflow in syslog() |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-134
|
Use of Externally-Controlled Format String
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
| Using Escaped Slashes in Alternate Encoding |
|
CWE-20
|
Improper Input Validation
|
|
CWE-21
|
|
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-180
|
Incorrect Behavior Order: Validate Before Canonicalize
|
|
CWE-181
|
Incorrect Behavior Order: Validate Before Filter
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
| Buffer Overflow via Environment Variables |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-99
|
Improper Control of Resource Identifiers ('Resource Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-733
|
Compiler Optimization Removal or Modification of Security-critical Code
|
|
| Server Side Include (SSI) Injection |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-97
|
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|
| Command Line Execution through SQL Injection |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-78
|
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
|
|
CWE-89
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
|
|
CWE-114
|
Process Control
|
|
| Double Encoding |
|
CWE-20
|
Improper Input Validation
|
|
CWE-21
|
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-177
|
Improper Handling of URL Encoding (Hex Encoding)
|
|
CWE-181
|
Incorrect Behavior Order: Validate Before Filter
|
|
CWE-183
|
Permissive List of Allowed Inputs
|
|
CWE-184
|
Incomplete List of Disallowed Inputs
|
|
CWE-692
|
Incomplete Denylist to Cross-Site Scripting
|
|
CWE-697
|
Incorrect Comparison
|
|
| Subverting Environment Variable Values |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-20
|
Improper Input Validation
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-353
|
Missing Support for Integrity Check
|
|
| Format String Injection |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-133
|
String Errors
|
|
CWE-134
|
Use of Externally-Controlled Format String
|
|
| Client-side Injection-induced Buffer Overflow |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-353
|
Missing Support for Integrity Check
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|
| HTTP Response Smuggling |
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-436
|
Interpretation Conflict
|
|
| Buffer Overflow via Symbolic Links |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
| Poison Web Service Registry |
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-285
|
Improper Authorization
|
|
CWE-693
|
Protection Mechanism Failure
|
|
| Using Slashes and URL Encoding Combined to Bypass Validation Logic |
|
CWE-20
|
Improper Input Validation
|
|
CWE-21
|
|
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-177
|
Improper Handling of URL Encoding (Hex Encoding)
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
| Using Unicode Encoding to Bypass Validation Logic |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-172
|
Encoding Error
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-176
|
Improper Handling of Unicode Encoding
|
|
CWE-179
|
Incorrect Behavior Order: Early Validation
|
|
CWE-180
|
Incorrect Behavior Order: Validate Before Canonicalize
|
|
CWE-183
|
Permissive List of Allowed Inputs
|
|
CWE-184
|
Incomplete List of Disallowed Inputs
|
|
CWE-692
|
Incomplete Denylist to Cross-Site Scripting
|
|
CWE-697
|
Incorrect Comparison
|
|
| Using Slashes in Alternate Encoding |
|
CWE-20
|
Improper Input Validation
|
|
CWE-21
|
|
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-171
|
|
|
CWE-173
|
Improper Handling of Alternate Encoding
|
|
CWE-180
|
Incorrect Behavior Order: Validate Before Canonicalize
|
|
CWE-181
|
Incorrect Behavior Order: Validate Before Filter
|
|
CWE-185
|
Incorrect Regular Expression
|
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-697
|
Incorrect Comparison
|
|
CWE-707
|
Improper Neutralization
|
|
| XQuery Injection |
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-707
|
Improper Neutralization
|
|
CWE-713
|
OWASP Top Ten 2007 Category A2 - Injection Flaws
|
|