CWEs that violate the OWASP 2017 standard
This table lists the CWEs that can cause an application to fail a policy that includes an OWASP 2017 policy rule. The Static support and Dynamic support columns mark which Veracode scan type reports each CWE; the Veracode severity column gives the severity assigned to findings of that CWE. CWEs with no support mark are part of the OWASP 2017 rule but are not reported by either scan type.
CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
---|---|---|---|---|
5 | J2EE Misconfiguration: Data Transmission Without Encryption | | | |
9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | | | |
13 | ASP.NET Misconfiguration: Password in Configuration File | | | |
16 | Configuration | X | | 0 - Informational |
22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
23 | Relative Path Traversal | | | |
24 | Path Traversal: '../filedir' | | | |
25 | Path Traversal: '/../filedir' | | | |
26 | Path Traversal: '/dir/../filename' | | | |
27 | Path Traversal: 'dir/../../filename' | | | |
28 | Path Traversal: '..\filedir' | | | |
29 | Path Traversal: '\..\filename' | | | |
30 | Path Traversal: '\dir\..\filename' | | | |
31 | Path Traversal: 'dir\..\..\filename' | | | |
32 | Path Traversal: '...' (Triple Dot) | | | |
33 | Path Traversal: '....' (Multiple Dot) | | | |
34 | Path Traversal: '....//' | | | |
35 | Path Traversal: '.../...//' | | | |
36 | Absolute Path Traversal | | | |
37 | Path Traversal: '/absolute/pathname/here' | | | |
38 | Path Traversal: '\absolute\pathname\here' | | | |
39 | Path Traversal: 'C:dirname' | | | |
40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | | | |
74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | X | | 4 - High |
75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | | | |
76 | Improper Neutralization of Equivalent Special Elements | | | |
77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | X | | 5 - Very High |
78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
81 | Improper Neutralization of Script in an Error Message Web Page | | | |
82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | | | |
83 | Improper Neutralization of Script in Attributes in a Web Page | X | | 3 - Medium |
84 | Improper Neutralization of Encoded URI Schemes in a Web Page | | | |
85 | Doubled Character XSS Manipulations | | | |
86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | | 3 - Medium |
87 | Improper Neutralization of Alternate XSS Syntax | | | |
88 | Argument Injection or Modification | X | | 3 - Medium |
89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | | 3 - Medium |
91 | XML Injection (aka Blind XPath Injection) | X | | 3 - Medium |
93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | X | | 3 - Medium |
94 | Improper Control of Generation of Code (Code Injection) | X | | 3 - Medium |
95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | | 5 - Very High |
96 | Improper Neutralization of Directives in Statically Saved Code (Static Code Injection) | | | |
97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | | | |
98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
99 | Improper Control of Resource Identifiers (Resource Injection) | X | | 3 - Medium |
102 | Struts: Duplicate Validation Forms | | | |
113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | X | X | 3 - Medium |
117 | Improper Output Neutralization for Logs | X | | 3 - Medium |
202 | Exposure of Sensitive Data Through Data Queries | | | |
209 | Information Exposure Through an Error Message | X | X | 2 - Low |
210 | Information Exposure Through Self-generated Error Message | | | |
211 | Information Exposure Through Externally-Generated Error Message | | | |
219 | Sensitive Data Under Web Root | | | |
220 | Sensitive Data Under FTP Root | | | |
223 | Omission of Security-relevant Information | X | | 2 - Low |
256 | Unprotected Storage of Credentials | X | | 3 - Medium |
257 | Storing Passwords in a Recoverable Format | | | |
258 | Empty Password in Configuration File | | | |
259 | Use of Hard-coded Password | X | X | 3 - Medium |
260 | Password in Configuration File | | | |
261 | Weak Cryptography for Passwords | X | | 3 - Medium |
262 | Not Using Password Aging | | | |
263 | Password Aging with Long Expiration | | | |
266 | Incorrect Privilege Assignment | | | |
267 | Privilege Defined With Unsafe Actions | | | |
268 | Privilege Chaining | | | |
269 | Improper Privilege Management | | | |
270 | Privilege Context Switching Error | | | |
271 | Privilege Dropping / Lowering Errors | | | |
272 | Least Privilege Violation | X | | 3 - Medium |
276 | Incorrect Default Permissions | | | |
277 | Insecure Inherited Permissions | | | |
278 | Insecure Preserved Inherited Permissions | | | |
279 | Incorrect Execution-Assigned Permissions | | | |
281 | Improper Preservation of Permissions | | | |
282 | Improper Ownership Management | X | | 3 - Medium |
283 | Unverified Ownership | | | |
284 | Improper Access Control | X | | 3 - Medium |
285 | Improper Authorization | X | X | 3 - Medium |
286 | Incorrect User Management | | | |
287 | Improper Authentication | X | X | 4 - High |
288 | Authentication Bypass Using an Alternate Path or Channel | | | |
289 | Authentication Bypass by Alternate Name | | | |
290 | Authentication Bypass by Spoofing | | | |
291 | Reliance on IP Address for Authentication | | | |
293 | Using Referer Field for Authentication | | | |
294 | Authentication Bypass by Capture-replay | | | |
295 | Improper Certificate Validation | X | | 3 - Medium |
296 | Improper Following of a Certificate's Chain of Trust | X | | 3 - Medium |
297 | Improper Validation of Certificate with Host Mismatch | X | X | 3 - Medium |
298 | Improper Validation of Certificate Expiration | X | | 3 - Medium |
299 | Improper Check for Certificate Revocation | X | | 3 - Medium |
300 | Channel Accessible by Non-Endpoint (Man-in-the-Middle) | | | |
301 | Reflection Attack in an Authentication Protocol | | | |
302 | Authentication Bypass by Assumed-Immutable Data | | | |
303 | Incorrect Implementation of Authentication Algorithm | | | |
305 | Authentication Bypass by Primary Weakness | | | |
306 | Missing Authentication for Critical Function | | | |
307 | Improper Restriction of Excessive Authentication Attempts | | | |
308 | Use of Single-factor Authentication | | | |
309 | Use of Password System for Primary Authentication | | | |
311 | Missing Encryption of Sensitive Data | X | | 3 - Medium |
312 | Cleartext Storage of Sensitive Information | X | | 3 - Medium |
313 | Cleartext Storage in a File or on Disk | X | | 3 - Medium |
314 | Cleartext Storage in the Registry | | | |
315 | Cleartext Storage of Sensitive Information in a Cookie | | | |
316 | Cleartext Storage of Sensitive Information in Memory | X | | 3 - Medium |
317 | Cleartext Storage of Sensitive Information in GUI | | | |
318 | Cleartext Storage of Sensitive Information in Executable | | | |
319 | Cleartext Transmission of Sensitive Information | X | | 3 - Medium |
320 | Key Management Errors | | | |
321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
322 | Key Exchange without Entity Authentication | | | |
325 | Missing Required Cryptographic Step | | | |
326 | Inadequate Encryption Strength | X | X | 3 - Medium |
327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium |
328 | Reversible One-Way Hash | X | | 3 - Medium |
350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | | 3 - Medium |
359 | Exposure of Private Information (Privacy Violation) | X | | 2 - Low |
370 | Missing Check for Certificate Revocation after Initial Check | | | |
384 | Session Fixation | X | X | 3 - Medium |
419 | Unprotected Primary Channel | | | |
420 | Unprotected Alternate Channel | | | |
421 | Race Condition During Access to Alternate Channel | X | | 3 - Medium |
422 | Unprotected Windows Messaging Channel (Shatter) | | | |
425 | Direct Request (Forced Browsing) | | | |
433 | Unparsed Raw Web Content Delivery | | | |
462 | Duplicate Key in Associative List (Alist) | | | |
477 | Use of Obsolete Functions | X | X | 0 - Informational |
502 | Deserialization of Untrusted Data | X | | 3 - Medium |
520 | .NET Misconfiguration: Use of Impersonation | | | |
521 | Weak Password Requirements | | | |
522 | Insufficiently Protected Credentials | X | X | 3 - Medium |
523 | Unprotected Transport of Credentials | | | |
535 | Information Exposure Through Shell Error Message | | | |
536 | Information Exposure Through Servlet Runtime Error Message | | | |
537 | Information Exposure Through Java Runtime Error Message | | | |
548 | Information Exposure Through Directory Listing | X | | 2 - Low |
549 | Missing Password Field Masking | | | |
550 | Information Exposure Through Server Error Message | | | |
551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | | | |
555 | J2EE Misconfiguration: Plaintext Password in Configuration File | | | |
556 | ASP.NET Misconfiguration: Use of Identity Impersonation | | | |
564 | SQL Injection: Hibernate | X | | 4 - High |
566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | | 3 - Medium |
599 | Missing Validation of OpenSSL Certificate | | | |
611 | Improper Restriction of XML External Entity Reference (XXE) | X | X | 3 - Medium |
613 | Insufficient Session Expiration | | | |
614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X | 2 - Low |
620 | Unverified Password Change | | | |
621 | Variable Extraction Error | | | |
623 | Unsafe ActiveX Control Marked Safe For Scripting | | | |
624 | Executable Regular Expression Error | | | |
627 | Dynamic Variable Evaluation | | | |
639 | Authorization Bypass Through User-Controlled Key | X | | 4 - High |
640 | Weak Password Recovery Mechanism for Forgotten Password | | | |
641 | Improper Restriction of Names for Files and Other Resources | | | |
643 | Improper Neutralization of Data within XPath Expressions (XPath Injection) | | | |
645 | Overly Restrictive Account Lockout Mechanism | | | |
647 | Use of Non-Canonical URL Paths for Authorization Decisions | | | |
648 | Incorrect Use of Privileged APIs | | | |
652 | Improper Neutralization of Data within XQuery Expressions (XQuery Injection) | | | |
689 | Permission Race Condition During Resource Copy | | | |
692 | Incomplete Denylist to Cross-Site Scripting | | | |
694 | Use of Multiple Resources with Duplicate Identifier | | | |
708 | Incorrect Ownership Assignment | X | | 4 - High |
732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
759 | Use of a One-Way Hash without a Salt | | | |
760 | Use of a One-Way Hash with a Predictable Salt | X | | 3 - Medium |
776 | Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) | | | |
778 | Insufficient Logging | | | |
780 | Use of RSA Algorithm without OAEP | X | | 3 - Medium |
798 | Use of Hard-coded Credentials | X | | 3 - Medium |
804 | Guessable CAPTCHA | | | |
836 | Use of Password Hash Instead of Password for Authentication | | | |
842 | Placement of User into Incorrect Group | | | |
862 | Missing Authorization | | | |
863 | Incorrect Authorization | | | |
914 | Improper Control of Dynamically-Identified Variables | | | |
916 | Use of Password Hash With Insufficient Computational Effort | X | | 3 - Medium |
917 | Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection) | | | |
923 | Improper Restriction of Communication Channel to Intended Endpoints | | | |
925 | Improper Verification of Intent by Broadcast Receiver | | | |
926 | Improper Export of Android Application Components | | | |
927 | Use of Implicit Intent for Sensitive Communication | | | |
939 | Improper Authorization in Handler for Custom URL Scheme | | | |
940 | Improper Verification of Source of a Communication Channel | | | |
941 | Incorrectly Specified Destination in a Communication Channel | | | |
942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
943 | Improper Neutralization of Special Elements in Data Query Logic | X | | 4 - High |
1004 | Sensitive Cookie Without HttpOnly Flag | | | |
1022 | Use of Web Link to Untrusted Target with window.opener Access | | | |