CWE - CWE-711: Weaknesses in OWASP Top Ten (2004) (4.18)

Home > CWE List > CWE- Individual Dictionary Definition (4.18)

CWE Glossary Definition

CWE VIEW: Weaknesses in OWASP Top Ten (2004)

View ID: 711

Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
Type: Graph

Downloads: Booklet | CSV | XML

Objective

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available.

Audience

Stakeholder	Description
Software Developers	This view outlines the most important issues as identified by the OWASP Top Ten (2004 version), providing a good starting point for web application developers who want to code more securely, as well as complying with PCI DSS 1.1.
Product Customers	This view outlines the most important issues as identified by the OWASP Top Ten, providing customers with a way of asking their software developers to follow minimum expectations for secure code, in compliance with PCI-DSS 1.1.
Educators	Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students. However, the 2007 version (CWE-629) might be more appropriate.

Relationships

The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.

Show Details:

711 - Weaknesses in OWASP Top Ten (2004)

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A1 - Unvalidated Input - (722)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input)

Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004.

* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Struts: Duplicate Validation Forms - (102)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 102 (Struts: Duplicate Validation Forms)

The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 103 (Struts: Incomplete validate() Method Definition)

The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 104 (Struts: Form Bean Does Not Extend Validation Class)

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 106 (Struts: Plug-in Framework not in Use)

When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 109 (Struts: Validator Turned Off)

Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. Classic Buffer Overflow Unbounded Transfer

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Handling of Missing Special Element - (166)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 166 (Improper Handling of Missing Special Element)

The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Handling of Additional Special Element - (167)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 167 (Improper Handling of Additional Special Element)

The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 179 (Incorrect Behavior Order: Early Validation)

The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 180 (Incorrect Behavior Order: Validate Before Canonicalize)

The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 181 (Incorrect Behavior Order: Validate Before Filter)

The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step. Validate-before-cleanse

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 182 (Collapse of Data into Unsafe Value)

The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 183 (Permissive List of Allowed Inputs)

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. Allowlist / Allow List Safelist / Safe List Whitelist / White List

* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Input Validation - (20)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 20 (Improper Input Validation)

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 425 (Direct Request ('Forced Browsing'))

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. forced browsing

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. External Control of Assumed-Immutable Web Parameter - (472)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 472 (External Control of Assumed-Immutable Web Parameter)

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. Assumed-Immutable Parameter Tampering

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. URL Redirection to Untrusted Site ('Open Redirect') - (601)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 601 (URL Redirection to Untrusted Site ('Open Redirect'))

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Open Redirect Cross-site Redirect Cross-domain Redirect Unvalidated Redirect Drive-by download

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 602 (Client-Side Enforcement of Server-Side Security)

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Command injection

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. XSS HTML Injection Reflected XSS / Non-Persistent XSS / Type 1 XSS Stored XSS / Persistent XSS / Type 2 XSS DOM-Based XSS / Type 0 XSS CSS

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)

711 (Weaknesses in OWASP Top Ten (2004)) > 722 (OWASP Top Ten 2004 Category A1 - Unvalidated Input) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. SQL injection SQLi

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A2 - Broken Access Control - (723)

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control)

Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Directory traversal Path traversal

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 266 (Incorrect Privilege Assignment)

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 268 (Privilege Chaining)

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. Permission Issues - (275)

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 275 (Permission Issues)

Weaknesses in this category are related to improper assignment or handling of permissions.

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 283 (Unverified Ownership)

The product does not properly verify that a critical resource is owned by the proper entity.

* Pillar Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. Improper Access Control - (284)

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 284 (Improper Access Control)

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Authorization

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 285 (Improper Authorization)

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. AuthZ

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 330 (Use of Insufficiently Random Values)

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 41 (Improper Resolution of Path Equivalence)

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 425 (Direct Request ('Forced Browsing'))

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. forced browsing

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 525 (Use of Web Browser Cache Containing Sensitive Information)

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization)

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 556 (ASP.NET Misconfiguration: Use of Identity Impersonation)

Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authorization Bypass Through User-Controlled Key - (639)

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 639 (Authorization Bypass Through User-Controlled Key)

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Insecure Direct Object Reference / IDOR Broken Object Level Authorization / BOLA Horizontal Authorization

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 708 (Incorrect Ownership Assignment)

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 73 (External Control of File Name or Path)

The product allows user input to control or influence paths or file names that are used in filesystem operations.

711 (Weaknesses in OWASP Top Ten (2004)) > 723 (OWASP Top Ten 2004 Category A2 - Broken Access Control) > 9 (J2EE Misconfiguration: Weak Access Permissions for EJB Methods)

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management - (724)

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management)

Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004.

* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. Credentials Management Errors - (255)

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 255 (Credentials Management Errors)

Weaknesses in this category are related to the management of credentials.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 259 (Use of Hard-coded Password)

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 287 (Improper Authentication)

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. authentification AuthN AuthC

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Following of a Certificate's Chain of Trust - (296)

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 296 (Improper Following of a Certificate's Chain of Trust)

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 298 (Improper Validation of Certificate Expiration)

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authentication Bypass by Assumed-Immutable Data - (302)

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 302 (Authentication Bypass by Assumed-Immutable Data)

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 304 (Missing Critical Step in Authentication)

The product implements an authentication technique, but it skips a step that weakens the technique.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Restriction of Excessive Authentication Attempts - (307)

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 307 (Improper Restriction of Excessive Authentication Attempts)

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Password System for Primary Authentication - (309)

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 309 (Use of Password System for Primary Authentication)

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 345 (Insufficient Verification of Data Authenticity)

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

* Composite Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability. Session Fixation - (384)

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 384 (Session Fixation)

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 521 (Weak Password Requirements)

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 522 (Insufficiently Protected Credentials)

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 525 (Use of Web Browser Cache Containing Sensitive Information)

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 613 (Insufficient Session Expiration)

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 620 (Unverified Password Change)

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Weak Password Recovery Mechanism for Forgotten Password - (640)

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 640 (Weak Password Recovery Mechanism for Forgotten Password)

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

711 (Weaknesses in OWASP Top Ten (2004)) > 724 (OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management) > 798 (Use of Hard-coded Credentials)

The product contains hard-coded credentials, such as a password or cryptographic key.

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws - (725)

711 (Weaknesses in OWASP Top Ten (2004)) > 725 (OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws)

Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004.

711 (Weaknesses in OWASP Top Ten (2004)) > 725 (OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws) > 644 (Improper Neutralization of HTTP Headers for Scripting Syntax)

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)

711 (Weaknesses in OWASP Top Ten (2004)) > 725 (OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A5 - Buffer Overflows - (726)

711 (Weaknesses in OWASP Top Ten (2004)) > 726 (OWASP Top Ten 2004 Category A5 - Buffer Overflows)

Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2004.

711 (Weaknesses in OWASP Top Ten (2004)) > 726 (OWASP Top Ten 2004 Category A5 - Buffer Overflows) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Buffer Overflow buffer overrun memory safety

711 (Weaknesses in OWASP Top Ten (2004)) > 726 (OWASP Top Ten 2004 Category A5 - Buffer Overflows) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. Classic Buffer Overflow Unbounded Transfer

711 (Weaknesses in OWASP Top Ten (2004)) > 726 (OWASP Top Ten 2004 Category A5 - Buffer Overflows) > 134 (Use of Externally-Controlled Format String)

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A6 - Injection Flaws - (727)

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws)

Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004.

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 117 (Improper Output Neutralization for Logs)

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. Log forging

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Shell injection Shell metacharacters OS Command Injection

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 91 (XML Injection (aka Blind XPath Injection))

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'))

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

711 (Weaknesses in OWASP Top Ten (2004)) > 727 (OWASP Top Ten 2004 Category A6 - Injection Flaws) > 98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'))

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. Remote file include RFI Local file inclusion

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A7 - Improper Error Handling - (728)

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling)

Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004.

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 203 (Observable Discrepancy)

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Side Channel Attack

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Generation of Error Message Containing Sensitive Information - (209)

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 209 (Generation of Error Message Containing Sensitive Information)

The product generates an error message that includes sensitive information about its environment, users, or associated data.

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 228 (Improper Handling of Syntactically Invalid Structure)

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 252 (Unchecked Return Value)

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. Error Conditions, Return Values, Status Codes - (389)

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 389 (Error Conditions, Return Values, Status Codes)

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Detection of Error Condition Without Action - (390)

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 390 (Detection of Error Condition Without Action)

The product detects a specific error, but takes no actions to handle the error.

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 391 (Unchecked Error Condition)

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 394 (Unexpected Status Code or Return Value)

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 636 (Not Failing Securely ('Failing Open'))

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. Failing Open

711 (Weaknesses in OWASP Top Ten (2004)) > 728 (OWASP Top Ten 2004 Category A7 - Improper Error Handling) > 7 (J2EE Misconfiguration: Missing Custom Error Page)

The default error page of a web application should not display sensitive information about the product.

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A8 - Insecure Storage - (729)

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage)

Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 14 (Compiler Removal of Code to Clear Buffers)

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Sensitive Information in Resource Not Removed Before Reuse - (226)

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 226 (Sensitive Information in Resource Not Removed Before Reuse)

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 261 (Weak Encoding for Password)

Obscuring a password with a trivial encoding does not protect the password.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 311 (Missing Encryption of Sensitive Data)

The product does not encrypt sensitive or critical information before storage or transmission.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 321 (Use of Hard-coded Cryptographic Key)

The product uses a hard-coded, unchangeable cryptographic key.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 326 (Inadequate Encryption Strength)

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 327 (Use of a Broken or Risky Cryptographic Algorithm)

The product uses a broken or risky cryptographic algorithm or protocol.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 539 (Use of Persistent Cookies Containing Sensitive Information)

The web application uses persistent cookies, but the cookies contain sensitive information.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 591 (Sensitive Data Storage in Improperly Locked Memory)

The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.

711 (Weaknesses in OWASP Top Ten (2004)) > 729 (OWASP Top Ten 2004 Category A8 - Insecure Storage) > 598 (Use of GET Request Method With Sensitive Query Strings)

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A9 - Denial of Service - (730)

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service)

Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004.

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 170 (Improper Null Termination)

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 248 (Uncaught Exception)

An exception is thrown from a function, but it is not caught.

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 369 (Divide By Zero)

The product divides a value by zero.

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 382 (J2EE Bad Practices: Use of System.exit())

A J2EE application uses System.exit(), which also shuts down its container.

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 400 (Uncontrolled Resource Consumption)

The product does not properly control the allocation and maintenance of a limited resource. Resource Exhaustion

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 401 (Missing Release of Memory after Effective Lifetime)

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. Memory Leak

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 404 (Improper Resource Shutdown or Release)

The product does not release or incorrectly releases a resource before it is made available for re-use.

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 405 (Asymmetric Resource Consumption (Amplification))

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 410 (Insufficient Resource Pool)

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 412 (Unrestricted Externally Accessible Lock)

The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 476 (NULL Pointer Dereference)

The product dereferences a pointer that it expects to be valid but is NULL. NPD null deref NPE nil pointer dereference

711 (Weaknesses in OWASP Top Ten (2004)) > 730 (OWASP Top Ten 2004 Category A9 - Denial of Service) > 674 (Uncontrolled Recursion)

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Stack Exhaustion

Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2004 Category A10 - Insecure Configuration Management - (731)

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management)

Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Generation of Error Message Containing Sensitive Information - (209)

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 209 (Generation of Error Message Containing Sensitive Information)

The product generates an error message that includes sensitive information about its environment, users, or associated data.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Insertion of Sensitive Information Into Debugging Code - (215)

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 215 (Insertion of Sensitive Information Into Debugging Code)

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 219 (Storage of File with Sensitive Data Under Web Root)

The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. Permission Issues - (275)

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 275 (Permission Issues)

Weaknesses in this category are related to improper assignment or handling of permissions.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 295 (Improper Certificate Validation)

The product does not validate, or incorrectly validates, a certificate.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 5 (J2EE Misconfiguration: Data Transmission Without Encryption)

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 555 (J2EE Misconfiguration: Plaintext Password in Configuration File)

The J2EE application stores a plaintext password in a configuration file.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 6 (J2EE Misconfiguration: Insufficient Session-ID Length)

The J2EE application is configured to use an insufficient session ID length.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 7 (J2EE Misconfiguration: Missing Custom Error Page)

The default error page of a web application should not display sensitive information about the product.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 8 (J2EE Misconfiguration: Entity Bean Declared Remote)

When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 9 (J2EE Misconfiguration: Weak Access Permissions for EJB Methods)

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 459 (Incomplete Cleanup)

The product does not properly "clean up" and remove temporary or supporting resources after they have been used. Insufficient Cleanup

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 489 (Active Debug Code)

The product is released with debugging code still enabled or active. Leftover debug code

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 11 (ASP.NET Misconfiguration: Creating Debug Binary)

Debugging messages help attackers learn about the system and plan a form of attack.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 12 (ASP.NET Misconfiguration: Missing Custom Error Page)

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 13 (ASP.NET Misconfiguration: Password in Configuration File)

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 520 (.NET Misconfiguration: Use of Impersonation)

Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 554 (ASP.NET Misconfiguration: Not Using Input Validation Framework)

The ASP.NET application does not use an input validation framework.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 556 (ASP.NET Misconfiguration: Use of Identity Impersonation)

Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 526 (Cleartext Storage of Sensitive Information in an Environment Variable)

The product uses an environment variable to store unencrypted sensitive information.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 527 (Exposure of Version-Control Repository to an Unauthorized Control Sphere)

The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 528 (Exposure of Core Dump File to an Unauthorized Control Sphere)

The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 529 (Exposure of Access Control List Files to an Unauthorized Control Sphere)

The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 530 (Exposure of Backup File to an Unauthorized Control Sphere)

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 531 (Inclusion of Sensitive Information in Test Code)

Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Insertion of Sensitive Information into Log File - (532)

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 532 (Insertion of Sensitive Information into Log File)

The product writes sensitive information to a log file.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Inclusion of Sensitive Information in Source Code - (540)

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 540 (Inclusion of Sensitive Information in Source Code)

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 541 (Inclusion of Sensitive Information in an Include File)

If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 548 (Exposure of Information Through Directory Listing)

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Files or Directories Accessible to External Parties - (552)

711 (Weaknesses in OWASP Top Ten (2004)) > 731 (OWASP Top Ten 2004 Category A10 - Insecure Configuration Management) > 552 (Files or Directories Accessible to External Parties)

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.

Notes

Relationship

CWE relationships for this view were obtained by examining the OWASP document and mapping to any items that were specifically mentioned within the text of a category. As a result, this mapping is not complete with respect to all of CWE. In addition, some concepts were mentioned in multiple Top Ten items, which caused them to be mapped to multiple CWE categories. For example, SQL injection is mentioned in both A1 (CWE-722) and A6 (CWE-727) categories.

Relationship

As of 2008, some parts of CWE were not fully clarified out in terms of weaknesses. When these areas were mentioned in the OWASP Top Ten, category entries were mapped, although general mapping practice would usually favor mapping only to weaknesses.

References

[REF-570] "Top 10 2004". OWASP. 2004年01月27日. <http://www.owasp.org/index.php/Top_10_2004>.

[REF-571] PCI Security Standards Council. "About the PCI Data Security Standard (PCI DSS)". <https://listings.pcisecuritystandards.org/pci_security/>. URL validated: 2023年04月07日.

View Metrics

CWEs in this view	Total CWEs
Weaknesses	117	out of	944
Categories	13	out of	375
Views	0	out of	52
Total	130	out of	1371

Content History

Submissions
Submission Date	Submitter	Organization
2008年08月15日 (CWE 1.0, 2008年09月09日)	Veracode
2008年08月15日 (CWE 1.0, 2008年09月09日)	Suggested creation of view and provided mappings
Modifications
Modification Date	Modifier	Organization
2017年11月08日	CWE Content Team	MITRE
2017年11月08日	updated References
2019年01月03日	CWE Content Team	MITRE
2019年01月03日	updated Description
2020年02月24日	CWE Content Team	MITRE
2020年02月24日	updated View_Audience
2021年03月15日	CWE Content Team	MITRE
2021年03月15日	updated Description, Maintenance_Notes, Relationship_Notes
2023年04月27日	CWE Content Team	MITRE
2023年04月27日	updated References
2023年06月29日	CWE Content Team	MITRE
2023年06月29日	updated Mapping_Notes

More information is available — Please edit the custom filter or select a different filter.

Page Last Updated: September 09, 2025

MITRE

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

HSSEDI