CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.18)
ID
CWE Glossary Definition

CWE VIEW: Weaknesses in OWASP Top Ten (2013)

View ID: 928
Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
Type: Graph
Downloads: Booklet | CSV | XML
Objective
CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top Ten is available.
Audience
Stakeholder Description
Software Developers This view outlines the most important issues as identified by the OWASP Top Ten (2013 version), providing a good starting point for web application developers who want to code more securely.
Product Customers This view outlines the most important issues as identified by the OWASP Top Ten (2013 version), providing customers with a way of asking their software developers to follow minimum expectations for secure code.
Educators Since the OWASP Top Ten covers the most frequently encountered issues, this view can be used by educators as training material for students.
Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
Show Details:
|
928 - Weaknesses in OWASP Top Ten (2013)
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A1 - Injection - (929)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection)
Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2013.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - (74)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Command injection
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Shell injection Shell metacharacters OS Command Injection
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') - (88)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 88 (Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'))
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. SQL injection SQLi
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. SQL Injection: Hibernate - (564)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')) > 564 (SQL Injection: Hibernate)
Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - (90)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'))
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. XML Injection (aka Blind XPath Injection) - (91)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 91 (XML Injection (aka Blind XPath Injection))
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Data within XPath Expressions ('XPath Injection') - (643)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 643 (Improper Neutralization of Data within XPath Expressions ('XPath Injection'))
The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') - (652)
928 (Weaknesses in OWASP Top Ten (2013)) > 929 (OWASP Top Ten 2013 Category A1 - Injection) > 652 (Improper Neutralization of Data within XQuery Expressions ('XQuery Injection'))
The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management - (930)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management)
Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2013.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Plaintext Storage of a Password - (256)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 256 (Plaintext Storage of a Password)
The product stores a password in plaintext within resources such as memory or files.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Authentication - (287)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 287 (Improper Authentication)
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. authentification AuthN AuthC
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Missing Encryption of Sensitive Data - (311)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 311 (Missing Encryption of Sensitive Data)
The product does not encrypt sensitive or critical information before storage or transmission.
* Composite Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability. Session Fixation - (384)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 384 (Session Fixation)
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Insufficiently Protected Credentials - (522)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 522 (Insufficiently Protected Credentials)
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unprotected Transport of Credentials - (523)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 523 (Unprotected Transport of Credentials)
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Insufficient Session Expiration - (613)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 613 (Insufficient Session Expiration)
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unverified Password Change - (620)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 620 (Unverified Password Change)
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Weak Password Recovery Mechanism for Forgotten Password - (640)
928 (Weaknesses in OWASP Top Ten (2013)) > 930 (OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management) > 640 (Weak Password Recovery Mechanism for Forgotten Password)
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS) - (931)
928 (Weaknesses in OWASP Top Ten (2013)) > 931 (OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS))
Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2013.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
928 (Weaknesses in OWASP Top Ten (2013)) > 931 (OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. XSS HTML Injection Reflected XSS / Non-Persistent XSS / Type 1 XSS Stored XSS / Persistent XSS / Type 2 XSS DOM-Based XSS / Type 0 XSS CSS
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A4 - Insecure Direct Object References - (932)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References)
Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2013.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Directory traversal Path traversal
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Control of Resource Identifiers ('Resource Injection') - (99)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References) > 99 (Improper Control of Resource Identifiers ('Resource Injection'))
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. Insecure Direct Object Reference
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authorization Bypass Through User-Controlled Key - (639)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References) > 639 (Authorization Bypass Through User-Controlled Key)
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Insecure Direct Object Reference / IDOR Broken Object Level Authorization / BOLA Horizontal Authorization
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Use of Incorrectly-Resolved Name or Reference - (706)
928 (Weaknesses in OWASP Top Ten (2013)) > 932 (OWASP Top Ten 2013 Category A4 - Insecure Direct Object References) > 706 (Use of Incorrectly-Resolved Name or Reference)
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A5 - Security Misconfiguration - (933)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration)
Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2013.
* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. 7PK - Environment - (2)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 2 (7PK - Environment)
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. Configuration - (16)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 16 (Configuration)
Weaknesses in this category are typically introduced during the configuration of the software.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Generation of Error Message Containing Sensitive Information - (209)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 209 (Generation of Error Message Containing Sensitive Information)
The product generates an error message that includes sensitive information about its environment, users, or associated data.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Insertion of Sensitive Information Into Debugging Code - (215)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 215 (Insertion of Sensitive Information Into Debugging Code)
The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Exposure of Information Through Directory Listing - (548)
928 (Weaknesses in OWASP Top Ten (2013)) > 933 (OWASP Top Ten 2013 Category A5 - Security Misconfiguration) > 548 (Exposure of Information Through Directory Listing)
The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure - (934)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure)
Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2013.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Missing Encryption of Sensitive Data - (311)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 311 (Missing Encryption of Sensitive Data)
The product does not encrypt sensitive or critical information before storage or transmission.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Cleartext Storage of Sensitive Information - (312)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 312 (Cleartext Storage of Sensitive Information)
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Cleartext Transmission of Sensitive Information - (319)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 319 (Cleartext Transmission of Sensitive Information)
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. Key Management Errors - (320)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 320 (Key Management Errors)
Weaknesses in this category are related to errors in the management of cryptographic keys.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Cryptographic Step - (325)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 325 (Missing Cryptographic Step)
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Inadequate Encryption Strength - (326)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 326 (Inadequate Encryption Strength)
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Use of a Broken or Risky Cryptographic Algorithm - (327)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 327 (Use of a Broken or Risky Cryptographic Algorithm)
The product uses a broken or risky cryptographic algorithm or protocol.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Weak Hash - (328)
928 (Weaknesses in OWASP Top Ten (2013)) > 934 (OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure) > 328 (Use of Weak Hash)
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control - (935)
928 (Weaknesses in OWASP Top Ten (2013)) > 935 (OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control)
Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2013.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Authorization - (285)
928 (Weaknesses in OWASP Top Ten (2013)) > 935 (OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control) > 285 (Improper Authorization)
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. AuthZ
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF) - (936)
928 (Weaknesses in OWASP Top Ten (2013)) > 936 (OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF))
Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2013.
* Composite Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability. Cross-Site Request Forgery (CSRF) - (352)
928 (Weaknesses in OWASP Top Ten (2013)) > 936 (OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF)) > 352 (Cross-Site Request Forgery (CSRF))
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. Session Riding Cross Site Reference Forgery XSRF CSRF
* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities - (937)
928 (Weaknesses in OWASP Top Ten (2013)) > 937 (OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities)
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards - (938)
928 (Weaknesses in OWASP Top Ten (2013)) > 938 (OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards)
Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2013.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. URL Redirection to Untrusted Site ('Open Redirect') - (601)
928 (Weaknesses in OWASP Top Ten (2013)) > 938 (OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards) > 601 (URL Redirection to Untrusted Site ('Open Redirect'))
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Open Redirect Cross-site Redirect Cross-domain Redirect Unvalidated Redirect Drive-by download
Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.
Notes

Relationship

The relationships in this view have been pulled directly from the 2013 OWASP Top 10 document, either from the explicit mapping section, or from weakness types alluded to in the written sections.
References
[REF-926] "Top 10 2013". OWASP. 2013年06月12日. <https://github.com/OWASP/Top10/blob/master/2013/OWASP%20Top%2010%20-%202013.pdf>. URL validated: 2025年08月04日.
View Metrics
CWEs in this view Total CWEs
Weaknesses 36 out of 944
Categories 13 out of 375
Views 0 out of 52
Total 49 out of 1371
Content History
Submissions
Submission Date Submitter Organization
2013年07月16日
(CWE 2.5, 2013年07月17日) 		CWE Content Team MITRE
Modifications
Modification Date Modifier Organization
2017年11月08日 CWE Content Team MITRE
updated References
2018年03月27日 CWE Content Team MITRE
updated Relationship_Notes
2019年01月03日 CWE Content Team MITRE
updated Description
2020年02月24日 CWE Content Team MITRE
updated View_Audience
2023年06月29日 CWE Content Team MITRE
updated Mapping_Notes
2025年09月09日
(CWE 4.18, 2025年09月09日) 		CWE Content Team MITRE
updated References
More information is available — Please edit the custom filter or select a different filter.
Page Last Updated: September 09, 2025

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

AltStyle によって変換されたページ (->オリジナル) /