Difference between revisions of "ASDR TOC Vulnerabilities"

From OWASP
m (Added vulnerability - HPP)
(48 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Back to [[ASDR_Table_of_Contents|TOC]]
+
# [[Access control enforced by presentation layer]]
 
+
# [[Addition of data-structure sentinel]]
*# [[Access control enforced by presentation layer]]
+
# [[Allowing password aging]]
*# [[Accidental leaking of sensitive information through data queries]]
+
# [[ASP.NET Misconfigurations]]
*# [[Accidental leaking of sensitive information through error messages]]
+
# [[Assigning instead of comparing]]
* 4 [[Accidental leaking of sensitive information through sent data]]
+
# [[Authentication Bypass via Assumed-Immutable Data]]
* 5 [[Addition of data-structure sentinel]]
+
# [[Buffer Overflow]]
* 6 [[Algorithmic Complexity]]
+
# [[Buffer underwrite]]
* 7 [[Allowing External Setting Manipulation]]
+
# [[Business logic vulnerability]]
* 8 [[Allowing password aging]]
+
# [[Capture-replay]]
* 9 [[Alternate Channel Race Condition]]
+
# [[Catch NullPointerException]]
* 10 [[Alternate Encoding]]
+
# [[Comparing classes by name]]
* 11 [[ASP.NET Misconfiguration: Creating Debug Binary]]
+
# [[Comparing instead of assigning]]
* 12 [[ASP.NET Misconfiguration: Missing Custom Error Handling]]
+
# [[Comprehensive list of Threats to Authentication Procedures and Data]]
* 13 [[ASP.NET Misconfiguration: Password in Configuration File]]
+
# [[Covert timing channel]]
* 14 [[Assigning instead of comparing]]
+
# [[CRLF Injection]]
* 15 [[Authentication bypass by alternate name]]
+
# [[Cross Site Scripting Flaw]]
* 16 [[Authentication Bypass by Alternate Path/Channel]]
+
# [[Dangerous Function]]
* 17 [[Authentication Bypass by Primary Weakness]]
+
# [[Deletion of data-structure sentinel]]
* 18 [[Authentication bypass by spoofing]]
+
# [[Deserialization of untrusted data]]
* 19 [[Authentication Bypass via Assumed-Immutable Data]]
+
# [[Directory Restriction Error]]
* 20 [[Authentication Error]]
+
# [[Double Free]]
* 21 [[Authentication Logic Error]]
+
# [[Doubly freeing memory]]
* 22 [[Behavioral Change]]
+
# [[Duplicate key in associative list (alist)]]
* 23 [[Behavioral Discrepancy Infoleak]]
+
# [[Empty Catch Block]]
* 24 [[Behavioral problems]]
+
# [[Empty String Password]]
* 25 [[Buffer overflow]]
+
# [[Failure of true random number generator]]
* 26 [[Buffer Overflow]]
+
# [[Failure to account for default case in switch]]
* 27 [[Buffer over-read]]
+
# [[Failure to add integrity check value]]
* 28 [[Buffer under-read]]
+
# [[Failure to check for certificate revocation]]
* 29 [[Buffer underwrite]]
+
# [[Failure to check integrity check value]]
* 30 [[Bundling Issues]]
+
# [[Failure to check whether privileges were dropped successfully]]
* 31 [[Byte/Object Code]]
+
# [[Failure to deallocate data]]
* 32 [[Capture-replay]]
+
# [[Failure to drop privileges when reasonable]]
* 33 [[Case Sensitivity (lowercase, uppercase, mixed case)]]
+
# [[Failure to encrypt data]]
* 34 [[Catch NullPointerException]]
+
# [[Failure to follow chain of trust in certificate validation]]
* 35 [[Channel and Path Errors]]
+
# [[Failure to follow guideline/specification]]
* 36 [[Cleansing, Canonicalization, and Comparison Errors]]
+
# [[Failure to protect stored data from modification]]
* 37 [[Code Correctness: Call to System.gc()]]
+
# [[Failure to provide confidentiality for stored data]]
* 38 [[Code Correctness: Call to Thread.run()]]
+
# [[Failure to validate certificate expiration]]
* 39 [[Code Correctness: Class Does Not Implement Cloneable]]
+
# [[Failure to validate host-specific certificate data]]
* 40 [[Code Correctness: Double-Checked Locking]]
+
# [[File Access Race Condition: TOCTOU]]
* 41 [[Code Correctness: Erroneous finalize() Method]]
+
# [[Format String]]
* 42 [[Code Correctness: Erroneous String Compare]]
+
# [[Guessed or visible temporary file]]
* 43 [[Code Correctness: Misspelled Method Name]]
+
# [[Hard-Coded Password]]
* 44 [[Code Correctness: null Argument to equals()]]
+
# [[Heap Inspection]]
* 45 [[Collapse of Data into Unsafe Value]]
+
# [[Heap overflow]]
* 46 [[Common Special Element Manipulations]]
+
# [[HTTP Parameter Pollution]]
* 47 [[Comparing classes by name]]
+
# [[Ignored function return value]]
* 48 [[Comparing instead of assigning]]
+
# [[Illegal Pointer Value]]
* 49 [[Comprehensive list of Threats to Authentication Procedures and Data]]
+
# [[Improper cleanup on thrown exception]]
* 50 [[Context Switching Race Condition]]
+
# [[Improper Data Validation]]
* 51 [[Covert timing channel]]
+
# [[Improper error handling]]
* 52 [[CRLF Injection]]
+
# [[Improper string length checking]]
* 53 [[Cross Site Scripting]]
+
# [[Improper temp file opening]]
* 54 [[Cross-Boundary Cleansing Infoleak]]
+
# [[Incorrect block delimitation]]
* 55 [[Dangerous Function]]
+
# [[Information Leakage]]
* 56 [[Dangerous handler not cleared/disabled during sensitive operations]]
+
# [[Information leak through class cloning]]
* 57 [[Data Amplification]]
+
# [[Information leak through serialization]]
* 58 [[Data Leaking Between Users]]
+
# [[Injection problem]]
* 59 [[Data Structure Issues]]
+
# [[Insecure Compiler Optimization]]
* 60 [[Dead Code: Broken Override]]
+
# [[Insecure Randomness]]
* 61 [[Dead Code: Expression is Always False]]
+
# [[Insecure Temporary File]]
* 62 [[Dead Code: Expression is Always True]]
+
# [[Insecure Third Party Domain Access]]
* 63 [[Dead Code: Unused Field]]
+
# [[Insecure Transport]]
* 64 [[Dead Code: Unused Method]]
+
# [[Insufficient Entropy]]
* 65 [[Deletion of data-structure sentinel]]
+
# [[Insufficient entropy in pseudo-random number generator]]
* 66 [[Delimiter between Expressions or Commands]]
+
# [[Insufficient Session-ID Length]]
* 67 [[Delimiter Problems]]
+
# [[Integer coercion error]]
* 68 [[Deserialization of untrusted data]]
+
# [[Integer overflow]]
* 69 [[Directory Restriction Error]]
+
# [[Invoking untrusted mobile code]]
* 70 [[Discrepancy Information Leaks]]
+
# [[J2EE Misconfiguration: Unsafe Bean Declaration]]
* 71 [[Double Free]]
+
# [[Key exchange without entity authentication]]
* 72 [[Doubled character XSS manipulations]]
+
# [[Least Privilege Violation]]
* 73 [[Doubly freeing memory]]
+
# [[Leftover Debug Code]]
* 74 [[Duplicate key in associative list (alist)]]
+
# [[Log Forging]]
* 75 [[Early Amplification]]
+
# [[Log injection]]
* 76 [[EJB Bad Practices: Use of AWT/Swing]]
+
# [[Member Field Race Condition]]
* 77 [[EJB Bad Practices: Use of Class Loader]]
+
# [[Memory leak]]
* 78 [[EJB Bad Practices: Use of java.io]]
+
# [[Miscalculated null termination]]
* 79 [[EJB Bad Practices: Use of Sockets]]
+
# [[Misinterpreted function return value]]
* 80 [[EJB Bad Practices: Use of Synchronization Primitives]]
+
# [[Missing Error Handling]]
* 81 [[Empty Catch Block]]
+
# [[Missing parameter]]
* 82 [[Empty String Password]]
+
# [[Missing XML Validation]]
* 83 [[Error Conditions, Return Values, Status Codes]]
+
# [[Mutable object returned]]
* 84 [[Error Message Infoleaks]]
+
# [[Non-cryptographic pseudo-random number generator]]
* 85 [[Escape, Meta, or Control Character / Sequence]]
+
# [[Not allowing password aging]]
* 86 [[Expected behavior violation]]
+
# [[Not using a random initialization vector with cipher block chaining mode]]
* 87 [[External behavioral inconsistency infoleak]]
+
# [[Null Dereference]]
* 88 [[External initialization of trusted variables or values]]
+
# [[Object Model Violation: Just One of equals() and hashCode() Defined]]
* 89 [[Extra Parameter Error]]
+
# [[Often Misused: Authentication]]
* 90 [[Extra Special Element]]
+
# [[Often Misused: Exception Handling]]
* 91 [[Extra Unhandled Features]]
+
# [[Often Misused: File System]]
* 92 [[Extra Value Error]]
+
# [[Often Misused: Privilege Management]]
* 93 [[Fails poorly due to insufficient permissions]]
+
# [[Often Misused: String Management]]
* 94 [[Failure of true random number generator]]
+
# [[Omitted break statement]]
* 95 [[Failure to account for default case in switch]]
+
# [[Open forward]]
* 96 [[Failure to add integrity check value]]
+
# [[Open redirect]]
* 97 [[Failure to check for certificate revocation]]
+
# [[Overflow of static internal buffer]]
* 98 [[Failure to check integrity check value]]
+
# [[Overly-Broad Catch Block]]
* 99 [[Failure to check whether privileges were dropped successfully]]
+
# [[Overly-Broad Throws Declaration]]
* 100 [[Failure to deallocate data]]
+
# [[Passing mutable objects to an untrusted method]]
* 101 [[Failure to drop privileges when reasonable]]
+
# [[Password Management: Hardcoded Password]]
* 102 [[Failure to encrypt data]]
+
# [[Password Management: Weak Cryptography]]
* 103 [[Failure to follow chain of trust in certificate validation]]
+
# [[Password Plaintext Storage]]
* 104 [[Failure to protect stored data from modification]]
+
# [[PHP File Inclusion]]
* 105 [[Failure to provide confidentiality for stored data]]
+
# [[Poor Logging Practice]]
* 106 [[Failure to validate certificate expiration]]
+
# [[Portability Flaw]]
* 107 [[Failure to validate host-specific certificate data]]
+
# [[Privacy Violation]]
* 108 [[File Access Race Condition: TOCTOU]]
+
# [[PRNG Seed Error]]
* 109 [[Format String]]
+
# [[Process Control]]
* 110 [[Format string problem]]
+
# [[Publicizing of private data when using inner classes]]
* 111 [[General Special Element Problems]]
+
# [[Race Conditions]]
* 112 [[Grouping Element / Paired Delimiter]]
+
# [[Reflection attack in an auth protocol]]
* 113 [[Guessed or visible temporary file]]
+
# [[Reflection injection]]
* 114 [[Hard-Coded Password]]
+
# [[Relative path library search]]
* 115 [[Heap Inspection]]
+
# [[Reliance on data layout]]
* 116 [[Heap overflow]]
+
# [[Relying on package-level scope]]
* 117 [[Ignored function return value]]
+
# [[Resource exhaustion]]
* 118 [[Illegal Pointer Value]]
+
# [[Return Inside Finally Block]]
* 119 [[Improper cleanup on thrown exception]]
+
# [[Reusing a nonce, key pair in encryption]]
* 120 [[Improper error handling]]
+
# [[Session_Fixation]]
* 121 [[Improper Handler Deployment]]
+
# [[Sign extension error]]
* 122 [[Improper Null Termination]]
+
# [[Signed to unsigned conversion error]]
* 123 [[Improper resource shutdown or release]]
+
# [[Stack overflow]]
* 124 [[Improper string length checking]]
+
# [[State synchronization error]]
* 125 [[Improper temp file opening]]
+
# [[Storing passwords in a recoverable format]]
* 126 [[Improperly Implemented Security Check for Standard]]
+
# [[String Termination Error]]
* 127 [[Improperly Trusted Reverse DNS]]
+
# [[Symbolic name not mapping to correct object]]
* 128 [[Improperly Verified Signature]]
+
# [[Template:Vulnerability]]
* 129 [[Inadvertent]]
+
# [[Truncation error]]
* 130 [[Incomplete Blacklist]]
+
# [[Trust Boundary Violation]]
* 131 [[Incomplete Cleanup]]
+
# [[Trust of system event data]]
* 132 [[Incomplete Element]]
+
# [[Trusting self-reported DNS name]]
* 133 [[Incomplete Internal State Distinction]]
+
# [[Trusting self-reported IP address]]
* 134 [[Inconsistent Elements]]
+
# [[Uncaught exception]]
* 135 [[Inconsistent Implementations]]
+
# [[Unchecked array indexing]]
* 136 [[Inconsistent Special Elements]]
+
# [[Unchecked Return Value: Missing Check against Null]]
* 137 [[Incorrect block delimitation]]
+
# [[Undefined Behavior]]
* 138 [[Incorrect initialization]]
+
# [[Uninitialized Variable]]
* 139 [[Incorrect Privilege Assignment]]
+
# [[Unintentional pointer scaling]]
* 140 [[Infoleak Using Debug Information]]
+
# [[Unreleased Resource]]
* 141 [[Information Leak (information disclosure)]]
+
# [[Unrestricted File Upload]]
* 142 [[Information leak through class cloning]]
+
# [[Unsafe function call from a signal handler]]
* 143 [[Information leak through serialization]]
+
# [[Unsafe JNI]]
* 144 [[Information loss or omission]]
+
# [[Unsafe Mobile Code]]
* 145 [[Initialization and Cleanup Errors]]
+
# [[Unsafe Reflection]]
* 146 [[Injection problem]]
+
# [[Unsigned to signed conversion error]]
* 147 [[Input Terminator]]
+
# [[Use of hard-coded password]]
* 148 [[Insecure Compiler Optimization]]
+
# [[Use of Obsolete Methods]]
* 149 [[Insecure Default Permissions]]
+
# [[Use of sizeof() on a pointer type]]
* 150 [[Insecure default variable initialization]]
+
# [[Using a broken or risky cryptographic algorithm]]
* 151 [[Insecure execution-assigned permissions]]
+
# [[Using a key past its expiration date]]
* 152 [[Insecure inherited permissions]]
+
# [[Using freed memory]]
* 153 [[Insecure preserved inherited permissions]]
+
# [[Using password systems]]
* 154 [[Insecure Randomness]]
+
# [[Using referer field for authentication or authorization]]
* 155 [[Insecure Temporary File]]
+
# [[Using single-factor authentication]]
* 156 [[Installation Issues]]
+
# [[Using the wrong operator]]
* 157 [[Insufficient Entropy]]
+
# [[Validation performed in client]]
* 158 [[Insufficient entropy in pseudo-random number generator]]
+
# [[Wrap-around error]]
* 159 [[Insufficient privileges]]
+
# [[Write-what-where condition]]
* 160 [[Insufficient Resource Locking]]
+
* 161 [[Insufficient Resource Pool]]
+
* 162 [[Insufficient Type Distinction]]
+
* 163 [[Insufficient UI warning of dangerous operations]]
+
* 164 [[Insufficient Verification of Data]]
+
* 165 [[Integer coercion error]]
+
* 166 [[Integer overflow]]
+
* 167 [[Integer Overflow]]
+
* 168 [[Integer underflow (wrap or wraparound)]]
+
* 169 [[Intended information leak]]
+
* 170 [[Interaction Errors]]
+
* 171 [[Internal behavioral inconsistency infoleak]]
+
* 172 [[Internal Special Element]]
+
* 173 [[Invalid Characters in Identifiers]]
+
* 174 [[Invoking untrusted mobile code]]
+
* 175 [[J2EE Bad Practices: getConnection()]]
+
* 176 [[J2EE Bad Practices: JSP Expressions]]
+
* 177 [[J2EE Bad Practices: Sockets]]
+
* 178 [[J2EE Bad Practices: System.exit()]]
+
* 179 [[J2EE Bad Practices: Threads]]
+
* 180 [[J2EE Misconfiguration: Insecure Transport]]
+
* 181 [[J2EE Misconfiguration: Insufficient Session-ID Length]]
+
* 182 [[J2EE Misconfiguration: Missing Error Handling]]
+
* 183 [[J2EE Misconfiguration: Unsafe Bean Declaration]]
+
* 184 [[J2EE Misconfiguration: Weak Access Permissions]]
+
* 185 [[J2EE Time and State Issues]]
+
* 186 [[Key exchange without entity authentication]]
+
* 187 [[Key management errors]]
+
* 188 [[Leading Special Element]]
+
* 189 [[Least Privilege Violation]]
+
* 190 [[Leftover Debug Code]]
+
* 191 [[Length Parameter Inconsistency]]
+
* 192 [[Line Delimiter]]
+
* 193 [[Log Forging]]
+
* 194 [[Log injection]]
+
* 195 [[Mac virtual file problems]]
+
* 196 [[Macro symbol]]
+
* 197 [[Member Field Race Condition]]
+
* 198 [[Memory leak]]
+
* 199 [[Memory Leak]]
+
* 200 [[Miscalculated null termination]]
+
* 201 [[Misinterpretation error]]
+
* 202 [[Misinterpreted function return value]]
+
* 203 [[Missing access control]]
+
* 204 [[Missing critical step in authentication]]
+
* 205 [[Missing element error]]
+
* 206 [[Missing error status code]]
+
* 207 [[Missing handler]]
+
* 208 [[Missing initialization]]
+
* 209 [[Missing lock check]]
+
* 210 [[Missing parameter]]
+
* 211 [[Missing parameter error]]
+
* 212 [[Missing required cryptographic step]]
+
* 213 [[Missing special element]]
+
* 214 [[Missing value error]]
+
* 215 [[Missing XML Validation]]
+
* 216 [[Mixed encoding]]
+
* 217 [[Modification of assumed-immutable data]]
+
* 218 [[Multiple failed authentication attempts not prevented]]
+
* 219 [[Multiple internal special element]]
+
* 220 [[Multiple interpretation error (MIE)]]
+
* 221 [[Multiple interpretations of UI input]]
+
* 222 [[Multiple Leading Special Elements]]
+
* 223 [[Multiple Trailing Special Elements]]
+
* 224 [[Mutable object returned]]
+
* 225 [[Mutable objects passed by reference]]
+
* 226 [[No authentication for critical function]]
+
* 227 [[Non-cryptographic pseudo-random number generator]]
+
* 228 [[Non-exit on failed initialization]]
+
* 229 [[Non-replicating]]
+
* 230 [[Not allowing password aging]]
+
* 231 [[Not using a random initialization vector with cipher block chaining mode]]
+
* 232 [[Null character / null byte]]
+
* 233 [[Null Dereference]]
+
* 234 [[Null-pointer dereference]]
+
* 235 [[Numeric Byte Ordering Error]]
+
* 236 [[Numeric Errors]]
+
* 237 [[Object Model Violation: Just One of equals() and hashCode() Defined]]
+
* 238 [[Obscured Security-relevant Information by Alternate Name]]
+
* 239 [[Obsolete feature in UI]]
+
* 240 [[Off-by-one Error]]
+
* 241 [[Often Misused: Authentication]]
+
* 242 [[Often Misused: Exception Handling]]
+
* 243 [[Often Misused: File System]]
+
* 244 [[Often Misused: Path Manipulation]]
+
* 245 [[Often Misused: Privilege Management]]
+
* 246 [[Often Misused: String Management]]
+
* 247 [[Omission of Security-relevant Information]]
+
* 248 [[Omitted break statement]]
+
* 249 [[Open forward]]
+
* 250 [[Open redirect]]
+
* 251 [[Origin Validation Error]]
+
* 252 [[Other length calculation error]]
+
* 253 [[Out-of-bounds Read]]
+
* 254 [[Overflow of static internal buffer]]
+
* 255 [[Overly Restrictive Regular Expression]]
+
* 256 [[Overly-Broad Catch Block]]
+
* 257 [[Overly-Broad Throws Declaration]]
+
* 258 [[Ownership errors]]
+
* 259 [[Parameter Problems]]
+
* 260 [[Partial Comparison]]
+
* 261 [[Passing mutable objects to an untrusted method]]
+
* 262 [[Password Management: Hardcoded Password]]
+
* 263 [[Password Management: Weak Cryptography]]
+
* 264 [[Password Plaintext Storage]]
+
* 265 [[Patch Issues]]
+
* 266 [[Path Equivalence]]
+
* 267 [[Path Issue - asterix wildcard - filedir*]]
+
* 268 [[Path Issue - backslash absolute path - /absolute/pathname/here]]
+
* 269 [[Path Issue - directory doubled dot dot backslash]]
+
* 270 [[Path Issue - directory doubled dot dot slash]]
+
* 271 [[Path Issue - dirname/fakechild/]]
+
* 272 [[Path Issue - dot dot backslash]]
+
* 273 [[Path Issue - doubled dot dot slash]]
+
* 274 [[Path Issue - doubled triple dot slash]]
+
* 275 [[Path Issue - drive letter or Windows volume - 'C:dirname']]
+
* 276 [[Path Issue - internal dot - 'file.ordir']]
+
* 277 [[Path Issue - internal space - file(SPACE)name]]
+
* 278 [[Path Issue - leading directory dot dot backslash]]
+
* 279 [[Path Issue - leading directory dot dot slash]]
+
* 280 [[Path Issue - leading dot dot backslash]]
+
* 281 [[Path Issue - leading dot dot slash]]
+
* 282 [[Path Issue - leading space]]
+
* 283 [[Path Issue - multiple dot]]
+
* 284 [[Path Issue - multiple internal backslash]]
+
* 285 [[Path Issue - multiple leading slash]]
+
* 286 [[Path Issue - multiple trailing dot]]
+
* 287 [[Path Issue - multiple trailing slash]]
+
* 288 [[Path Issue - single dot directory]]
+
* 289 [[Path Issue - slash absolute path]]
+
* 290 [[Path Issue - trailing backslash]]
+
* 291 [[Path Issue - trailing dot]]
+
* 292 [[Path Issue - trailing slash]]
+
* 293 [[Path Issue - trailing space]]
+
* 294 [[Path Issue - triple dot]]
+
* 295 [[Path Issue - Windows 8.3 Filename]]
+
* 296 [[Path Issue - Windows UNC share - '/UNC/share/name/']]
+
* 297 [[Pathname Traversal and Equivalence Errors]]
+
* 298 [[Permission errors]]
+
* 299 [[Permission preservation failure]]
+
* 300 [[Permissions, Privileges, and ACLs]]
+
* 301 [[Permissive Whitelist]]
+
* 302 [[PHP External Variable Modification]]
+
* 303 [[PHP File Inclusion]]
+
* 304 [[Plaintext Storage in Cookie]]
+
* 305 [[Plaintext Storage in Executable]]
+
* 306 [[Plaintext Storage in File or on Disk]]
+
* 307 [[Plaintext Storage in GUI]]
+
* 308 [[Plaintext Storage in Memory]]
+
* 309 [[Plaintext Storage of Sensitive Information]]
+
* 310 [[Pointer Issues]]
+
* 311 [[Poor Logging Practice: Logger Not Declared Static Final]]
+
* 312 [[Poor Logging Practice: Multiple Loggers]]
+
* 313 [[Poor Logging Practice: Use of a System Output Stream]]
+
* 314 [[Poor Style: Confusing Naming]]
+
* 315 [[Poor Style: Empty Synchronized Block]]
+
* 316 [[Poor Style: Explicit call to finalize()]]
+
* 317 [[Poor Style: Identifier Contains Dollar Symbol ($)]]
+
* 318 [[Portability Flaw]]
+
* 319 [[Porting Issues]]
+
* 320 [[Predictability problems]]
+
* 321 [[Predictable Exact Value from Previous Values]]
+
* 322 [[Predictable from Observable State]]
+
* 323 [[Predictable Seed in PRNG]]
+
* 324 [[Predictable Value Range from Previous Values]]
+
* 325 [[Privacy Violation]]
+
* 326 [[Private Array-Typed Field Returned From A Public Method]]
+
* 327 [[Privilege / sandbox errors]]
+
* 328 [[Privilege Chaining]]
+
* 329 [[Privilege Context Switching Error]]
+
* 330 [[Privilege Dropping / Lowering Errors]]
+
* 331 [[Privilege Management Error]]
+
* 332 [[PRNG Seed Error]]
+
* 333 [[Process Control]]
+
* 334 [[Process information infoleak to other processes]]
+
* 335 [[Product UI does not warn user of unsafe actions]]
+
* 336 [[Product-External Error Message Infoleak]]
+
* 337 [[Product-Generated Error Message Infoleak]]
+
* 338 [[Proxied Trusted Channel]]
+
* 339 [[Public Data Assigned to Private Array-Typed Field]]
+
* 340 [[Publicizing of private data when using inner classes]]
+
* 341 [[Quoting Element]]
+
* 342 [[Race condition enabling link following]]
+
* 343 [[Race condition in checking for certificate revocation]]
+
* 344 [[Race condition in signal handler]]
+
* 345 [[Race condition in switch]]
+
* 346 [[Race condition within a thread]]
+
* 347 [[Race Conditions]]
+
* 348 [[Randomness and Predictability]]
+
* 349 [[Record Delimiter]]
+
* 350 [[Reflection attack in an auth protocol]]
+
* 351 [[Reflection injection]]
+
* 352 [[Regular Expression Error]]
+
* 353 [[Relative path library search]]
+
* 354 [[Reliance on data layout]]
+
* 355 [[Relying on package-level scope]]
+
* 356 [[Representation Errors]]
+
* 357 [[Requirements Issues]]
+
* 358 [[Resource exhaustion]]
+
* 359 [[Resource leaks]]
+
* 360 [[Resource Locking problems]]
+
* 361 [[Resource Management Errors]]
+
* 362 [[Response discrepancy infoleak]]
+
* 363 [[Return Inside Finally Block]]
+
* 364 [[Reusing a nonce, key pair in encryption]]
+
* 365 [[Reversible One-Way Hash]]
+
* 366 [[Same Seed in PRNG]]
+
* 367 [[Section Delimiter]]
+
* 368 [[Sensitive Data Under FTP Root]]
+
* 369 [[Sensitive Data Under Web Root]]
+
* 370 [[Sensitive Information Uncleared Before Use]]
+
* 371 [[Session Fixation]]
+
* 372 [[Sign extension error]]
+
* 373 [[Signal Errors]]
+
* 374 [[Signed to unsigned conversion error]]
+
* 375 [[Small Seed Space in PRNG]]
+
* 376 [[Small Space of Random Values]]
+
* 377 [[Stack overflow]]
+
* 378 [[State synchronization error]]
+
* 379 [[Static Value in Unpredictable Context]]
+
* 380 [[Storing passwords in a recoverable format]]
+
* 381 [[String Termination Error]]
+
* 382 [[Struts: Duplicate Validation Forms]]
+
* 383 [[Struts: Erroneous validate() Method]]
+
* 384 [[Struts: Form Bean Does Not Extend Validation Class]]
+
* 385 [[Struts: Form Does Not Extend Validation Class]]
+
* 386 [[Struts: Form Field Without Validator]]
+
* 387 [[Struts: Plug-in Framework Not In Use]]
+
* 388 [[Struts: Unused Validation Form]]
+
* 389 [[Struts: Unvalidated Action Form]]
+
* 390 [[Struts: Validator Turned Off]]
+
* 391 [[Struts: Validator Without Form Field]]
+
* 392 [[Substitution Character]]
+
* 393 [[Symbolic name not mapping to correct object]]
+
* 394 [[System Configuration Issues]]
+
* 395 [[System Information Leak]]
+
* 396 [[System Information Leak: Missing Catch Block]]
+
* 397 [[System Operations Issues]]
+
* 398 [[Technology-specific Environment Issues]]
+
* 399 [[Technology-Specific Input Validation Problems]]
+
* 400 [[Technology-Specific Special Elements]]
+
* 401 [[Technology-Specific Time and State Issues]]
+
* 402 [[Template:Vulnerability]]
+
* 403 [[Temporary File Issues]]
+
* 404 [[Testing Issues]]
+
* 405 [[The UI performs the wrong action]]
+
* 406 [[Time and State]]
+
* 407 [[Time of check, time of use race condition]]
+
* 408 [[Time of Introduction]]
+
* 409 [[Time-of-check Time-of-use race condition]]
+
* 410 [[Timing discrepancy infoleak]]
+
* 411 [[Trailing Special Element]]
+
* 412 [[Trapdoor]]
+
* 413 [[Truncation error]]
+
* 414 [[Truncation of Security-relevant Information]]
+
* 415 [[Trust Boundary Violation]]
+
* 416 [[Trust of system event data]]
+
* 417 [[Trusting self-reported DNS name]]
+
* 418 [[Trusting self-reported IP address]]
+
* 419 [[UI Misrepresentation of Critical Information]]
+
* 420 [[Uncaught exception]]
+
* 421 [[Unchecked array indexing]]
+
* 422 [[Unchecked Error Condition]]
+
* 423 [[Unchecked Return Value]]
+
* 424 [[Unchecked Return Value: Missing Check against Null]]
+
* 425 [[Uncontrolled Search Path Element]]
+
* 426 [[Undefined Behavior]]
+
* 427 [[Undefined Parameter Error]]
+
* 428 [[Undefined Value Error]]
+
* 429 [[Unexpected Status Code or Return Value]]
+
* 430 [[Unimplemented or unsupported feature in UI]]
+
* 431 [[Uninitialized variable]]
+
* 432 [[Uninitialized Variable]]
+
* 433 [[Unintended proxy/intermediary]]
+
* 434 [[Unintentional pointer scaling]]
+
* 435 [[UNIX file descriptor leak]]
+
* 436 [[UNIX hard link]]
+
* 437 [[UNIX Path Link problems]]
+
* 438 [[UNIX symbolic link (symlink) following]]
+
* 439 [[Unparsed Raw Web Content Delivery]]
+
* 440 [[Unprotected Alternate Channel]]
+
* 441 [[Unprotected Primary Channel]]
+
* 442 [[Unquoted Search Path or Element]]
+
* 443 [[Unreleased Resource]]
+
* 444 [[Unrestricted Critical Resource Lock]]
+
* 445 [[Unrestricted File Upload]]
+
* 446 [[Unsafe function call from a signal handler]]
+
* 447 [[Unsafe JNI]]
+
* 448 [[Unsafe Mobile Code: Access Violation]]
+
* 449 [[Unsafe Mobile Code: Dangerous Array Declaration]]
+
* 450 [[Unsafe Mobile Code: Dangerous Public Field]]
+
* 451 [[Unsafe Mobile Code: Inner Class]]
+
* 452 [[Unsafe Mobile Code: Public finalize() Method]]
+
* 453 [[Unsafe Privilege]]
+
* 454 [[Unsafe Reflection]]
+
* 455 [[Unsigned to signed conversion error]]
+
* 456 [[Untrusted Data Appended with Trusted Data]]
+
* 457 [[Unverified Ownership]]
+
* 458 [[URL Encoding (Hex Encoding)]]
+
* 459 [[Use of hard-coded password]]
+
* 460 [[Use of Less Trusted Source]]
+
* 461 [[Use of Obsolete Methods]]
+
* 462 [[Use of sizeof() on a pointer type]]
+
* 463 [[User interface inconsistency]]
+
* 464 [[User Interface Quality Errors]]
+
* 465 [[User Interface Security Errors]]
+
* 466 [[User management errors]]
+
* 467 [[Using a broken or risky cryptographic algorithm]]
+
* 468 [[Using a key past its expiration date]]
+
* 469 [[Using freed memory]]
+
* 470 [[Using password systems]]
+
* 471 [[Using referer field for authentication or authorization]]
+
* 472 [[Using single-factor authentication]]
+
* 473 [[Using the wrong operator]]
+
* 474 [[Validate-Before-Canonicalize]]
+
* 475 [[Validate-Before-Filter]]
+
* 476 [[Validation performed in client]]
+
* 477 [[Value Delimiter]]
+
* 478 [[Value Problems]]
+
* 479 [[Variable Name Delimiter]]
+
* 480 [[Virtual Files]]
+
* 481 [[Weak credentials]]
+
* 482 [[Weak Encryption]]
+
* 483 [[Wrap-around error]]
+
* 484 [[Write-what-where condition]]
+
* 485 [[Wrong Data Type]]
+
* 486 [[Wrong Status Code]]
+
 
+
Back to [[ASDR_Table_of_Contents|TOC]]
+
  
 
[[Category:OWASP ASDR Project]]
 
[[Category:OWASP ASDR Project]]
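Review bot: the new revision lists "Template:Vulnerability" as a numbered entry (between "Symbolic name not mapping to correct object" and "Truncation error"); that is the page template used to author vulnerability articles, not a vulnerability itself, and the old revision had the same stray entry, so this edit is a chance to drop it. Two smaller consistency points in the same hunk: "Session_Fixation" keeps a raw underscore where the old list used "Session Fixation", so the link text should match the other entries; and several entries describe one weakness under more than one title ("Double Free" and "Doubly freeing memory"; "Hard-Coded Password", "Password Management: Hardcoded Password" and "Use of hard-coded password"; "Insufficient Entropy" and "Insufficient entropy in pseudo-random number generator"), so the trimmed list would be easier to navigate if each pair were merged into one article with a redirect from the other title. The edit summary ("Added vulnerability - HPP") matches the new "HTTP Parameter Pollution" entry, which is in the correct alphabetical position.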

Revision as of 04:18, 11 July 2012

  1. Access control enforced by presentation layer
  2. Addition of data-structure sentinel
  3. Allowing password aging
  4. ASP.NET Misconfigurations
  5. Assigning instead of comparing
  6. Authentication Bypass via Assumed-Immutable Data
  7. Buffer Overflow
  8. Buffer underwrite
  9. Business logic vulnerability
  10. Capture-replay
  11. Catch NullPointerException
  12. Comparing classes by name
  13. Comparing instead of assigning
  14. Comprehensive list of Threats to Authentication Procedures and Data
  15. Covert timing channel
  16. CRLF Injection
  17. Cross Site Scripting Flaw
  18. Dangerous Function
  19. Deletion of data-structure sentinel
  20. Deserialization of untrusted data
  21. Directory Restriction Error
  22. Double Free
  23. Doubly freeing memory
  24. Duplicate key in associative list (alist)
  25. Empty Catch Block
  26. Empty String Password
  27. Failure of true random number generator
  28. Failure to account for default case in switch
  29. Failure to add integrity check value
  30. Failure to check for certificate revocation
  31. Failure to check integrity check value
  32. Failure to check whether privileges were dropped successfully
  33. Failure to deallocate data
  34. Failure to drop privileges when reasonable
  35. Failure to encrypt data
  36. Failure to follow chain of trust in certificate validation
  37. Failure to follow guideline/specification
  38. Failure to protect stored data from modification
  39. Failure to provide confidentiality for stored data
  40. Failure to validate certificate expiration
  41. Failure to validate host-specific certificate data
  42. File Access Race Condition: TOCTOU
  43. Format String
  44. Guessed or visible temporary file
  45. Hard-Coded Password
  46. Heap Inspection
  47. Heap overflow
  48. HTTP Parameter Pollution
  49. Ignored function return value
  50. Illegal Pointer Value
  51. Improper cleanup on thrown exception
  52. Improper Data Validation
  53. Improper error handling
  54. Improper string length checking
  55. Improper temp file opening
  56. Incorrect block delimitation
  57. Information Leakage
  58. Information leak through class cloning
  59. Information leak through serialization
  60. Injection problem
  61. Insecure Compiler Optimization
  62. Insecure Randomness
  63. Insecure Temporary File
  64. Insecure Third Party Domain Access
  65. Insecure Transport
  66. Insufficient Entropy
  67. Insufficient entropy in pseudo-random number generator
  68. Insufficient Session-ID Length
  69. Integer coercion error
  70. Integer overflow
  71. Invoking untrusted mobile code
  72. J2EE Misconfiguration: Unsafe Bean Declaration
  73. Key exchange without entity authentication
  74. Least Privilege Violation
  75. Leftover Debug Code
  76. Log Forging
  77. Log injection
  78. Member Field Race Condition
  79. Memory leak
  80. Miscalculated null termination
  81. Misinterpreted function return value
  82. Missing Error Handling
  83. Missing parameter
  84. Missing XML Validation
  85. Mutable object returned
  86. Non-cryptographic pseudo-random number generator
  87. Not allowing password aging
  88. Not using a random initialization vector with cipher block chaining mode
  89. Null Dereference
  90. Object Model Violation: Just One of equals() and hashCode() Defined
  91. Often Misused: Authentication
  92. Often Misused: Exception Handling
  93. Often Misused: File System
  94. Often Misused: Privilege Management
  95. Often Misused: String Management
  96. Omitted break statement
  97. Open forward
  98. Open redirect
  99. Overflow of static internal buffer
  100. Overly-Broad Catch Block
  101. Overly-Broad Throws Declaration
  102. Passing mutable objects to an untrusted method
  103. Password Management: Hardcoded Password
  104. Password Management: Weak Cryptography
  105. Password Plaintext Storage
  106. PHP File Inclusion
  107. Poor Logging Practice
  108. Portability Flaw
  109. Privacy Violation
  110. PRNG Seed Error
  111. Process Control
  112. Publicizing of private data when using inner classes
  113. Race Conditions
  114. Reflection attack in an auth protocol
  115. Reflection injection
  116. Relative path library search
  117. Reliance on data layout
  118. Relying on package-level scope
  119. Resource exhaustion
  120. Return Inside Finally Block
  121. Reusing a nonce, key pair in encryption
  122. Session_Fixation
  123. Sign extension error
  124. Signed to unsigned conversion error
  125. Stack overflow
  126. State synchronization error
  127. Storing passwords in a recoverable format
  128. String Termination Error
  129. Symbolic name not mapping to correct object
  130. Template:Vulnerability
  131. Truncation error
  132. Trust Boundary Violation
  133. Trust of system event data
  134. Trusting self-reported DNS name
  135. Trusting self-reported IP address
  136. Uncaught exception
  137. Unchecked array indexing
  138. Unchecked Return Value: Missing Check against Null
  139. Undefined Behavior
  140. Uninitialized Variable
  141. Unintentional pointer scaling
  142. Unreleased Resource
  143. Unrestricted File Upload
  144. Unsafe function call from a signal handler
  145. Unsafe JNI
  146. Unsafe Mobile Code
  147. Unsafe Reflection
  148. Unsigned to signed conversion error
  149. Use of hard-coded password
  150. Use of Obsolete Methods
  151. Use of sizeof() on a pointer type
  152. Using a broken or risky cryptographic algorithm
  153. Using a key past its expiration date
  154. Using freed memory
  155. Using password systems
  156. Using referer field for authentication or authorization
  157. Using single-factor authentication
  158. Using the wrong operator
  159. Validation performed in client
  160. Wrap-around error
  161. Write-what-where condition