Difference between revisions of "ASDR TOC Vulnerabilities"

From OWASP
m (Added vulnerability - HPP)
(47 intermediate revisions by 3 users not shown)
Previous revision (left-hand column of the diff):

Back to [[ASDR_Table_of_Contents|TOC]]

# [[Access control enforced by presentation layer]]
# [[Accidental leaking of sensitive information through data queries]]
# [[Accidental leaking of sensitive information through error messages]]
# [[Accidental leaking of sensitive information through sent data]]
# [[Addition of data-structure sentinel]]
# [[Algorithmic Complexity]]
# [[Allowing External Setting Manipulation]]
# [[Allowing password aging]]
# [[Alternate Channel Race Condition]]
# [[Alternate Encoding]]
# [[ASP.NET Misconfiguration: Creating Debug Binary]]
# [[ASP.NET Misconfiguration: Missing Custom Error Handling]]
# [[ASP.NET Misconfiguration: Password in Configuration File]]
# [[Assigning instead of comparing]]
# [[Authentication bypass by alternate name]]
# [[Authentication Bypass by Alternate Path/Channel]]
# [[Authentication Bypass by Primary Weakness]]
# [[Authentication bypass by spoofing]]
# [[Authentication Bypass via Assumed-Immutable Data]]
# [[Authentication Error]]
# [[Authentication Logic Error]]
# [[Behavioral Change]]
# [[Behavioral Discrepancy Infoleak]]
# [[Behavioral problems]]
# [[Buffer Overflow]]
# [[Buffer over-read]]
# [[Buffer under-read]]
# [[Buffer underwrite]]
# [[Bundling Issues]]
# [[Byte/Object Code]]
# [[Capture-replay]]
# [[Case Sensitivity (lowercase, uppercase, mixed case)]]
# [[Catch NullPointerException]]
# [[Channel and Path Errors]]
# [[Cleansing, Canonicalization, and Comparison Errors]]
# [[Code Correctness: Call to System.gc()]]
# [[Code Correctness: Call to Thread.run()]]
# [[Code Correctness: Class Does Not Implement Cloneable]]
# [[Code Correctness: Double-Checked Locking]]
# [[Code Correctness: Erroneous finalize() Method]]
# [[Code Correctness: Erroneous String Compare]]
# [[Code Correctness: Misspelled Method Name]]
# [[Code Correctness: null Argument to equals()]]
# [[Collapse of Data into Unsafe Value]]
# [[Common Special Element Manipulations]]
# [[Comparing classes by name]]
# [[Comparing instead of assigning]]
# [[Comprehensive list of Threats to Authentication Procedures and Data]]
# [[Context Switching Race Condition]]
# [[Covert timing channel]]
# [[CRLF Injection]]
# [[Cross Site Scripting]]
# [[Cross-Boundary Cleansing Infoleak]]
# [[Dangerous Function]]
# [[Dangerous handler not cleared/disabled during sensitive operations]]
# [[Data Amplification]]
# [[Data Leaking Between Users]]
# [[Data Structure Issues]]
# [[Dead Code: Broken Override]]
# [[Dead Code: Expression is Always False]]
# [[Dead Code: Expression is Always True]]
# [[Dead Code: Unused Field]]
# [[Dead Code: Unused Method]]
# [[Deletion of data-structure sentinel]]
# [[Delimiter between Expressions or Commands]]
# [[Delimiter Problems]]
# [[Deserialization of untrusted data]]
# [[Directory Restriction Error]]
# [[Discrepancy Information Leaks]]
# [[Double Free]]
# [[Doubled character XSS manipulations]]
# [[Doubly freeing memory]]
# [[Duplicate key in associative list (alist)]]
# [[Early Amplification]]
# [[EJB Bad Practices: Use of AWT/Swing]]
* 77 [[EJB Bad Practices: Use of Class Loader]]
* 78 [[EJB Bad Practices: Use of java.io]]
* 79 [[EJB Bad Practices: Use of Sockets]]
* 80 [[EJB Bad Practices: Use of Synchronization Primitives]]
* 81 [[Empty Catch Block]]
* 82 [[Empty String Password]]
* 83 [[Error Conditions, Return Values, Status Codes]]
* 84 [[Error Message Infoleaks]]
* 85 [[Escape, Meta, or Control Character / Sequence]]
* 86 [[Expected behavior violation]]
* 87 [[External behavioral inconsistency infoleak]]
* 88 [[External initialization of trusted variables or values]]
* 89 [[Extra Parameter Error]]
* 90 [[Extra Special Element]]
* 91 [[Extra Unhandled Features]]
* 92 [[Extra Value Error]]
* 93 [[Fails poorly due to insufficient permissions]]
* 94 [[Failure of true random number generator]]
* 95 [[Failure to account for default case in switch]]
* 96 [[Failure to add integrity check value]]
* 97 [[Failure to check for certificate revocation]]
* 98 [[Failure to check integrity check value]]
* 99 [[Failure to check whether privileges were dropped successfully]]
* 100 [[Failure to deallocate data]]
* 101 [[Failure to drop privileges when reasonable]]
* 102 [[Failure to encrypt data]]
* 103 [[Failure to follow chain of trust in certificate validation]]
* 104 [[Failure to protect stored data from modification]]
* 105 [[Failure to provide confidentiality for stored data]]
* 106 [[Failure to validate certificate expiration]]
* 107 [[Failure to validate host-specific certificate data]]
* 108 [[File Access Race Condition: TOCTOU]]
* 109 [[Format String]]
* 110 [[Format string problem]]
* 111 [[General Special Element Problems]]
* 112 [[Grouping Element / Paired Delimiter]]
* 113 [[Guessed or visible temporary file]]
* 114 [[Hard-Coded Password]]
* 115 [[Heap Inspection]]
* 116 [[Heap overflow]]
* 117 [[Ignored function return value]]
* 118 [[Illegal Pointer Value]]
* 119 [[Improper cleanup on thrown exception]]
* 120 [[Improper error handling]]
* 121 [[Improper Handler Deployment]]
* 122 [[Improper Null Termination]]
* 123 [[Improper resource shutdown or release]]
* 124 [[Improper string length checking]]
* 125 [[Improper temp file opening]]
* 126 [[Improperly Implemented Security Check for Standard]]
* 127 [[Improperly Trusted Reverse DNS]]
* 128 [[Improperly Verified Signature]]
* 129 [[Inadvertent]]
* 130 [[Incomplete Blacklist]]
* 131 [[Incomplete Cleanup]]
* 132 [[Incomplete Element]]
* 133 [[Incomplete Internal State Distinction]]
* 134 [[Inconsistent Elements]]
* 135 [[Inconsistent Implementations]]
* 136 [[Inconsistent Special Elements]]
* 137 [[Incorrect block delimitation]]
* 138 [[Incorrect initialization]]
* 139 [[Incorrect Privilege Assignment]]
* 140 [[Infoleak Using Debug Information]]
* 141 [[Information Leak (information disclosure)]]
* 142 [[Information leak through class cloning]]
* 143 [[Information leak through serialization]]
* 144 [[Information loss or omission]]
* 145 [[Initialization and Cleanup Errors]]
* 146 [[Injection problem]]
* 147 [[Input Terminator]]
* 148 [[Insecure Compiler Optimization]]
* 149 [[Insecure Default Permissions]]
* 150 [[Insecure default variable initialization]]
* 151 [[Insecure execution-assigned permissions]]
* 152 [[Insecure inherited permissions]]
* 153 [[Insecure preserved inherited permissions]]
* 154 [[Insecure Randomness]]
* 155 [[Insecure Temporary File]]
* 156 [[Installation Issues]]
* 157 [[Insufficient Entropy]]
* 158 [[Insufficient entropy in pseudo-random number generator]]
* 159 [[Insufficient privileges]]
* 160 [[Insufficient Resource Locking]]
* 161 [[Insufficient Resource Pool]]
* 162 [[Insufficient Type Distinction]]
* 163 [[Insufficient UI warning of dangerous operations]]
* 164 [[Insufficient Verification of Data]]
* 165 [[Integer coercion error]]
* 166 [[Integer overflow]]
* 167 [[Integer Overflow]]
* 168 [[Integer underflow (wrap or wraparound)]]
* 169 [[Intended information leak]]
* 170 [[Interaction Errors]]
* 171 [[Internal behavioral inconsistency infoleak]]
* 172 [[Internal Special Element]]
* 173 [[Invalid Characters in Identifiers]]
* 174 [[Invoking untrusted mobile code]]
* 175 [[J2EE Bad Practices: getConnection()]]
* 176 [[J2EE Bad Practices: JSP Expressions]]
* 177 [[J2EE Bad Practices: Sockets]]
* 178 [[J2EE Bad Practices: System.exit()]]
* 179 [[J2EE Bad Practices: Threads]]
* 180 [[J2EE Misconfiguration: Insecure Transport]]
* 181 [[J2EE Misconfiguration: Insufficient Session-ID Length]]
* 182 [[J2EE Misconfiguration: Missing Error Handling]]
* 183 [[J2EE Misconfiguration: Unsafe Bean Declaration]]
* 184 [[J2EE Misconfiguration: Weak Access Permissions]]
* 185 [[J2EE Time and State Issues]]
* 186 [[Key exchange without entity authentication]]
* 187 [[Key management errors]]
* 188 [[Leading Special Element]]
* 189 [[Least Privilege Violation]]
* 190 [[Leftover Debug Code]]
* 191 [[Length Parameter Inconsistency]]
* 192 [[Line Delimiter]]
* 193 [[Log Forging]]
* 194 [[Log injection]]
* 195 [[Mac virtual file problems]]
* 196 [[Macro symbol]]
* 197 [[Member Field Race Condition]]
* 198 [[Memory leak]]
* 199 [[Memory Leak]]
* 200 [[Miscalculated null termination]]
* 201 [[Misinterpretation error]]
* 202 [[Misinterpreted function return value]]
* 203 [[Missing access control]]
* 204 [[Missing critical step in authentication]]
* 205 [[Missing element error]]
* 206 [[Missing error status code]]
* 207 [[Missing handler]]
* 208 [[Missing initialization]]
* 209 [[Missing lock check]]
* 210 [[Missing parameter]]
* 211 [[Missing parameter error]]
* 212 [[Missing required cryptographic step]]
* 213 [[Missing special element]]
* 214 [[Missing value error]]
* 215 [[Missing XML Validation]]
* 216 [[Mixed encoding]]
* 217 [[Modification of assumed-immutable data]]
* 218 [[Multiple failed authentication attempts not prevented]]
* 219 [[Multiple internal special element]]
* 220 [[Multiple interpretation error (MIE)]]
* 221 [[Multiple interpretations of UI input]]
* 222 [[Multiple Leading Special Elements]]
* 223 [[Multiple Trailing Special Elements]]
* 224 [[Mutable object returned]]
* 225 [[Mutable objects passed by reference]]
* 226 [[No authentication for critical function]]
* 227 [[Non-cryptographic pseudo-random number generator]]
* 228 [[Non-exit on failed initialization]]
* 229 [[Non-replicating]]
* 230 [[Not allowing password aging]]
* 231 [[Not using a random initialization vector with cipher block chaining mode]]
* 232 [[Null character / null byte]]
* 233 [[Null Dereference]]
* 234 [[Null-pointer dereference]]
* 235 [[Numeric Byte Ordering Error]]
* 236 [[Numeric Errors]]
* 237 [[Object Model Violation: Just One of equals() and hashCode() Defined]]
* 238 [[Obscured Security-relevant Information by Alternate Name]]
* 239 [[Obsolete feature in UI]]
* 240 [[Off-by-one Error]]
* 241 [[Often Misused: Authentication]]
* 242 [[Often Misused: Exception Handling]]
* 243 [[Often Misused: File System]]
* 244 [[Often Misused: Path Manipulation]]
* 245 [[Often Misused: Privilege Management]]
* 246 [[Often Misused: String Management]]
* 247 [[Omission of Security-relevant Information]]
* 248 [[Omitted break statement]]
* 249 [[Open forward]]
* 250 [[Open redirect]]
* 251 [[Origin Validation Error]]
* 252 [[Other length calculation error]]
* 253 [[Out-of-bounds Read]]
* 254 [[Overflow of static internal buffer]]
* 255 [[Overly Restrictive Regular Expression]]
* 256 [[Overly-Broad Catch Block]]
* 257 [[Overly-Broad Throws Declaration]]
* 258 [[Ownership errors]]
* 259 [[Parameter Problems]]
* 260 [[Partial Comparison]]
* 261 [[Passing mutable objects to an untrusted method]]
* 262 [[Password Management: Hardcoded Password]]
* 263 [[Password Management: Weak Cryptography]]
* 264 [[Password Plaintext Storage]]
* 265 [[Patch Issues]]
* 266 [[Path Equivalence]]
* 267 [[Path Issue - asterix wildcard - filedir*]]
* 268 [[Path Issue - backslash absolute path - /absolute/pathname/here]]
* 269 [[Path Issue - directory doubled dot dot backslash]]
* 270 [[Path Issue - directory doubled dot dot slash]]
* 271 [[Path Issue - dirname/fakechild/]]
* 272 [[Path Issue - dot dot backslash]]
* 273 [[Path Issue - doubled dot dot slash]]
* 274 [[Path Issue - doubled triple dot slash]]
* 275 [[Path Issue - drive letter or Windows volume - 'C:dirname']]
* 276 [[Path Issue - internal dot - 'file.ordir']]
* 277 [[Path Issue - internal space - file(SPACE)name]]
* 278 [[Path Issue - leading directory dot dot backslash]]
* 279 [[Path Issue - leading directory dot dot slash]]
* 280 [[Path Issue - leading dot dot backslash]]
* 281 [[Path Issue - leading dot dot slash]]
* 282 [[Path Issue - leading space]]
* 283 [[Path Issue - multiple dot]]
* 284 [[Path Issue - multiple internal backslash]]
* 285 [[Path Issue - multiple leading slash]]
* 286 [[Path Issue - multiple trailing dot]]
* 287 [[Path Issue - multiple trailing slash]]
* 288 [[Path Issue - single dot directory]]
* 289 [[Path Issue - slash absolute path]]
* 290 [[Path Issue - trailing backslash]]
* 291 [[Path Issue - trailing dot]]
* 292 [[Path Issue - trailing slash]]
* 293 [[Path Issue - trailing space]]
* 294 [[Path Issue - triple dot]]
* 295 [[Path Issue - Windows 8.3 Filename]]
* 296 [[Path Issue - Windows UNC share - '/UNC/share/name/']]
* 297 [[Pathname Traversal and Equivalence Errors]]
* 298 [[Permission errors]]
* 299 [[Permission preservation failure]]
* 300 [[Permissions, Privileges, and ACLs]]
* 301 [[Permissive Whitelist]]
* 302 [[PHP External Variable Modification]]
* 303 [[PHP File Inclusion]]
* 304 [[Plaintext Storage in Cookie]]
* 305 [[Plaintext Storage in Executable]]
* 306 [[Plaintext Storage in File or on Disk]]
* 307 [[Plaintext Storage in GUI]]
* 308 [[Plaintext Storage in Memory]]
* 309 [[Plaintext Storage of Sensitive Information]]
* 310 [[Pointer Issues]]
* 311 [[Poor Logging Practice: Logger Not Declared Static Final]]
* 312 [[Poor Logging Practice: Multiple Loggers]]
* 313 [[Poor Logging Practice: Use of a System Output Stream]]
* 314 [[Poor Style: Confusing Naming]]
* 315 [[Poor Style: Empty Synchronized Block]]
* 316 [[Poor Style: Explicit call to finalize()]]
* 317 [[Poor Style: Identifier Contains Dollar Symbol ($)]]
* 318 [[Portability Flaw]]
* 319 [[Porting Issues]]
* 320 [[Predictability problems]]
* 321 [[Predictable Exact Value from Previous Values]]
* 322 [[Predictable from Observable State]]
* 323 [[Predictable Seed in PRNG]]
* 324 [[Predictable Value Range from Previous Values]]
* 325 [[Privacy Violation]]
* 326 [[Private Array-Typed Field Returned From A Public Method]]
* 327 [[Privilege / sandbox errors]]
* 328 [[Privilege Chaining]]
* 329 [[Privilege Context Switching Error]]
* 330 [[Privilege Dropping / Lowering Errors]]
* 331 [[Privilege Management Error]]
* 332 [[PRNG Seed Error]]
* 333 [[Process Control]]
* 334 [[Process information infoleak to other processes]]
* 335 [[Product UI does not warn user of unsafe actions]]
* 336 [[Product-External Error Message Infoleak]]
* 337 [[Product-Generated Error Message Infoleak]]
* 338 [[Proxied Trusted Channel]]
* 339 [[Public Data Assigned to Private Array-Typed Field]]
* 340 [[Publicizing of private data when using inner classes]]
* 341 [[Quoting Element]]
* 342 [[Race condition enabling link following]]
* 343 [[Race condition in checking for certificate revocation]]
* 344 [[Race condition in signal handler]]
* 345 [[Race condition in switch]]
* 346 [[Race condition within a thread]]
* 347 [[Race Conditions]]
* 348 [[Randomness and Predictability]]
* 349 [[Record Delimiter]]
* 350 [[Reflection attack in an auth protocol]]
* 351 [[Reflection injection]]
* 352 [[Regular Expression Error]]
* 353 [[Relative path library search]]
* 354 [[Reliance on data layout]]
* 355 [[Relying on package-level scope]]
* 356 [[Representation Errors]]
* 357 [[Requirements Issues]]
* 358 [[Resource exhaustion]]
* 359 [[Resource leaks]]
* 360 [[Resource Locking problems]]
* 361 [[Resource Management Errors]]
* 362 [[Response discrepancy infoleak]]
* 363 [[Return Inside Finally Block]]
* 364 [[Reusing a nonce, key pair in encryption]]
* 365 [[Reversible One-Way Hash]]
* 366 [[Same Seed in PRNG]]
* 367 [[Section Delimiter]]
* 368 [[Sensitive Data Under FTP Root]]
* 369 [[Sensitive Data Under Web Root]]
* 370 [[Sensitive Information Uncleared Before Use]]
* 371 [[Session Fixation]]
* 372 [[Sign extension error]]
* 373 [[Signal Errors]]
* 374 [[Signed to unsigned conversion error]]
* 375 [[Small Seed Space in PRNG]]
* 376 [[Small Space of Random Values]]
* 377 [[Stack overflow]]
* 378 [[State synchronization error]]
* 379 [[Static Value in Unpredictable Context]]
* 380 [[Storing passwords in a recoverable format]]
* 381 [[String Termination Error]]
* 382 [[Struts: Duplicate Validation Forms]]
* 383 [[Struts: Erroneous validate() Method]]
* 384 [[Struts: Form Bean Does Not Extend Validation Class]]
* 385 [[Struts: Form Does Not Extend Validation Class]]
* 386 [[Struts: Form Field Without Validator]]
* 387 [[Struts: Plug-in Framework Not In Use]]
* 388 [[Struts: Unused Validation Form]]
* 389 [[Struts: Unvalidated Action Form]]
* 390 [[Struts: Validator Turned Off]]
* 391 [[Struts: Validator Without Form Field]]
* 392 [[Substitution Character]]
* 393 [[Symbolic name not mapping to correct object]]
* 394 [[System Configuration Issues]]
* 395 [[System Information Leak]]
* 396 [[System Information Leak: Missing Catch Block]]
* 397 [[System Operations Issues]]
* 398 [[Technology-specific Environment Issues]]
* 399 [[Technology-Specific Input Validation Problems]]
* 400 [[Technology-Specific Special Elements]]
* 401 [[Technology-Specific Time and State Issues]]
* 402 [[Template:Vulnerability]]
* 403 [[Temporary File Issues]]
* 404 [[Testing Issues]]
* 405 [[The UI performs the wrong action]]
* 406 [[Time and State]]
* 407 [[Time of check, time of use race condition]]
* 408 [[Time of Introduction]]
* 409 [[Time-of-check Time-of-use race condition]]
* 410 [[Timing discrepancy infoleak]]
* 411 [[Trailing Special Element]]
* 412 [[Trapdoor]]
* 413 [[Truncation error]]
* 414 [[Truncation of Security-relevant Information]]
* 415 [[Trust Boundary Violation]]
* 416 [[Trust of system event data]]
* 417 [[Trusting self-reported DNS name]]
* 418 [[Trusting self-reported IP address]]
* 419 [[UI Misrepresentation of Critical Information]]
* 420 [[Uncaught exception]]
* 421 [[Unchecked array indexing]]
* 422 [[Unchecked Error Condition]]
* 423 [[Unchecked Return Value]]
* 424 [[Unchecked Return Value: Missing Check against Null]]
* 425 [[Uncontrolled Search Path Element]]
* 426 [[Undefined Behavior]]
* 427 [[Undefined Parameter Error]]
* 428 [[Undefined Value Error]]
* 429 [[Unexpected Status Code or Return Value]]
* 430 [[Unimplemented or unsupported feature in UI]]
* 431 [[Uninitialized variable]]
* 432 [[Uninitialized Variable]]
* 433 [[Unintended proxy/intermediary]]
* 434 [[Unintentional pointer scaling]]
* 435 [[UNIX file descriptor leak]]
* 436 [[UNIX hard link]]
* 437 [[UNIX Path Link problems]]
* 438 [[UNIX symbolic link (symlink) following]]
* 439 [[Unparsed Raw Web Content Delivery]]
* 440 [[Unprotected Alternate Channel]]
* 441 [[Unprotected Primary Channel]]
* 442 [[Unquoted Search Path or Element]]
* 443 [[Unreleased Resource]]
* 444 [[Unrestricted Critical Resource Lock]]
* 445 [[Unrestricted File Upload]]
* 446 [[Unsafe function call from a signal handler]]
* 447 [[Unsafe JNI]]
* 448 [[Unsafe Mobile Code: Access Violation]]
* 449 [[Unsafe Mobile Code: Dangerous Array Declaration]]
* 450 [[Unsafe Mobile Code: Dangerous Public Field]]
* 451 [[Unsafe Mobile Code: Inner Class]]
* 452 [[Unsafe Mobile Code: Public finalize() Method]]
* 453 [[Unsafe Privilege]]
* 454 [[Unsafe Reflection]]
* 455 [[Unsigned to signed conversion error]]
* 456 [[Untrusted Data Appended with Trusted Data]]
* 457 [[Unverified Ownership]]
* 458 [[URL Encoding (Hex Encoding)]]
* 459 [[Use of hard-coded password]]
* 460 [[Use of Less Trusted Source]]
* 461 [[Use of Obsolete Methods]]
* 462 [[Use of sizeof() on a pointer type]]
* 463 [[User interface inconsistency]]
* 464 [[User Interface Quality Errors]]
* 465 [[User Interface Security Errors]]
* 466 [[User management errors]]
* 467 [[Using a broken or risky cryptographic algorithm]]
* 468 [[Using a key past its expiration date]]
* 469 [[Using freed memory]]
* 470 [[Using password systems]]
* 471 [[Using referer field for authentication or authorization]]
* 472 [[Using single-factor authentication]]
* 473 [[Using the wrong operator]]
* 474 [[Validate-Before-Canonicalize]]
* 475 [[Validate-Before-Filter]]
* 476 [[Validation performed in client]]
* 477 [[Value Delimiter]]
* 478 [[Value Problems]]
* 479 [[Variable Name Delimiter]]
* 480 [[Virtual Files]]
* 481 [[Weak credentials]]
* 482 [[Weak Encryption]]
* 483 [[Wrap-around error]]
* 484 [[Write-what-where condition]]
* 485 [[Wrong Data Type]]
* 486 [[Wrong Status Code]]

Back to [[ASDR_Table_of_Contents|TOC]]

[[Category:OWASP ASDR Project]]

Current revision (right-hand column of the diff, 04:18, 11 July 2012): the 161 entries rendered below.

Revision as of 04:18, 11 July 2012

  1. Access control enforced by presentation layer
  2. Addition of data-structure sentinel
  3. Allowing password aging
  4. ASP.NET Misconfigurations
  5. Assigning instead of comparing
  6. Authentication Bypass via Assumed-Immutable Data
  7. Buffer Overflow
  8. Buffer underwrite
  9. Business logic vulnerability
  10. Capture-replay
  11. Catch NullPointerException
  12. Comparing classes by name
  13. Comparing instead of assigning
  14. Comprehensive list of Threats to Authentication Procedures and Data
  15. Covert timing channel
  16. CRLF Injection
  17. Cross Site Scripting Flaw
  18. Dangerous Function
  19. Deletion of data-structure sentinel
  20. Deserialization of untrusted data
  21. Directory Restriction Error
  22. Double Free
  23. Doubly freeing memory
  24. Duplicate key in associative list (alist)
  25. Empty Catch Block
  26. Empty String Password
  27. Failure of true random number generator
  28. Failure to account for default case in switch
  29. Failure to add integrity check value
  30. Failure to check for certificate revocation
  31. Failure to check integrity check value
  32. Failure to check whether privileges were dropped successfully
  33. Failure to deallocate data
  34. Failure to drop privileges when reasonable
  35. Failure to encrypt data
  36. Failure to follow chain of trust in certificate validation
  37. Failure to follow guideline/specification
  38. Failure to protect stored data from modification
  39. Failure to provide confidentiality for stored data
  40. Failure to validate certificate expiration
  41. Failure to validate host-specific certificate data
  42. File Access Race Condition: TOCTOU
  43. Format String
  44. Guessed or visible temporary file
  45. Hard-Coded Password
  46. Heap Inspection
  47. Heap overflow
  48. HTTP Parameter Pollution
  49. Ignored function return value
  50. Illegal Pointer Value
  51. Improper cleanup on thrown exception
  52. Improper Data Validation
  53. Improper error handling
  54. Improper string length checking
  55. Improper temp file opening
  56. Incorrect block delimitation
  57. Information Leakage
  58. Information leak through class cloning
  59. Information leak through serialization
  60. Injection problem
  61. Insecure Compiler Optimization
  62. Insecure Randomness
  63. Insecure Temporary File
  64. Insecure Third Party Domain Access
  65. Insecure Transport
  66. Insufficient Entropy
  67. Insufficient entropy in pseudo-random number generator
  68. Insufficient Session-ID Length
  69. Integer coercion error
  70. Integer overflow
  71. Invoking untrusted mobile code
  72. J2EE Misconfiguration: Unsafe Bean Declaration
  73. Key exchange without entity authentication
  74. Least Privilege Violation
  75. Leftover Debug Code
  76. Log Forging
  77. Log injection
  78. Member Field Race Condition
  79. Memory leak
  80. Miscalculated null termination
  81. Misinterpreted function return value
  82. Missing Error Handling
  83. Missing parameter
  84. Missing XML Validation
  85. Mutable object returned
  86. Non-cryptographic pseudo-random number generator
  87. Not allowing password aging
  88. Not using a random initialization vector with cipher block chaining mode
  89. Null Dereference
  90. Object Model Violation: Just One of equals() and hashCode() Defined
  91. Often Misused: Authentication
  92. Often Misused: Exception Handling
  93. Often Misused: File System
  94. Often Misused: Privilege Management
  95. Often Misused: String Management
  96. Omitted break statement
  97. Open forward
  98. Open redirect
  99. Overflow of static internal buffer
  100. Overly-Broad Catch Block
  101. Overly-Broad Throws Declaration
  102. Passing mutable objects to an untrusted method
  103. Password Management: Hardcoded Password
  104. Password Management: Weak Cryptography
  105. Password Plaintext Storage
  106. PHP File Inclusion
  107. Poor Logging Practice
  108. Portability Flaw
  109. Privacy Violation
  110. PRNG Seed Error
  111. Process Control
  112. Publicizing of private data when using inner classes
  113. Race Conditions
  114. Reflection attack in an auth protocol
  115. Reflection injection
  116. Relative path library search
  117. Reliance on data layout
  118. Relying on package-level scope
  119. Resource exhaustion
  120. Return Inside Finally Block
  121. Reusing a nonce, key pair in encryption
  122. Session_Fixation
  123. Sign extension error
  124. Signed to unsigned conversion error
  125. Stack overflow
  126. State synchronization error
  127. Storing passwords in a recoverable format
  128. String Termination Error
  129. Symbolic name not mapping to correct object
  130. Template:Vulnerability
  131. Truncation error
  132. Trust Boundary Violation
  133. Trust of system event data
  134. Trusting self-reported DNS name
  135. Trusting self-reported IP address
  136. Uncaught exception
  137. Unchecked array indexing
  138. Unchecked Return Value: Missing Check against Null
  139. Undefined Behavior
  140. Uninitialized Variable
  141. Unintentional pointer scaling
  142. Unreleased Resource
  143. Unrestricted File Upload
  144. Unsafe function call from a signal handler
  145. Unsafe JNI
  146. Unsafe Mobile Code
  147. Unsafe Reflection
  148. Unsigned to signed conversion error
  149. Use of hard-coded password
  150. Use of Obsolete Methods
  151. Use of sizeof() on a pointer type
  152. Using a broken or risky cryptographic algorithm
  153. Using a key past its expiration date
  154. Using freed memory
  155. Using password systems
  156. Using referer field for authentication or authorization
  157. Using single-factor authentication
  158. Using the wrong operator
  159. Validation performed in client
  160. Wrap-around error
  161. Write-what-where condition