Difference between revisions of "ASDR TOC Vulnerabilities"

From OWASP
Jump to: navigation, search
Line 76: Line 76:
 
# [[Early Amplification]]
 
# [[Early Amplification]]
 
# [[EJB Bad Practices: Use of AWT/Swing]]
 
# [[EJB Bad Practices: Use of AWT/Swing]]
* 77 [[EJB Bad Practices: Use of Class Loader]]
+
# [[EJB Bad Practices: Use of Class Loader]]
* 78 [[EJB Bad Practices: Use of java.io]]
+
# [[EJB Bad Practices: Use of java.io]]
* 79 [[EJB Bad Practices: Use of Sockets]]
+
# [[EJB Bad Practices: Use of Sockets]]
* 80 [[EJB Bad Practices: Use of Synchronization Primitives]]
+
# [[EJB Bad Practices: Use of Synchronization Primitives]]
* 81 [[Empty Catch Block]]
+
# [[Empty Catch Block]]
* 82 [[Empty String Password]]
+
# [[Empty String Password]]
* 83 [[Error Conditions, Return Values, Status Codes]]
+
# [[Error Conditions, Return Values, Status Codes]]
* 84 [[Error Message Infoleaks]]
+
# [[Error Message Infoleaks]]
* 85 [[Escape, Meta, or Control Character / Sequence]]
+
# [[Escape, Meta, or Control Character / Sequence]]
* 86 [[Expected behavior violation]]
+
# [[Expected behavior violation]]
* 87 [[External behavioral inconsistency infoleak]]
+
# [[External behavioral inconsistency infoleak]]
* 88 [[External initialization of trusted variables or values]]
+
# [[External initialization of trusted variables or values]]
* 89 [[Extra Parameter Error]]
+
# [[Extra Parameter Error]]
* 90 [[Extra Special Element]]
+
# [[Extra Special Element]]
* 91 [[Extra Unhandled Features]]
+
# [[Extra Unhandled Features]]
* 92 [[Extra Value Error]]
+
# [[Extra Value Error]]
* 93 [[Fails poorly due to insufficient permissions]]
+
# [[Fails poorly due to insufficient permissions]]
* 94 [[Failure of true random number generator]]
+
# [[Failure of true random number generator]]
* 95 [[Failure to account for default case in switch]]
+
# [[Failure to account for default case in switch]]
* 96 [[Failure to add integrity check value]]
+
# [[Failure to add integrity check value]]
* 97 [[Failure to check for certificate revocation]]
+
# [[Failure to check for certificate revocation]]
* 98 [[Failure to check integrity check value]]
+
# [[Failure to check integrity check value]]
* 99 [[Failure to check whether privileges were dropped successfully]]
+
# [[Failure to check whether privileges were dropped successfully]]
* 100 [[Failure to deallocate data]]
+
# [[Failure to deallocate data]]
* 101 [[Failure to drop privileges when reasonable]]
+
# [[Failure to drop privileges when reasonable]]
* 102 [[Failure to encrypt data]]
+
# [[Failure to encrypt data]]
* 103 [[Failure to follow chain of trust in certificate validation]]
+
# [[Failure to follow chain of trust in certificate validation]]
* 104 [[Failure to protect stored data from modification]]
+
# [[Failure to protect stored data from modification]]
* 105 [[Failure to provide confidentiality for stored data]]
+
# [[Failure to provide confidentiality for stored data]]
* 106 [[Failure to validate certificate expiration]]
+
# [[Failure to validate certificate expiration]]
* 107 [[Failure to validate host-specific certificate data]]
+
# [[Failure to validate host-specific certificate data]]
* 108 [[File Access Race Condition: TOCTOU]]
+
# [[File Access Race Condition: TOCTOU]]
* 109 [[Format String]]
+
# [[Format String]]
* 110 [[Format string problem]]
+
# [[Format string problem]]
* 111 [[General Special Element Problems]]
+
# [[General Special Element Problems]]
* 112 [[Grouping Element / Paired Delimiter]]
+
# [[Grouping Element / Paired Delimiter]]
* 113 [[Guessed or visible temporary file]]
+
# [[Guessed or visible temporary file]]
* 114 [[Hard-Coded Password]]
+
# [[Hard-Coded Password]]
* 115 [[Heap Inspection]]
+
# [[Heap Inspection]]
* 116 [[Heap overflow]]
+
# [[Heap overflow]]
* 117 [[Ignored function return value]]
+
# [[Ignored function return value]]
* 118 [[Illegal Pointer Value]]
+
# [[Illegal Pointer Value]]
* 119 [[Improper cleanup on thrown exception]]
+
# [[Improper cleanup on thrown exception]]
* 120 [[Improper error handling]]
+
# [[Improper error handling]]
* 121 [[Improper Handler Deployment]]
+
# [[Improper Handler Deployment]]
* 122 [[Improper Null Termination]]
+
# [[Improper Null Termination]]
* 123 [[Improper resource shutdown or release]]
+
# [[Improper resource shutdown or release]]
* 124 [[Improper string length checking]]
+
# [[Improper string length checking]]
* 125 [[Improper temp file opening]]
+
# [[Improper temp file opening]]
* 126 [[Improperly Implemented Security Check for Standard]]
+
# [[Improperly Implemented Security Check for Standard]]
* 127 [[Improperly Trusted Reverse DNS]]
+
# [[Improperly Trusted Reverse DNS]]
* 128 [[Improperly Verified Signature]]
+
# [[Improperly Verified Signature]]
* 129 [[Inadvertent]]
+
# [[Inadvertent]]
* 130 [[Incomplete Blacklist]]
+
# [[Incomplete Blacklist]]
* 131 [[Incomplete Cleanup]]
+
# [[Incomplete Cleanup]]
* 132 [[Incomplete Element]]
+
# [[Incomplete Element]]
* 133 [[Incomplete Internal State Distinction]]
+
# [[Incomplete Internal State Distinction]]
* 134 [[Inconsistent Elements]]
+
# [[Inconsistent Elements]]
* 135 [[Inconsistent Implementations]]
+
# [[Inconsistent Implementations]]
* 136 [[Inconsistent Special Elements]]
+
# [[Inconsistent Special Elements]]
* 137 [[Incorrect block delimitation]]
+
# [[Incorrect block delimitation]]
* 138 [[Incorrect initialization]]
+
# [[Incorrect initialization]]
* 139 [[Incorrect Privilege Assignment]]
+
# [[Incorrect Privilege Assignment]]
* 140 [[Infoleak Using Debug Information]]
+
# [[Infoleak Using Debug Information]]
* 141 [[Information Leak (information disclosure)]]
+
# [[Information Leak (information disclosure)]]
* 142 [[Information leak through class cloning]]
+
# [[Information leak through class cloning]]
* 143 [[Information leak through serialization]]
+
# [[Information leak through serialization]]
* 144 [[Information loss or omission]]
+
# [[Information loss or omission]]
* 145 [[Initialization and Cleanup Errors]]
+
# [[Initialization and Cleanup Errors]]
* 146 [[Injection problem]]
+
# [[Injection problem]]
* 147 [[Input Terminator]]
+
# [[Input Terminator]]
* 148 [[Insecure Compiler Optimization]]
+
# [[Insecure Compiler Optimization]]
* 149 [[Insecure Default Permissions]]
+
# [[Insecure Default Permissions]]
* 150 [[Insecure default variable initialization]]
+
# [[Insecure default variable initialization]]
* 151 [[Insecure execution-assigned permissions]]
+
# [[Insecure execution-assigned permissions]]
* 152 [[Insecure inherited permissions]]
+
# [[Insecure inherited permissions]]
* 153 [[Insecure preserved inherited permissions]]
+
# [[Insecure preserved inherited permissions]]
* 154 [[Insecure Randomness]]
+
# [[Insecure Randomness]]
* 155 [[Insecure Temporary File]]
+
# [[Insecure Temporary File]]
* 156 [[Installation Issues]]
+
# [[Installation Issues]]
* 157 [[Insufficient Entropy]]
+
# [[Insufficient Entropy]]
* 158 [[Insufficient entropy in pseudo-random number generator]]
+
# [[Insufficient entropy in pseudo-random number generator]]
* 159 [[Insufficient privileges]]
+
# [[Insufficient privileges]]
* 160 [[Insufficient Resource Locking]]
+
# [[Insufficient Resource Locking]]
* 161 [[Insufficient Resource Pool]]
+
# [[Insufficient Resource Pool]]
* 162 [[Insufficient Type Distinction]]
+
# [[Insufficient Type Distinction]]
* 163 [[Insufficient UI warning of dangerous operations]]
+
# [[Insufficient UI warning of dangerous operations]]
* 164 [[Insufficient Verification of Data]]
+
# [[Insufficient Verification of Data]]
* 165 [[Integer coercion error]]
+
# [[Integer coercion error]]
* 166 [[Integer overflow]]
+
# [[Integer overflow]]
* 167 [[Integer Overflow]]
+
# [[Integer Overflow]]
* 168 [[Integer underflow (wrap or wraparound)]]
+
# [[Integer underflow (wrap or wraparound)]]
* 169 [[Intended information leak]]
+
# [[Intended information leak]]
* 170 [[Interaction Errors]]
+
# [[Interaction Errors]]
* 171 [[Internal behavioral inconsistency infoleak]]
+
# [[Internal behavioral inconsistency infoleak]]
* 172 [[Internal Special Element]]
+
# [[Internal Special Element]]
* 173 [[Invalid Characters in Identifiers]]
+
# [[Invalid Characters in Identifiers]]
* 174 [[Invoking untrusted mobile code]]
+
# [[Invoking untrusted mobile code]]
* 175 [[J2EE Bad Practices: getConnection()]]
+
# [[J2EE Bad Practices: getConnection()]]
* 176 [[J2EE Bad Practices: JSP Expressions]]
+
# [[J2EE Bad Practices: JSP Expressions]]
* 177 [[J2EE Bad Practices: Sockets]]
+
# [[J2EE Bad Practices: Sockets]]
* 178 [[J2EE Bad Practices: System.exit()]]
+
# [[J2EE Bad Practices: System.exit()]]
* 179 [[J2EE Bad Practices: Threads]]
+
# [[J2EE Bad Practices: Threads]]
* 180 [[J2EE Misconfiguration: Insecure Transport]]
+
# [[J2EE Misconfiguration: Insecure Transport]]
* 181 [[J2EE Misconfiguration: Insufficient Session-ID Length]]
+
# [[J2EE Misconfiguration: Insufficient Session-ID Length]]
* 182 [[J2EE Misconfiguration: Missing Error Handling]]
+
# [[J2EE Misconfiguration: Missing Error Handling]]
* 183 [[J2EE Misconfiguration: Unsafe Bean Declaration]]
+
# [[J2EE Misconfiguration: Unsafe Bean Declaration]]
* 184 [[J2EE Misconfiguration: Weak Access Permissions]]
+
# [[J2EE Misconfiguration: Weak Access Permissions]]
* 185 [[J2EE Time and State Issues]]
+
# [[J2EE Time and State Issues]]
* 186 [[Key exchange without entity authentication]]
+
# [[Key exchange without entity authentication]]
* 187 [[Key management errors]]
+
# [[Key management errors]]
* 188 [[Leading Special Element]]
+
# [[Leading Special Element]]
* 189 [[Least Privilege Violation]]
+
# [[Least Privilege Violation]]
* 190 [[Leftover Debug Code]]
+
# [[Leftover Debug Code]]
* 191 [[Length Parameter Inconsistency]]
+
# [[Length Parameter Inconsistency]]
* 192 [[Line Delimiter]]
+
# [[Line Delimiter]]
* 193 [[Log Forging]]
+
# [[Log Forging]]
* 194 [[Log injection]]
+
# [[Log injection]]
* 195 [[Mac virtual file problems]]
+
# [[Mac virtual file problems]]
* 196 [[Macro symbol]]
+
# [[Macro symbol]]
* 197 [[Member Field Race Condition]]
+
# [[Member Field Race Condition]]
* 198 [[Memory leak]]
+
# [[Memory leak]]
* 199 [[Memory Leak]]
+
# [[Memory Leak]]
* 200 [[Miscalculated null termination]]
+
# [[Miscalculated null termination]]
* 201 [[Misinterpretation error]]
+
# [[Misinterpretation error]]
* 202 [[Misinterpreted function return value]]
+
# [[Misinterpreted function return value]]
* 203 [[Missing access control]]
+
# [[Missing access control]]
* 204 [[Missing critical step in authentication]]
+
# [[Missing critical step in authentication]]
* 205 [[Missing element error]]
+
# [[Missing element error]]
* 206 [[Missing error status code]]
+
# [[Missing error status code]]
* 207 [[Missing handler]]
+
# [[Missing handler]]
* 208 [[Missing initialization]]
+
# [[Missing initialization]]
* 209 [[Missing lock check]]
+
# [[Missing lock check]]
* 210 [[Missing parameter]]
+
# [[Missing parameter]]
* 211 [[Missing parameter error]]
+
# [[Missing parameter error]]
* 212 [[Missing required cryptographic step]]
+
# [[Missing required cryptographic step]]
* 213 [[Missing special element]]
+
# [[Missing special element]]
* 214 [[Missing value error]]
+
# [[Missing value error]]
* 215 [[Missing XML Validation]]
+
# [[Missing XML Validation]]
* 216 [[Mixed encoding]]
+
# [[Mixed encoding]]
* 217 [[Modification of assumed-immutable data]]
+
# [[Modification of assumed-immutable data]]
* 218 [[Multiple failed authentication attempts not prevented]]
+
# [[Multiple failed authentication attempts not prevented]]
* 219 [[Multiple internal special element]]
+
# [[Multiple internal special element]]
* 220 [[Multiple interpretation error (MIE)]]
+
# [[Multiple interpretation error (MIE)]]
* 221 [[Multiple interpretations of UI input]]
+
# [[Multiple interpretations of UI input]]
* 222 [[Multiple Leading Special Elements]]
+
# [[Multiple Leading Special Elements]]
* 223 [[Multiple Trailing Special Elements]]
+
# [[Multiple Trailing Special Elements]]
* 224 [[Mutable object returned]]
+
# [[Mutable object returned]]
* 225 [[Mutable objects passed by reference]]
+
# [[Mutable objects passed by reference]]
* 226 [[No authentication for critical function]]
+
# [[No authentication for critical function]]
* 227 [[Non-cryptographic pseudo-random number generator]]
+
# [[Non-cryptographic pseudo-random number generator]]
* 228 [[Non-exit on failed initialization]]
+
# [[Non-exit on failed initialization]]
* 229 [[Non-replicating]]
+
# [[Non-replicating]]
* 230 [[Not allowing password aging]]
+
# [[Not allowing password aging]]
* 231 [[Not using a random initialization vector with cipher block chaining mode]]
+
# [[Not using a random initialization vector with cipher block chaining mode]]
* 232 [[Null character / null byte]]
+
# [[Null character / null byte]]
* 233 [[Null Dereference]]
+
# [[Null Dereference]]
* 234 [[Null-pointer dereference]]
+
# [[Null-pointer dereference]]
* 235 [[Numeric Byte Ordering Error]]
+
# [[Numeric Byte Ordering Error]]
* 236 [[Numeric Errors]]
+
# [[Numeric Errors]]
* 237 [[Object Model Violation: Just One of equals() and hashCode() Defined]]
+
# [[Object Model Violation: Just One of equals() and hashCode() Defined]]
* 238 [[Obscured Security-relevant Information by Alternate Name]]
+
# [[Obscured Security-relevant Information by Alternate Name]]
* 239 [[Obsolete feature in UI]]
+
# [[Obsolete feature in UI]]
* 240 [[Off-by-one Error]]
+
# [[Off-by-one Error]]
* 241 [[Often Misused: Authentication]]
+
# [[Often Misused: Authentication]]
* 242 [[Often Misused: Exception Handling]]
+
# [[Often Misused: Exception Handling]]
* 243 [[Often Misused: File System]]
+
# [[Often Misused: File System]]
* 244 [[Often Misused: Path Manipulation]]
+
# [[Often Misused: Path Manipulation]]
* 245 [[Often Misused: Privilege Management]]
+
# [[Often Misused: Privilege Management]]
* 246 [[Often Misused: String Management]]
+
# [[Often Misused: String Management]]
* 247 [[Omission of Security-relevant Information]]
+
# [[Omission of Security-relevant Information]]
* 248 [[Omitted break statement]]
+
# [[Omitted break statement]]
* 249 [[Open forward]]
+
# [[Open forward]]
* 250 [[Open redirect]]
+
# [[Open redirect]]
* 251 [[Origin Validation Error]]
+
# [[Origin Validation Error]]
* 252 [[Other length calculation error]]
+
# [[Other length calculation error]]
* 253 [[Out-of-bounds Read]]
+
# [[Out-of-bounds Read]]
* 254 [[Overflow of static internal buffer]]
+
# [[Overflow of static internal buffer]]
* 255 [[Overly Restrictive Regular Expression]]
+
# [[Overly Restrictive Regular Expression]]
* 256 [[Overly-Broad Catch Block]]
+
# [[Overly-Broad Catch Block]]
* 257 [[Overly-Broad Throws Declaration]]
+
# [[Overly-Broad Throws Declaration]]
* 258 [[Ownership errors]]
+
# [[Ownership errors]]
* 259 [[Parameter Problems]]
+
# [[Parameter Problems]]
* 260 [[Partial Comparison]]
+
# [[Partial Comparison]]
* 261 [[Passing mutable objects to an untrusted method]]
+
# [[Passing mutable objects to an untrusted method]]
* 262 [[Password Management: Hardcoded Password]]
+
# [[Password Management: Hardcoded Password]]
* 263 [[Password Management: Weak Cryptography]]
+
# [[Password Management: Weak Cryptography]]
* 264 [[Password Plaintext Storage]]
+
# [[Password Plaintext Storage]]
* 265 [[Patch Issues]]
+
# [[Patch Issues]]
* 266 [[Path Equivalence]]
+
# [[Path Equivalence]]
* 267 [[Path Issue - asterix wildcard - filedir*]]
+
# [[Path Issue - asterix wildcard - filedir*]]
* 268 [[Path Issue - backslash absolute path - /absolute/pathname/here]]
+
# [[Path Issue - backslash absolute path - /absolute/pathname/here]]
* 269 [[Path Issue - directory doubled dot dot backslash]]
+
# [[Path Issue - directory doubled dot dot backslash]]
* 270 [[Path Issue - directory doubled dot dot slash]]
+
# [[Path Issue - directory doubled dot dot slash]]
* 271 [[Path Issue - dirname/fakechild/]]
+
# [[Path Issue - dirname/fakechild/]]
* 272 [[Path Issue - dot dot backslash]]
+
# [[Path Issue - dot dot backslash]]
* 273 [[Path Issue - doubled dot dot slash]]
+
# [[Path Issue - doubled dot dot slash]]
* 274 [[Path Issue - doubled triple dot slash]]
+
# [[Path Issue - doubled triple dot slash]]
* 275 [[Path Issue - drive letter or Windows volume - 'C:dirname']]
+
# [[Path Issue - drive letter or Windows volume - 'C:dirname']]
* 276 [[Path Issue - internal dot - 'file.ordir']]
+
# [[Path Issue - internal dot - 'file.ordir']]
* 277 [[Path Issue - internal space - file(SPACE)name]]
+
# [[Path Issue - internal space - file(SPACE)name]]
* 278 [[Path Issue - leading directory dot dot backslash]]
+
# [[Path Issue - leading directory dot dot backslash]]
* 279 [[Path Issue - leading directory dot dot slash]]
+
# [[Path Issue - leading directory dot dot slash]]
* 280 [[Path Issue - leading dot dot backslash]]
+
# [[Path Issue - leading dot dot backslash]]
* 281 [[Path Issue - leading dot dot slash]]
+
# [[Path Issue - leading dot dot slash]]
* 282 [[Path Issue - leading space]]
+
# [[Path Issue - leading space]]
* 283 [[Path Issue - multiple dot]]
+
# [[Path Issue - multiple dot]]
* 284 [[Path Issue - multiple internal backslash]]
+
# [[Path Issue - multiple internal backslash]]
* 285 [[Path Issue - multiple leading slash]]
+
# [[Path Issue - multiple leading slash]]
* 286 [[Path Issue - multiple trailing dot]]
+
# [[Path Issue - multiple trailing dot]]
 
* 287 [[Path Issue - multiple trailing slash]]
 
* 287 [[Path Issue - multiple trailing slash]]
 
* 288 [[Path Issue - single dot directory]]
 
* 288 [[Path Issue - single dot directory]]

Revision as of 07:35, 5 September 2008

Back to TOC

  1. Access control enforced by presentation layer
  2. Accidental leaking of sensitive information through data queries
  3. Accidental leaking of sensitive information through error messages
  4. Accidental leaking of sensitive information through sent data
  5. Addition of data-structure sentinel
  6. Algorithmic Complexity
  7. Allowing External Setting Manipulation
  8. Allowing password aging
  9. Alternate Channel Race Condition
  10. Alternate Encoding
  11. ASP.NET Misconfiguration: Creating Debug Binary
  12. ASP.NET Misconfiguration: Missing Custom Error Handling
  13. ASP.NET Misconfiguration: Password in Configuration File
  14. Assigning instead of comparing
  15. Authentication bypass by alternate name
  16. Authentication Bypass by Alternate Path/Channel
  17. Authentication Bypass by Primary Weakness
  18. Authentication bypass by spoofing
  19. Authentication Bypass via Assumed-Immutable Data
  20. Authentication Error
  21. Authentication Logic Error
  22. Behavioral Change
  23. Behavioral Discrepancy Infoleak
  24. Behavioral problems
  25. Buffer Overflow
  26. Buffer over-read
  27. Buffer under-read
  28. Buffer underwrite
  29. Bundling Issues
  30. Byte/Object Code
  31. Capture-replay
  32. Case Sensitivity (lowercase, uppercase, mixed case)
  33. Catch NullPointerException
  34. Channel and Path Errors
  35. Cleansing, Canonicalization, and Comparison Errors
  36. Code Correctness: Call to System.gc()
  37. Code Correctness: Call to Thread.run()
  38. Code Correctness: Class Does Not Implement Cloneable
  39. Code Correctness: Double-Checked Locking
  40. Code Correctness: Erroneous finalize() Method
  41. Code Correctness: Erroneous String Compare
  42. Code Correctness: Misspelled Method Name
  43. Code Correctness: null Argument to equals()
  44. Collapse of Data into Unsafe Value
  45. Common Special Element Manipulations
  46. Comparing classes by name
  47. Comparing instead of assigning
  48. Comprehensive list of Threats to Authentication Procedures and Data
  49. Context Switching Race Condition
  50. Covert timing channel
  51. CRLF Injection
  52. Cross Site Scripting
  53. Cross-Boundary Cleansing Infoleak
  54. Dangerous Function
  55. Dangerous handler not cleared/disabled during sensitive operations
  56. Data Amplification
  57. Data Leaking Between Users
  58. Data Structure Issues
  59. Dead Code: Broken Override
  60. Dead Code: Expression is Always False
  61. Dead Code: Expression is Always True
  62. Dead Code: Unused Field
  63. Dead Code: Unused Method
  64. Deletion of data-structure sentinel
  65. Delimiter between Expressions or Commands
  66. Delimiter Problems
  67. Deserialization of untrusted data
  68. Directory Restriction Error
  69. Discrepancy Information Leaks
  70. Double Free
  71. Doubled character XSS manipulations
  72. Doubly freeing memory
  73. Duplicate key in associative list (alist)
  74. Early Amplification
  75. EJB Bad Practices: Use of AWT/Swing
  76. EJB Bad Practices: Use of Class Loader
  77. EJB Bad Practices: Use of java.io
  78. EJB Bad Practices: Use of Sockets
  79. EJB Bad Practices: Use of Synchronization Primitives
  80. Empty Catch Block
  81. Empty String Password
  82. Error Conditions, Return Values, Status Codes
  83. Error Message Infoleaks
  84. Escape, Meta, or Control Character / Sequence
  85. Expected behavior violation
  86. External behavioral inconsistency infoleak
  87. External initialization of trusted variables or values
  88. Extra Parameter Error
  89. Extra Special Element
  90. Extra Unhandled Features
  91. Extra Value Error
  92. Fails poorly due to insufficient permissions
  93. Failure of true random number generator
  94. Failure to account for default case in switch
  95. Failure to add integrity check value
  96. Failure to check for certificate revocation
  97. Failure to check integrity check value
  98. Failure to check whether privileges were dropped successfully
  99. Failure to deallocate data
  100. Failure to drop privileges when reasonable
  101. Failure to encrypt data
  102. Failure to follow chain of trust in certificate validation
  103. Failure to protect stored data from modification
  104. Failure to provide confidentiality for stored data
  105. Failure to validate certificate expiration
  106. Failure to validate host-specific certificate data
  107. File Access Race Condition: TOCTOU
  108. Format String
  109. Format string problem
  110. General Special Element Problems
  111. Grouping Element / Paired Delimiter
  112. Guessed or visible temporary file
  113. Hard-Coded Password
  114. Heap Inspection
  115. Heap overflow
  116. Ignored function return value
  117. Illegal Pointer Value
  118. Improper cleanup on thrown exception
  119. Improper error handling
  120. Improper Handler Deployment
  121. Improper Null Termination
  122. Improper resource shutdown or release
  123. Improper string length checking
  124. Improper temp file opening
  125. Improperly Implemented Security Check for Standard
  126. Improperly Trusted Reverse DNS
  127. Improperly Verified Signature
  128. Inadvertent
  129. Incomplete Blacklist
  130. Incomplete Cleanup
  131. Incomplete Element
  132. Incomplete Internal State Distinction
  133. Inconsistent Elements
  134. Inconsistent Implementations
  135. Inconsistent Special Elements
  136. Incorrect block delimitation
  137. Incorrect initialization
  138. Incorrect Privilege Assignment
  139. Infoleak Using Debug Information
  140. Information Leak (information disclosure)
  141. Information leak through class cloning
  142. Information leak through serialization
  143. Information loss or omission
  144. Initialization and Cleanup Errors
  145. Injection problem
  146. Input Terminator
  147. Insecure Compiler Optimization
  148. Insecure Default Permissions
  149. Insecure default variable initialization
  150. Insecure execution-assigned permissions
  151. Insecure inherited permissions
  152. Insecure preserved inherited permissions
  153. Insecure Randomness
  154. Insecure Temporary File
  155. Installation Issues
  156. Insufficient Entropy
  157. Insufficient entropy in pseudo-random number generator
  158. Insufficient privileges
  159. Insufficient Resource Locking
  160. Insufficient Resource Pool
  161. Insufficient Type Distinction
  162. Insufficient UI warning of dangerous operations
  163. Insufficient Verification of Data
  164. Integer coercion error
  165. Integer overflow
  166. Integer Overflow
  167. Integer underflow (wrap or wraparound)
  168. Intended information leak
  169. Interaction Errors
  170. Internal behavioral inconsistency infoleak
  171. Internal Special Element
  172. Invalid Characters in Identifiers
  173. Invoking untrusted mobile code
  174. J2EE Bad Practices: getConnection()
  175. J2EE Bad Practices: JSP Expressions
  176. J2EE Bad Practices: Sockets
  177. J2EE Bad Practices: System.exit()
  178. J2EE Bad Practices: Threads
  179. J2EE Misconfiguration: Insecure Transport
  180. J2EE Misconfiguration: Insufficient Session-ID Length
  181. J2EE Misconfiguration: Missing Error Handling
  182. J2EE Misconfiguration: Unsafe Bean Declaration
  183. J2EE Misconfiguration: Weak Access Permissions
  184. J2EE Time and State Issues
  185. Key exchange without entity authentication
  186. Key management errors
  187. Leading Special Element
  188. Least Privilege Violation
  189. Leftover Debug Code
  190. Length Parameter Inconsistency
  191. Line Delimiter
  192. Log Forging
  193. Log injection
  194. Mac virtual file problems
  195. Macro symbol
  196. Member Field Race Condition
  197. Memory leak
  198. Memory Leak
  199. Miscalculated null termination
  200. Misinterpretation error
  201. Misinterpreted function return value
  202. Missing access control
  203. Missing critical step in authentication
  204. Missing element error
  205. Missing error status code
  206. Missing handler
  207. Missing initialization
  208. Missing lock check
  209. Missing parameter
  210. Missing parameter error
  211. Missing required cryptographic step
  212. Missing special element
  213. Missing value error
  214. Missing XML Validation
  215. Mixed encoding
  216. Modification of assumed-immutable data
  217. Multiple failed authentication attempts not prevented
  218. Multiple internal special element
  219. Multiple interpretation error (MIE)
  220. Multiple interpretations of UI input
  221. Multiple Leading Special Elements
  222. Multiple Trailing Special Elements
  223. Mutable object returned
  224. Mutable objects passed by reference
  225. No authentication for critical function
  226. Non-cryptographic pseudo-random number generator
  227. Non-exit on failed initialization
  228. Non-replicating
  229. Not allowing password aging
  230. Not using a random initialization vector with cipher block chaining mode
  231. Null character / null byte
  232. Null Dereference
  233. Null-pointer dereference
  234. Numeric Byte Ordering Error
  235. Numeric Errors
  236. Object Model Violation: Just One of equals() and hashCode() Defined
  237. Obscured Security-relevant Information by Alternate Name
  238. Obsolete feature in UI
  239. Off-by-one Error
  240. Often Misused: Authentication
  241. Often Misused: Exception Handling
  242. Often Misused: File System
  243. Often Misused: Path Manipulation
  244. Often Misused: Privilege Management
  245. Often Misused: String Management
  246. Omission of Security-relevant Information
  247. Omitted break statement
  248. Open forward
  249. Open redirect
  250. Origin Validation Error
  251. Other length calculation error
  252. Out-of-bounds Read
  253. Overflow of static internal buffer
  254. Overly Restrictive Regular Expression
  255. Overly-Broad Catch Block
  256. Overly-Broad Throws Declaration
  257. Ownership errors
  258. Parameter Problems
  259. Partial Comparison
  260. Passing mutable objects to an untrusted method
  261. Password Management: Hardcoded Password
  262. Password Management: Weak Cryptography
  263. Password Plaintext Storage
  264. Patch Issues
  265. Path Equivalence
  266. Path Issue - asterix wildcard - filedir*
  267. Path Issue - backslash absolute path - /absolute/pathname/here
  268. Path Issue - directory doubled dot dot backslash
  269. Path Issue - directory doubled dot dot slash
  270. Path Issue - dirname/fakechild/
  271. Path Issue - dot dot backslash
  272. Path Issue - doubled dot dot slash
  273. Path Issue - doubled triple dot slash
  274. Path Issue - drive letter or Windows volume - 'C:dirname'
  275. Path Issue - internal dot - 'file.ordir'
  276. Path Issue - internal space - file(SPACE)name
  277. Path Issue - leading directory dot dot backslash
  278. Path Issue - leading directory dot dot slash
  279. Path Issue - leading dot dot backslash
  280. Path Issue - leading dot dot slash
  281. Path Issue - leading space
  282. Path Issue - multiple dot
  283. Path Issue - multiple internal backslash
  284. Path Issue - multiple leading slash
  285. Path Issue - multiple trailing dot

Back to TOC