Difference between revisions of "ASDR TOC Vulnerabilities"

From OWASP
Line 103: Line 103:
 
# [[Password Plaintext Storage]]
 
# [[Password Plaintext Storage]]
 
# [[PHP File Inclusion]]
 
# [[PHP File Inclusion]]
# [[Poor Logging Practice: Logger Not Declared Static Final]]
+
# [[Poor Logging Practice]]
# [[Poor Logging Practice: Multiple Loggers]]
+
# [[Poor Logging Practice: Use of a System Output Stream]]
+
 
# [[Portability Flaw]]
 
# [[Portability Flaw]]
 
# [[Privacy Violation]]
 
# [[Privacy Violation]]

Revision as of 19:10, 17 February 2009

Back to TOC

  1. Access control enforced by presentation layer
  2. Addition of data-structure sentinel
  3. Allowing password aging
  4. ASP.NET Misconfigurations
  5. Assigning instead of comparing
  6. Authentication Bypass via Assumed-Immutable Data
  7. Behavioral problems
  8. Buffer Overflow
  9. Buffer underwrite
  10. Capture-replay
  11. Catch NullPointerException
  12. Comparing classes by name
  13. Comparing instead of assigning
  14. Comprehensive list of Threats to Authentication Procedures and Data
  15. Covert timing channel
  16. CRLF Injection
  17. Cross Site Scripting Flaw
  18. Dangerous Function
  19. Deletion of data-structure sentinel
  20. Deserialization of untrusted data
  21. Directory Restriction Error
  22. Double Free
  23. Doubly freeing memory
  24. Duplicate key in associative list (alist)
  25. Empty Catch Block
  26. Empty String Password
  27. Failure of true random number generator
  28. Failure to account for default case in switch
  29. Failure to add integrity check value
  30. Failure to check for certificate revocation
  31. Failure to check integrity check value
  32. Failure to check whether privileges were dropped successfully
  33. Failure to deallocate data
  34. Failure to drop privileges when reasonable
  35. Failure to encrypt data
  36. Failure to follow guideline/specification
  37. Failure to follow chain of trust in certificate validation
  38. Failure to protect stored data from modification
  39. Failure to provide confidentiality for stored data
  40. Failure to validate certificate expiration
  41. Failure to validate host-specific certificate data
  42. File Access Race Condition: TOCTOU
  43. Format String
  44. Guessed or visible temporary file
  45. Hard-Coded Password
  46. Heap Inspection
  47. Heap overflow
  48. Ignored function return value
  49. Illegal Pointer Value
  50. Improper cleanup on thrown exception
  51. Improper error handling
  52. Improper string length checking
  53. Improper temp file opening
  54. Incorrect block delimitation
  55. Information Leakage
  56. Injection problem
  57. Insecure Compiler Optimization
  58. Insecure Randomness
  59. Insecure Temporary File
  60. Insecure Third Party Domain Access
  61. Insecure Transport
  62. Insufficient Entropy
  63. Insufficient entropy in pseudo-random number generator
  64. Insufficient Session-ID Length
  65. Integer coercion error
  66. Integer overflow
  67. Invoking untrusted mobile code
  68. J2EE Misconfiguration: Unsafe Bean Declaration
  69. Key exchange without entity authentication
  70. Least Privilege Violation
  71. Leftover Debug Code
  72. Log Forging
  73. Log injection
  74. Member Field Race Condition
  75. Memory leak
  76. Miscalculated null termination
  77. Misinterpreted function return value
  78. Missing Error Handling
  79. Missing parameter
  80. Missing XML Validation
  81. Mutable object returned
  82. Non-cryptographic pseudo-random number generator
  83. Not allowing password aging
  84. Not using a random initialization vector with cipher block chaining mode
  85. Null Dereference
  86. Object Model Violation: Just One of equals() and hashCode() Defined
  87. Often Misused: Authentication
  88. Often Misused: Exception Handling
  89. Often Misused: File System
  90. Often Misused: Privilege Management
  91. Often Misused: String Management
  92. Omitted break statement
  93. Open forward
  94. Open redirect
  95. Overflow of static internal buffer
  96. Overly-Broad Catch Block
  97. Overly-Broad Throws Declaration
  98. Passing mutable objects to an untrusted method
  99. Password Management: Hardcoded Password
  100. Password Management: Weak Cryptography
  101. Password Plaintext Storage
  102. PHP File Inclusion
  103. Poor Logging Practice
  104. Portability Flaw
  105. Privacy Violation
  106. PRNG Seed Error
  107. Process Control
  108. Publicizing of private data when using inner classes
  109. Race condition in checking for certificate revocation
  110. Race condition in signal handler
  111. Race condition in switch
  112. Race condition within a thread
  113. Race Conditions
  114. Reflection attack in an auth protocol
  115. Reflection injection
  116. Relative path library search
  117. Reliance on data layout
  118. Relying on package-level scope
  119. Resource exhaustion
  120. Return Inside Finally Block
  121. Reusing a nonce, key pair in encryption
  122. Sign extension error
  123. Signed to unsigned conversion error
  124. Stack overflow
  125. State synchronization error
  126. Storing passwords in a recoverable format
  127. String Termination Error
  128. Struts: Duplicate Validation Forms
  129. Struts: Erroneous validate() Method
  130. Struts: Form Does Not Extend Validation Class
  131. Struts: Form Field Without Validator
  132. Struts: Plug-in Framework Not In Use
  133. Struts: Unused Validation Form
  134. Struts: Unvalidated Action Form
  135. Struts: Validator Turned Off
  136. Struts: Validator Without Form Field
  137. Symbolic name not mapping to correct object
  138. Template:Vulnerability
  139. Truncation error
  140. Trust Boundary Violation
  141. Trust of system event data
  142. Trusting self-reported DNS name
  143. Trusting self-reported IP address
  144. Uncaught exception
  145. Unchecked array indexing
  146. Unchecked Return Value: Missing Check against Null
  147. Undefined Behavior
  148. Uninitialized Variable
  149. Unintentional pointer scaling
  150. Unreleased Resource
  151. Unrestricted File Upload
  152. Unsafe function call from a signal handler
  153. Unsafe JNI
  154. Unsafe Mobile Code
  155. Unsafe Reflection
  156. Unsigned to signed conversion error
  157. Use of hard-coded password
  158. Use of Obsolete Methods
  159. Use of sizeof() on a pointer type
  160. Using a broken or risky cryptographic algorithm
  161. Using a key past its expiration date
  162. Using freed memory
  163. Using password systems
  164. Using referer field for authentication or authorization
  165. Using single-factor authentication
  166. Using the wrong operator
  167. Validation performed in client
  168. Wrap-around error
  169. Write-what-where condition