ASDR TOC Vulnerabilities

From OWASP
Revision as of 04:18, 11 July 2012 by Hugh Pearse (Talk | contribs)

Jump to: navigation, search
  1. Access control enforced by presentation layer
  2. Addition of data-structure sentinel
  3. Allowing password aging
  4. ASP.NET Misconfigurations
  5. Assigning instead of comparing
  6. Authentication Bypass via Assumed-Immutable Data
  7. Buffer Overflow
  8. Buffer underwrite
  9. Business logic vulnerability
  10. Capture-replay
  11. Catch NullPointerException
  12. Comparing classes by name
  13. Comparing instead of assigning
  14. Comprehensive list of Threats to Authentication Procedures and Data
  15. Covert timing channel
  16. CRLF Injection
  17. Cross Site Scripting Flaw
  18. Dangerous Function
  19. Deletion of data-structure sentinel
  20. Deserialization of untrusted data
  21. Directory Restriction Error
  22. Double Free
  23. Doubly freeing memory
  24. Duplicate key in associative list (alist)
  25. Empty Catch Block
  26. Empty String Password
  27. Failure of true random number generator
  28. Failure to account for default case in switch
  29. Failure to add integrity check value
  30. Failure to check for certificate revocation
  31. Failure to check integrity check value
  32. Failure to check whether privileges were dropped successfully
  33. Failure to deallocate data
  34. Failure to drop privileges when reasonable
  35. Failure to encrypt data
  36. Failure to follow chain of trust in certificate validation
  37. Failure to follow guideline/specification
  38. Failure to protect stored data from modification
  39. Failure to provide confidentiality for stored data
  40. Failure to validate certificate expiration
  41. Failure to validate host-specific certificate data
  42. File Access Race Condition: TOCTOU
  43. Format String
  44. Guessed or visible temporary file
  45. Hard-Coded Password
  46. Heap Inspection
  47. Heap overflow
  48. HTTP Parameter Pollution
  49. Ignored function return value
  50. Illegal Pointer Value
  51. Improper cleanup on thrown exception
  52. Improper Data Validation
  53. Improper error handling
  54. Improper string length checking
  55. Improper temp file opening
  56. Incorrect block delimitation
  57. Information Leakage
  58. Information leak through class cloning
  59. Information leak through serialization
  60. Injection problem
  61. Insecure Compiler Optimization
  62. Insecure Randomness
  63. Insecure Temporary File
  64. Insecure Third Party Domain Access
  65. Insecure Transport
  66. Insufficient Entropy
  67. Insufficient entropy in pseudo-random number generator
  68. Insufficient Session-ID Length
  69. Integer coercion error
  70. Integer overflow
  71. Invoking untrusted mobile code
  72. J2EE Misconfiguration: Unsafe Bean Declaration
  73. Key exchange without entity authentication
  74. Least Privilege Violation
  75. Leftover Debug Code
  76. Log Forging
  77. Log injection
  78. Member Field Race Condition
  79. Memory leak
  80. Miscalculated null termination
  81. Misinterpreted function return value
  82. Missing Error Handling
  83. Missing parameter
  84. Missing XML Validation
  85. Mutable object returned
  86. Non-cryptographic pseudo-random number generator
  87. Not allowing password aging
  88. Not using a random initialization vector with cipher block chaining mode
  89. Null Dereference
  90. Object Model Violation: Just One of equals() and hashCode() Defined
  91. Often Misused: Authentication
  92. Often Misused: Exception Handling
  93. Often Misused: File System
  94. Often Misused: Privilege Management
  95. Often Misused: String Management
  96. Omitted break statement
  97. Open forward
  98. Open redirect
  99. Overflow of static internal buffer
  100. Overly-Broad Catch Block
  101. Overly-Broad Throws Declaration
  102. Passing mutable objects to an untrusted method
  103. Password Management: Hardcoded Password
  104. Password Management: Weak Cryptography
  105. Password Plaintext Storage
  106. PHP File Inclusion
  107. Poor Logging Practice
  108. Portability Flaw
  109. Privacy Violation
  110. PRNG Seed Error
  111. Process Control
  112. Publicizing of private data when using inner classes
  113. Race Conditions
  114. Reflection attack in an auth protocol
  115. Reflection injection
  116. Relative path library search
  117. Reliance on data layout
  118. Relying on package-level scope
  119. Resource exhaustion
  120. Return Inside Finally Block
  121. Reusing a nonce, key pair in encryption
  122. Session_Fixation
  123. Sign extension error
  124. Signed to unsigned conversion error
  125. Stack overflow
  126. State synchronization error
  127. Storing passwords in a recoverable format
  128. String Termination Error
  129. Symbolic name not mapping to correct object
  130. Template:Vulnerability
  131. Truncation error
  132. Trust Boundary Violation
  133. Trust of system event data
  134. Trusting self-reported DNS name
  135. Trusting self-reported IP address
  136. Uncaught exception
  137. Unchecked array indexing
  138. Unchecked Return Value: Missing Check against Null
  139. Undefined Behavior
  140. Uninitialized Variable
  141. Unintentional pointer scaling
  142. Unreleased Resource
  143. Unrestricted File Upload
  144. Unsafe function call from a signal handler
  145. Unsafe JNI
  146. Unsafe Mobile Code
  147. Unsafe Reflection
  148. Unsigned to signed conversion error
  149. Use of hard-coded password
  150. Use of Obsolete Methods
  151. Use of sizeof() on a pointer type
  152. Using a broken or risky cryptographic algorithm
  153. Using a key past its expiration date
  154. Using freed memory
  155. Using password systems
  156. Using referer field for authentication or authorization
  157. Using single-factor authentication
  158. Using the wrong operator
  159. Validation performed in client
  160. Wrap-around error
  161. Write-what-where condition