ASDR TOC Vulnerabilities

From OWASP
Revision as of 19:53, 17 February 2009 by KirstenS (Talk | contribs)


Back to TOC

  1. Access control enforced by presentation layer
  2. Addition of data-structure sentinel
  3. Allowing password aging
  4. ASP.NET Misconfigurations
  5. Assigning instead of comparing
  6. Authentication Bypass via Assumed-Immutable Data
  7. Behavioral problems
  8. Buffer Overflow
  9. Buffer underwrite
  10. Capture-replay
  11. Catch NullPointerException
  12. Comparing classes by name
  13. Comparing instead of assigning
  14. Comprehensive list of Threats to Authentication Procedures and Data
  15. Covert timing channel
  16. CRLF Injection
  17. Cross Site Scripting Flaw
  18. Dangerous Function
  19. Deletion of data-structure sentinel
  20. Deserialization of untrusted data
  21. Directory Restriction Error
  22. Double Free
  23. Doubly freeing memory
  24. Duplicate key in associative list (alist)
  25. Empty Catch Block
  26. Empty String Password
  27. Failure of true random number generator
  28. Failure to account for default case in switch
  29. Failure to add integrity check value
  30. Failure to check for certificate revocation
  31. Failure to check integrity check value
  32. Failure to check whether privileges were dropped successfully
  33. Failure to deallocate data
  34. Failure to drop privileges when reasonable
  35. Failure to encrypt data
  36. Failure to follow guideline/specification
  37. Failure to follow chain of trust in certificate validation
  38. Failure to protect stored data from modification
  39. Failure to provide confidentiality for stored data
  40. Failure to validate certificate expiration
  41. Failure to validate host-specific certificate data
  42. File Access Race Condition: TOCTOU
  43. Format String
  44. Guessed or visible temporary file
  45. Hard-Coded Password
  46. Heap Inspection
  47. Heap overflow
  48. Ignored function return value
  49. Illegal Pointer Value
  50. Improper cleanup on thrown exception
  51. Improper data validation
  52. Improper error handling
  53. Improper string length checking
  54. Improper temp file opening
  55. Incorrect block delimitation
  56. Information Leakage
  57. Injection problem
  58. Insecure Compiler Optimization
  59. Insecure Randomness
  60. Insecure Temporary File
  61. Insecure Third Party Domain Access
  62. Insecure Transport
  63. Insufficient Entropy
  64. Insufficient entropy in pseudo-random number generator
  65. Insufficient Session-ID Length
  66. Integer coercion error
  67. Integer overflow
  68. Invoking untrusted mobile code
  69. J2EE Misconfiguration: Unsafe Bean Declaration
  70. Key exchange without entity authentication
  71. Least Privilege Violation
  72. Leftover Debug Code
  73. Log Forging
  74. Log injection
  75. Member Field Race Condition
  76. Memory leak
  77. Miscalculated null termination
  78. Misinterpreted function return value
  79. Missing Error Handling
  80. Missing parameter
  81. Missing XML Validation
  82. Mutable object returned
  83. Non-cryptographic pseudo-random number generator
  84. Not allowing password aging
  85. Not using a random initialization vector with cipher block chaining mode
  86. Null Dereference
  87. Object Model Violation: Just One of equals() and hashCode() Defined
  88. Often Misused: Authentication
  89. Often Misused: Exception Handling
  90. Often Misused: File System
  91. Often Misused: Privilege Management
  92. Often Misused: String Management
  93. Omitted break statement
  94. Open forward
  95. Open redirect
  96. Overflow of static internal buffer
  97. Overly-Broad Catch Block
  98. Overly-Broad Throws Declaration
  99. Passing mutable objects to an untrusted method
  100. Password Management: Hardcoded Password
  101. Password Management: Weak Cryptography
  102. Password Plaintext Storage
  103. PHP File Inclusion
  104. Poor Logging Practice
  105. Portability Flaw
  106. Privacy Violation
  107. PRNG Seed Error
  108. Process Control
  109. Publicizing of private data when using inner classes
  110. Race Conditions
  111. Reflection attack in an auth protocol
  112. Reflection injection
  113. Relative path library search
  114. Reliance on data layout
  115. Relying on package-level scope
  116. Resource exhaustion
  117. Return Inside Finally Block
  118. Reusing a nonce, key pair in encryption
  119. Sign extension error
  120. Signed to unsigned conversion error
  121. Stack overflow
  122. State synchronization error
  123. Storing passwords in a recoverable format
  124. String Termination Error
  125. Symbolic name not mapping to correct object
  126. Template:Vulnerability
  127. Truncation error
  128. Trust Boundary Violation
  129. Trust of system event data
  130. Trusting self-reported DNS name
  131. Trusting self-reported IP address
  132. Uncaught exception
  133. Unchecked array indexing
  134. Unchecked Return Value: Missing Check against Null
  135. Undefined Behavior
  136. Uninitialized Variable
  137. Unintentional pointer scaling
  138. Unreleased Resource
  139. Unrestricted File Upload
  140. Unsafe function call from a signal handler
  141. Unsafe JNI
  142. Unsafe Mobile Code
  143. Unsafe Reflection
  144. Unsigned to signed conversion error
  145. Use of hard-coded password
  146. Use of Obsolete Methods
  147. Use of sizeof() on a pointer type
  148. Using a broken or risky cryptographic algorithm
  149. Using a key past its expiration date
  150. Using freed memory
  151. Using password systems
  152. Using referer field for authentication or authorization
  153. Using single-factor authentication
  154. Using the wrong operator
  155. Validation performed in client
  156. Wrap-around error
  157. Write-what-where condition
