ASDR TOC Vulnerabilities

From OWASP
Revision as of 18:49, 7 April 2009 by KirstenS (Talk | contribs)

Jump to: navigation, search
  1. Access control enforced by presentation layer
  2. Addition of data-structure sentinel
  3. Allowing password aging
  4. ASP.NET Misconfigurations
  5. Assigning instead of comparing
  6. Authentication Bypass via Assumed-Immutable Data
  7. Buffer Overflow
  8. Buffer underwrite
  9. Business logic vulnerability
  10. Capture-replay
  11. Catch NullPointerException
  12. Comparing classes by name
  13. Comparing instead of assigning
  14. Comprehensive list of Threats to Authentication Procedures and Data
  15. Covert timing channel
  16. CRLF Injection
  17. Cross Site Scripting Flaw
  18. Dangerous Function
  19. Deletion of data-structure sentinel
  20. Deserialization of untrusted data
  21. Directory Restriction Error
  22. Double Free
  23. Doubly freeing memory
  24. Duplicate key in associative list (alist)
  25. Empty Catch Block
  26. Empty String Password
  27. Failure of true random number generator
  28. Failure to account for default case in switch
  29. Failure to add integrity check value
  30. Failure to check for certificate revocation
  31. Failure to check integrity check value
  32. Failure to check whether privileges were dropped successfully
  33. Failure to deallocate data
  34. Failure to drop privileges when reasonable
  35. Failure to encrypt data
  36. Failure to follow chain of trust in certificate validation
  37. Failure to follow guideline/specification
  38. Failure to protect stored data from modification
  39. Failure to provide confidentiality for stored data
  40. Failure to validate certificate expiration
  41. Failure to validate host-specific certificate data
  42. File Access Race Condition: TOCTOU
  43. Format String
  44. Guessed or visible temporary file
  45. Hard-Coded Password
  46. Heap Inspection
  47. Heap overflow
  48. Ignored function return value
  49. Illegal Pointer Value
  50. Improper cleanup on thrown exception
  51. Improper Data Validation
  52. Improper error handling
  53. Improper string length checking
  54. Improper temp file opening
  55. Incorrect block delimitation
  56. Information Leakage
  57. Information leak through class cloning
  58. Information leak through serialization
  59. Injection problem
  60. Insecure Compiler Optimization
  61. Insecure Randomness
  62. Insecure Temporary File
  63. Insecure Third Party Domain Access
  64. Insecure Transport
  65. Insufficient Entropy
  66. Insufficient entropy in pseudo-random number generator
  67. Insufficient Session-ID Length
  68. Integer coercion error
  69. Integer overflow
  70. Invoking untrusted mobile code
  71. J2EE Misconfiguration: Unsafe Bean Declaration
  72. Key exchange without entity authentication
  73. Least Privilege Violation
  74. Leftover Debug Code
  75. Log Forging
  76. Log injection
  77. Member Field Race Condition
  78. Memory leak
  79. Miscalculated null termination
  80. Misinterpreted function return value
  81. Missing Error Handling
  82. Missing parameter
  83. Missing XML Validation
  84. Mutable object returned
  85. Non-cryptographic pseudo-random number generator
  86. Not allowing password aging
  87. Not using a random initialization vector with cipher block chaining mode
  88. Null Dereference
  89. Object Model Violation: Just One of equals() and hashCode() Defined
  90. Often Misused: Authentication
  91. Often Misused: Exception Handling
  92. Often Misused: File System
  93. Often Misused: Privilege Management
  94. Often Misused: String Management
  95. Omitted break statement
  96. Open forward
  97. Open redirect
  98. Overflow of static internal buffer
  99. Overly-Broad Catch Block
  100. Overly-Broad Throws Declaration
  101. Passing mutable objects to an untrusted method
  102. Password Management: Hardcoded Password
  103. Password Management: Weak Cryptography
  104. Password Plaintext Storage
  105. PHP File Inclusion
  106. Poor Logging Practice
  107. Portability Flaw
  108. Privacy Violation
  109. PRNG Seed Error
  110. Process Control
  111. Publicizing of private data when using inner classes
  112. Race Conditions
  113. Reflection attack in an auth protocol
  114. Reflection injection
  115. Relative path library search
  116. Reliance on data layout
  117. Relying on package-level scope
  118. Resource exhaustion
  119. Return Inside Finally Block
  120. Reusing a nonce, key pair in encryption
  121. Session_Fixation
  122. Sign extension error
  123. Signed to unsigned conversion error
  124. Stack overflow
  125. State synchronization error
  126. Storing passwords in a recoverable format
  127. String Termination Error
  128. Symbolic name not mapping to correct object
  129. Template:Vulnerability
  130. Truncation error
  131. Trust Boundary Violation
  132. Trust of system event data
  133. Trusting self-reported DNS name
  134. Trusting self-reported IP address
  135. Uncaught exception
  136. Unchecked array indexing
  137. Unchecked Return Value: Missing Check against Null
  138. Undefined Behavior
  139. Uninitialized Variable
  140. Unintentional pointer scaling
  141. Unreleased Resource
  142. Unrestricted File Upload
  143. Unsafe function call from a signal handler
  144. Unsafe JNI
  145. Unsafe Mobile Code
  146. Unsafe Reflection
  147. Unsigned to signed conversion error
  148. Use of hard-coded password
  149. Use of Obsolete Methods
  150. Use of sizeof() on a pointer type
  151. Using a broken or risky cryptographic algorithm
  152. Using a key past its expiration date
  153. Using freed memory
  154. Using password systems
  155. Using referer field for authentication or authorization
  156. Using single-factor authentication
  157. Using the wrong operator
  158. Validation performed in client
  159. Wrap-around error
  160. Write-what-where condition

Back to TOC