| CWE | Requirements |
|---|---|
| 5. Data transmission without encryption | 336. Disable insecure TLS versions |
| 6. Misconfiguration - Insufficient session-ID length | 030. Avoid object reutilization; 032. Avoid session ID leakages |
| 11. Creating debug binary | 078. Disable debugging events |
| 13. Misconfiguration - Password in configuration file | 026. Encrypt client-side session information; 185. Encrypt sensitive information |
| 15. External control of system or configuration setting | 062. Define standard configurations; 320. Avoid client-side control enforcement |
| 20. Improper input validation | 173. Discard unsafe inputs |
| 22. Improper limitation of a pathname to a restricted directory ("path traversal") | 037. Parameters without sensitive data; 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 23. Relative path traversal | 037. Parameters without sensitive data |
| 36. Absolute path traversal | 037. Parameters without sensitive data; 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 343. Respect the Do Not Track header |
| 73. External control of file name or path | 037. Parameters without sensitive data; 320. Avoid client-side control enforcement; 381. Use of absolute paths |
| 74. Improper neutralization of special elements in output used by a downstream component ("injection") | 158. Use a secure programming language; 173. Discard unsafe inputs |
| 78. Improper neutralization of special elements used in an OS command ("OS command injection") | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 79. Improper neutralization of input during web page generation ("cross-site scripting") | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| 80. Improper neutralization of script-related HTML tags in a web page (basic XSS) | 117. Do not interpret HTML code; 173. Discard unsafe inputs |
| 89. Improper neutralization of special elements used in an SQL command ("SQL injection") | 169. Use parameterized queries; 173. Discard unsafe inputs |
| 90. Improper neutralization of special elements used in an LDAP query ("LDAP injection") | 173. Discard unsafe inputs |
| 91. XML injection | 173. Discard unsafe inputs |
| 94. Improper control of generation of code ("code injection") | 173. Discard unsafe inputs |
| 95. Improper neutralization of directives in dynamically evaluated code ("eval injection") | 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data; 344. Avoid dynamic code execution |
| 98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion") | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 112. Missing XML validation | 173. Discard unsafe inputs |
| 114. Process control | 266. Disable insecure functionalities |
| 116. Improper encoding or escaping of output | 160. Encode system outputs; 173. Discard unsafe inputs; 348. Use consistent encoding; 349. Include HTTP security headers |
| 117. Improper output neutralization for logs | 160. Encode system outputs |
| 120. Buffer copy without checking size of input ("classic buffer overflow") | 345. Establish protections against overflows |
| 130. Buffer copy without checking size of input ("classic buffer overflow") | 169. Use parameterized queries; 342. Validate request parameters |
| 134. Use of externally-controlled format string | 345. Establish protections against overflows |
| 138. Improper neutralization of special elements | 173. Discard unsafe inputs; 340. Use octet stream downloads |
| 147. Improper neutralization of input terminators | 173. Discard unsafe inputs |
| 150. Improper neutralization of escape, meta, or control sequences | 173. Discard unsafe inputs |
| 170. Improper null termination | 345. Establish protections against overflows |
| 173. Improper handling of alternate encoding | 044. Define an explicit charset; 160. Encode system outputs |
| 190. Integer overflow or wraparound | 345. Establish protections against overflows |
| 200. Exposure of sensitive information to an unauthorized actor | 032. Avoid session ID leakages; 119. Hide recipients; 181. Transmit data using secure protocols; 261. Avoid exposing sensitive information; 375. Remove sensitive data from client-side applications |
| 203. Observable discrepancy | 225. Proper authentication responses |
| 208. Observable timing discrepancy | 368. Use of indistinguishable response time |
| 209. Generation of error message containing sensitive information | 077. Avoid disclosing technical information |
| 210. Self-generated error message containing sensitive information | 077. Avoid disclosing technical information; 078. Disable debugging events |
| 212. Improper removal of sensitive information before storage or transfer | 183. Delete sensitive data securely; 360. Remove unnecessary sensitive information |
| 219. Storage of file with sensitive data under web root | 339. Avoid storing sensitive files in the web root |
| 221. Information loss or omission | 075. Record exceptional events in logs; 376. Register severity level |
| 223. Omission of security-relevant information | 376. Register severity level |
| 226. Sensitive information in resource not removed before reuse | 183. Delete sensitive data securely; 360. Remove unnecessary sensitive information |
| 233. Improper handling of parameters | 342. Validate request parameters |
| 235. Improper handling of extra parameters | 342. Validate request parameters |
| 250. Execution with unnecessary privileges | 095. Define users with privileges; 096. Set user's required privileges; 186. Use the principle of least privilege |
| 256. Plaintext storage of a password | 127. Store hashed passwords; 380. Define a password management tool |
| 257. Storing passwords in a recoverable format | 238. Establish safe recovery |
| 259. Use of hard-coded password | 156. Source code without sensitive information; 172. Encrypt connection strings |
| 263. Password aging with long expiration | 130. Limit password lifespan; 138. Define lifespan for temporary passwords; 367. Proper generation of temporary passwords |
| 266. Incorrect privilege assignment | 095. Define users with privileges |
| 267. Privilege defined with unsafe actions | 035. Manage privilege modifications |
| 269. Improper privilege management | 035. Manage privilege modifications; 186. Use the principle of least privilege |
| 272. Least privilege violation | 186. Use the principle of least privilege |
| 276. Incorrect default permissions | 095. Define users with privileges; 096. Set user's required privileges; 186. Use the principle of least privilege; 341. Use the principle of deny by default |
| 284. Improper access control | 176. Restrict system objects; 229. Request access credentials; 266. Disable insecure functionalities; 320. Avoid client-side control enforcement |
| 285. Improper authorization | 095. Define users with privileges; 177. Avoid caching and temporary files; 320. Avoid client-side control enforcement; 341. Use the principle of deny by default |
| 287. Improper authentication | 122. Validate credential ownership; 228. Authenticate using standard protocols; 236. Establish authentication time; 264. Request authentication; 319. Make authentication options equally secure; 334. Avoid knowledge-based authentication; 362. Assign MFA mechanisms to a single account |
| 290. Authentication bypass by spoofing | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 294. Authentication bypass by capture-replay | 030. Avoid object reutilization; 335. Define out of band token lifespan |
| 295. Improper certificate validation | 089. Limit validity of certificates; 091. Use internally signed certificates; 093. Use consistent certificates; 364. Provide extended validation (EV) certificates |
| 297. Improper validation of certificate with host mismatch | 093. Use consistent certificates; 373. Use certificate pinning |
| 298. Improper validation of certificate expiration | 089. Limit validity of certificates; 090. Use valid certificates; 364. Provide extended validation (EV) certificates |
| 299. Improper check for certificate revocation | 088. Request client certificates; 089. Limit validity of certificates; 090. Use valid certificates |
| 306. Missing authentication for critical function | 229. Request access credentials; 264. Request authentication; 265. Restrict access to critical processes; 319. Make authentication options equally secure |
| 307. Improper restriction of excessive authentication attempts | 210. Delete information from mobile devices; 237. Ascertain human interaction; 327. Set a rate limit |
| 308. Use of single-factor authentication | 030. Avoid object reutilization; 231. Implement a biometric verification component |
| 311. Missing encryption of sensitive data | 172. Encrypt connection strings; 181. Transmit data using secure protocols; 185. Encrypt sensitive information |
| 319. Cleartext transmission of sensitive information | 181. Transmit data using secure protocols; 338. Implement perfect forward secrecy |
| 321. Use of hard-coded cryptographic key | 145. Protect system cryptographic keys; 224. Use secure cryptographic mechanisms |
| 322. Key exchange without entity authentication | 145. Protect system cryptographic keys |
| 323. Reusing a nonce, key pair in encryption | 145. Protect system cryptographic keys |
| 324. Use of a key past its expiration date | 361. Replace cryptographic keys |
| 326. Inadequate encryption strength | 147. Use pre-existent mechanisms; 224. Use secure cryptographic mechanisms; 346. Use initialization vectors once |
| 327. Use of a broken or risky cryptographic algorithm | 147. Use pre-existent mechanisms; 224. Use secure cryptographic mechanisms |
| 328. Use of weak hash | 150. Set minimum size for hash functions |
| 330. Use of insufficiently random values | 223. Uniform distribution in random numbers |
| 331. Insufficient entropy | 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms |
| 334. Small space of random values | 223. Uniform distribution in random numbers |
| 340. Generation of predictable numbers or identifiers | 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms |
| 345. Insufficient verification of data authenticity | 030. Avoid object reutilization; 178. Use digital signatures; 238. Establish safe recovery |
| 346. Origin validation error | 128. Define unique data source |
| 347. Improper verification of cryptographic signature | 178. Use digital signatures |
| 350. Reliance on reverse DNS resolution for a security-critical action | 062. Define standard configurations; 356. Verify sub-domain names |
| 352. Cross-site request forgery (CSRF) | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern |
| 353. Missing support for integrity check | 178. Use digital signatures; 262. Verify third-party components; 330. Verify Subresource Integrity |
| 359. Exposure of private personal information to an unauthorized actor | 180. Use mock data; 184. Obfuscate application data; 261. Avoid exposing sensitive information; 300. Mask sensitive data |
| 362. Concurrent execution using shared resource with improper synchronization ("race condition") | 337. Make critical logic flows thread safe |
| 367. Time-of-check time-of-use (TOCTOU) race condition | 337. Make critical logic flows thread safe; 353. Schedule firmware updates |
| 377. Insecure temporary file | 036. Do not deploy temporary files; 177. Avoid caching and temporary files |
| 384. Session fixation | 030. Avoid object reutilization |
| 390. Detection of error condition without action | 075. Record exceptional events in logs |
| 396. Declaration of catch for generic exception | 359. Avoid using generic exceptions |
| 397. Declaration of throws for generic exception | 359. Avoid using generic exceptions |
| 400. Uncontrolled resource consumption | 072. Set maximum response time; 158. Use a secure programming language; 164. Use optimized structures; 173. Discard unsafe inputs |
| 404. Improper resource shutdown or release | 023. Terminate inactive user sessions; 167. Close unused resources |
| 409. Improper handling of highly compressed data (data amplification) | 039. Define maximum file size |
| 419. Unprotected primary channel | 033. Restrict administrative access |
| 434. Unrestricted upload of file with dangerous type | 040. Compare file format and extension |
| 444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling") | 062. Define standard configurations; 173. Discard unsafe inputs; 266. Disable insecure functionalities |
| 453. Insecure default variable initialization | 161. Define secure default options |
| 456. Missing initialization of a variable | 168. Initialize variables explicitly |
| 457. Use of uninitialized variable | 168. Initialize variables explicitly |
| 459. Incomplete cleanup | 183. Delete sensitive data securely; 210. Delete information from mobile devices |
| 474. Use of function with inconsistent implementations | 162. Avoid duplicate code |
| 494. Download of code without integrity check | 330. Verify Subresource Integrity |
| 497. Exposure of sensitive system information to an unauthorized control sphere | 078. Disable debugging events; 095. Define users with privileges |
| 502. Deserialization of untrusted data | 321. Avoid deserializing untrusted data |
| 507. Trojan horse | 155. Application free of malicious code; 262. Verify third-party components |
| 509. Replicating malicious code (virus or worm) | 041. Scan files for malicious code; 118. Inspect attachments |
| 510. Trapdoor | 154. Eliminate backdoors; 155. Application free of malicious code |
| 511. Logic/Time bomb | 155. Application free of malicious code |
| 512. Spyware | 273. Define a fixed security suite |
| 521. Weak password requirements | 127. Store hashed passwords; 129. Validate previous passwords; 130. Limit password lifespan; 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 332. Prevent the use of breached passwords |
| 522. Insufficiently protected credentials | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 134. Store passwords with salt; 135. Passwords with random salt; 139. Set minimum OTP length; 150. Set minimum size for hash functions |
| 523. Unprotected transport of credentials | 153. Out of band transactions; 181. Transmit data using secure protocols |
| 524. Use of cache containing sensitive information | 177. Avoid caching and temporary files; 209. Manage passwords in cache |
| 525. Use of web browser cache containing sensitive information | 177. Avoid caching and temporary files; 349. Include HTTP security headers |
| 526. Cleartext storage of sensitive information in an environment variable | 185. Encrypt sensitive information; 300. Mask sensitive data |
| 532. Insertion of sensitive information into log file | 083. Avoid logging sensitive data |
| 539. Use of persistent cookies containing sensitive information | 029. Cookies with security attributes; 342. Validate request parameters |
| 540. Inclusion of sensitive information in source code | 156. Source code without sensitive information |
| 548. Exposure of information through directory listing | 176. Restrict system objects; 266. Disable insecure functionalities |
| 549. Missing password field masking | 300. Mask sensitive data |
| 561. Dead code | 162. Avoid duplicate code |
| 598. Use of GET request method with sensitive query strings | 169. Use parameterized queries; 342. Validate request parameters |
| 601. URL redirection to untrusted site ("open redirect") | 324. Control redirects |
| 602. Client-side enforcement of server-side security | 266. Disable insecure functionalities; 320. Avoid client-side control enforcement |
| 603. Use of client-side authentication | 264. Request authentication |
| 611. Improper restriction of XML External Entity reference | 157. Use the strict mode; 173. Discard unsafe inputs |
| 613. Insufficient session expiration | 023. Terminate inactive user sessions; 030. Avoid object reutilization; 031. Discard user session data; 369. Set a maximum lifetime in sessions |
| 614. Sensitive cookie in HTTPS session without 'secure' attribute | 029. Cookies with security attributes |
| 615. Inclusion of sensitive information in source code comments | 156. Source code without sensitive information |
| 620. Unverified password change | 131. Deny multiple password changing attempts; 238. Establish safe recovery; 301. Notify configuration changes |
| 639. Authorization bypass through user-controlled key | 035. Manage privilege modifications; 176. Restrict system objects; 320. Avoid client-side control enforcement |
| 640. Weak password recovery mechanism for forgotten password | 126. Set a password regeneration mechanism; 130. Limit password lifespan; 131. Deny multiple password changing attempts; 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 139. Set minimum OTP length; 238. Establish safe recovery; 332. Prevent the use of breached passwords; 334. Avoid knowledge-based authentication; 367. Proper generation of temporary passwords |
| 642. External control of critical state data | 026. Encrypt client-side session information; 328. Request MFA for critical systems |
| 643. Improper neutralization of data within XPath expressions ("XPath injection") | 173. Discard unsafe inputs |
| 644. Improper neutralization of HTTP headers for scripting syntax | 349. Include HTTP security headers |
| 645. Overly restrictive account lockout mechanism | 226. Avoid account lockouts |
| 646. Reliance on file name or extension of externally-supplied file | 040. Compare file format and extension; 042. Validate file format; 340. Use octet stream downloads |
| 651. Exposure of WSDL file containing sensitive information | 325. Protect WSDL files |
| 693. Protection mechanism failure | 266. Disable insecure functionalities; 326. Detect rooted devices; 351. Assign unique keys to each device; 352. Enable trusted execution; 354. Prevent firmware downgrades |
| 710. Improper adherence to coding standards | 158. Use a secure programming language; 366. Associate type to variables; 381. Use of absolute paths |
| 732. Incorrect permission assignment for critical resource | 186. Use the principle of least privilege; 341. Use the principle of deny by default |
| 749. Exposed dangerous method or function | 041. Scan files for malicious code; 266. Disable insecure functionalities |
| 759. Use of a one-way hash without a salt | 134. Store passwords with salt; 135. Passwords with random salt |
| 760. Use of a one-way hash with a predictable salt | 134. Store passwords with salt; 135. Passwords with random salt |
| 770. Allocation of resources without limits or throttling | 039. Define maximum file size; 072. Set maximum response time; 327. Set a rate limit |
| 778. Insufficient logging | 075. Record exceptional events in logs; 376. Register severity level |
| 779. Logging of excessive data | 322. Avoid excessive logging |
| 780. Use of RSA algorithm without OAEP | 370. Use OAEP padding with RSA |
| 798. Use of hard-coded credentials | 156. Source code without sensitive information; 172. Encrypt connection strings; 357. Use stateless session tokens |
| 799. Improper control of interaction frequency | 237. Ascertain human interaction; 327. Set a rate limit |
| 804. Guessable CAPTCHA | 237. Ascertain human interaction |
| 830. Inclusion of web functionality from an untrusted source | 050. Control calls to interpreted code; 353. Schedule firmware updates |
| 838. Inappropriate encoding for output context | 348. Use consistent encoding |
| 862. Missing authorization | 319. Make authentication options equally secure |
| 915. Improperly controlled modification of dynamically-determined object attributes | 342. Validate request parameters; 344. Avoid dynamic code execution |
| 916. Use of password hash with insufficient computational effort | 127. Store hashed passwords; 134. Store passwords with salt; 135. Passwords with random salt; 333. Store salt values separately |
| 918. Server-side request forgery (SSRF) | 173. Discard unsafe inputs; 324. Control redirects |
| 922. Insecure storage of sensitive information | 329. Keep client-side storage without sensitive data; 339. Avoid storing sensitive files in the web root |
| 923. Improper restriction of communication channel to intended endpoints | 259. Segment the organization network; 273. Define a fixed security suite |
| 1004. Sensitive cookie without 'HttpOnly' flag | 029. Cookies with security attributes |
| 1021. Improper restriction of rendered UI layers or frames | 340. Use octet stream downloads; 349. Include HTTP security headers |
| 1022. Use of web link to untrusted target with window.opener access | 324. Control redirects |
| 1041. Use of redundant code | 171. Remove commented-out code |
| 1085. Invokable control element with excessive volume of commented-out code | 171. Remove commented-out code |
| 1120. Excessive code complexity | 379. Keep low McCabe cyclomatic complexity |
| 1121. Excessive McCabe cyclomatic complexity | 379. Keep low McCabe cyclomatic complexity |
| 1192. System-on-Chip (SoC) using components without unique identifiers | 352. Enable trusted execution |
| 1204. Generation of weak initialization vector (IV) | 372. Proper use of initialization vector (IV) |
| 1230. Exposure of sensitive information through metadata | 045. Remove metadata when sharing files |
| 1233. Improper hardware lock protection for security sensitive controls | 351. Assign unique keys to each device; 352. Enable trusted execution |
| 1262. Improper access control for register interface | 235. Define credential interface; 252. Configure key encryption |
| 1269. Product released in non-release configuration | 078. Disable debugging events; 154. Eliminate backdoors; 159. Obfuscate code |
| 1272. Sensitive information uncleared before debug/power state transition | 360. Remove unnecessary sensitive information |
| 1275. Sensitive cookie with improper sameSite attribute | 029. Cookies with security attributes |
| 1284. Improper validation of specified quantity in input | 173. Discard unsafe inputs |
| 1287. Improper validation of specified type of input | 173. Discard unsafe inputs |
| 1295. Debug messages revealing unnecessary information | 083. Avoid logging sensitive data |
| 1325. Improperly controlled sequential memory allocation | 072. Set maximum response time; 158. Use a secure programming language; 164. Use optimized structures; 173. Discard unsafe inputs |
| 1390. Weak authentication | 228. Authenticate using standard protocols; 264. Request authentication; 319. Make authentication options equally secure; 334. Avoid knowledge-based authentication; 362. Assign MFA mechanisms to a single account |
| 1391. Use of weak credentials | 130. Limit password lifespan; 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 135. Passwords with random salt; 139. Set minimum OTP length; 332. Prevent the use of breached passwords |
| 1392. Use of default credentials | 142. Change system default credentials; 266. Disable insecure functionalities |
| 1393. Use of default password | 142. Change system default credentials; 266. Disable insecure functionalities |
| 1394. Use of default cryptographic key | 142. Change system default credentials; 266. Disable insecure functionalities |
| 1395. Dependency on vulnerable third-party component | 262. Verify third-party components |
| 1419. Incorrect initialization of resource | 366. Associate type to variables |