Category: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Incomplete
Summary
Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-23 | Relative Path Traversal | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
| CWE-276 | Incorrect Default Permissions | During installation, installed file permissions are set to allow anyone to modify those files. |
| CWE-284 | Improper Access Control | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-285 | Improper Authorization | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-35 | Path Traversal: '.../...//' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
| CWE-377 | Insecure Temporary File | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product. |
| CWE-425 | Direct Request ('Forced Browsing') | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. |
| CWE-548 | Exposure of Information Through Directory Listing | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
| CWE-552 | Files or Directories Accessible to External Parties | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-651 | Exposure of WSDL File Containing Sensitive Information | The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return). |
| CWE-668 | Exposure of Resource to Wrong Sphere | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
| CWE-862 | Missing Authorization | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-863 | Incorrect Authorization | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
| CWE-922 | Insecure Storage of Sensitive Information | The product stores sensitive information without properly limiting read or write access by unauthorized actors. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CWE-264 | Permissions, Privileges, and Access Controls | Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
| CWE-275 | Permission Issues | Weaknesses in this category are related to improper assignment or handling of permissions. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.