Category: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Incomplete
Summary

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021.

Membership

| ID | Name | Description |
|---|---|---|
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
| CWE-1173 | Improper Use of Validation Framework | The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library. |
| CWE-183 | Permissive List of Allowed Inputs | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed. |
| CWE-235 | Improper Handling of Extra Parameters | The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. |
| CWE-256 | Plaintext Storage of a Password | The product stores a password in plaintext within resources such as memory or files. |
| CWE-257 | Storing Passwords in a Recoverable Format | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
| CWE-266 | Incorrect Privilege Assignment | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-269 | Improper Privilege Management | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-312 | Cleartext Storage of Sensitive Information | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CWE-313 | Cleartext Storage in a File or on Disk | The product stores sensitive information in cleartext in a file, or on disk. |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | The product stores sensitive information in cleartext in memory. |
| CWE-419 | Unprotected Primary Channel | The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. |
| CWE-430 | Deployment of Wrong Handler | The wrong "handler" is assigned to process an object. |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. |
| CWE-501 | Trust Boundary Violation | The product mixes trusted and untrusted data in the same data structure or structured message. |
| CWE-522 | Insufficiently Protected Credentials | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information | The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | The web application uses persistent cookies, but the cookies contain sensitive information. |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability. |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-642 | External Control of Critical State Data | The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors. |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side | The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state. |
| CWE-653 | Improper Isolation or Compartmentalization | The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. |
| CWE-656 | Reliance on Security Through Obscurity | The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. |
| CWE-657 | Violation of Secure Design Principles | The product violates well-established principles for secure design. |
| CWE-73 | External Control of File Name or Path | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-799 | Improper Control of Interaction Frequency | The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. |
| CWE-927 | Use of Implicit Intent for Sensitive Communication | The Android application uses an implicit intent for transmitting sensitive data to other applications. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CWE-840 | Business Logic Errors | Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses. |

Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.