Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021.
| ID | Name | Description |
|---|---|---|
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. |
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Debugging messages help attackers learn about the system and plan a form of attack. |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | The ASP.NET application does not use, or incorrectly uses, the model validation framework. |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource, making them an easy target for attackers. |
| CWE-15 | External Control of System or Configuration Setting | One or more system settings or configuration elements can be externally controlled by a user. |
| CWE-260 | Password in Configuration File | The product stores a password in a configuration file that might be accessible to actors who do not know the password. |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | The product stores sensitive information in cleartext in a cookie. |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | The product uses an environment variable to store unencrypted sensitive information. |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. |
| CWE-611 | Improper Restriction of XML External Entity Reference | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
| CWE-756 | Missing Custom Error Page | The product does not return custom error pages to the user, possibly exposing sensitive information. |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
| CWE-942 | Permissive Cross-domain Security Policy with Untrusted Domains | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CWE-1032 | OWASP Top Ten 2017 Category A6 - Security Misconfiguration | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017. |
| CWE-16 | Configuration | Weaknesses in this category are typically introduced during the configuration of the software. |
| CWE-2 | 7PK - Environment | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms." |