Category: OWASP Top Ten 2004 Category A8 - Insecure Storage
Obsolete
Summary
Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-14 | Compiler Removal of Code to Clear Buffers | Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal." |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
| CWE-261 | Weak Encoding for Password | Obscuring a password with a trivial encoding does not protect the password. |
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-321 | Use of Hard-coded Cryptographic Key | The product uses a hard-coded, unchangeable cryptographic key. |
| CWE-326 | Inadequate Encryption Strength | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The product uses a broken or risky cryptographic algorithm or protocol. |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | The web application uses persistent cookies, but the cookies contain sensitive information. |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
| CWE-711 | Weaknesses in OWASP Top Ten (2004) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.