Gist kurt-r2c/5c0ff1f21d5d7ed1589caae710ddfe9e, created February 28, 2022 23:04
OWASP Top 10 2017 categories and their associated CWEs. Compiled from CWE view 1026, "Weaknesses in OWASP Top Ten (2017)": https://cwe.mitre.org/data/slices/1026.html
A01:2017 - Injection:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection'
- 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')'
- 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')'
- 'CWE-88: Improper Neutralization of Argument Delimiters in a Command (''Argument Injection'')'
- 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')'
- 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP Injection'')'
- 'CWE-91: XML Injection (aka Blind XPath Injection)'
- 'CWE-564: SQL Injection: Hibernate'
- 'CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (''Expression Language Injection'')'
- 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
A02:2017 - Broken Authentication:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication'
- 'CWE-287: Improper Authentication'
- 'CWE-256: Plaintext Storage of a Password'
- 'CWE-308: Use of Single-factor Authentication'
- 'CWE-384: Session Fixation'
- 'CWE-522: Insufficiently Protected Credentials'
- 'CWE-523: Unprotected Transport of Credentials'
- 'CWE-613: Insufficient Session Expiration'
- 'CWE-620: Unverified Password Change'
- 'CWE-640: Weak Password Recovery Mechanism for Forgotten Password'
A03:2017 - Sensitive Data Exposure:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure'
- 'CWE-220: Storage of File With Sensitive Data Under FTP Root'
- 'CWE-295: Improper Certificate Validation'
- 'CWE-311: Missing Encryption of Sensitive Data'
- 'CWE-312: Cleartext Storage of Sensitive Information'
- 'CWE-319: Cleartext Transmission of Sensitive Information'
- 'CWE CATEGORY: Key Management Errors'
- 'CWE-325: Missing Cryptographic Step'
- 'CWE-326: Inadequate Encryption Strength'
- 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
- 'CWE-328: Use of Weak Hash'
- 'CWE-359: Exposure of Private Personal Information to an Unauthorized Actor'
A04:2017 - XML External Entities (XXE):
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A4 - XML External Entities (XXE)'
- 'CWE-611: Improper Restriction of XML External Entity Reference'
- 'CWE-776: Improper Restriction of Recursive Entity References in DTDs (''XML Entity Expansion'')'
A05:2017 - Broken Access Control:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control'
- 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')'
- 'CWE-284: Improper Access Control'
- 'CWE-285: Improper Authorization'
- 'CWE-425: Direct Request (''Forced Browsing'')'
- 'CWE-639: Authorization Bypass Through User-Controlled Key'
A06:2017 - Security Misconfiguration:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration'
- 'CWE CATEGORY: Configuration'
- 'CWE-209: Generation of Error Message Containing Sensitive Information'
- 'CWE-548: Exposure of Information Through Directory Listing'
A07:2017 - Cross-Site Scripting (XSS):
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)'
- 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')'
A08:2017 - Insecure Deserialization:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A8 - Insecure Deserialization'
- 'CWE-502: Deserialization of Untrusted Data'
A09:2017 - Using Components with Known Vulnerabilities:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities'
A10:2017 - Insufficient Logging & Monitoring:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring'
- 'CWE-223: Omission of Security-relevant Information'
- 'CWE-778: Insufficient Logging'
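The usual consumer of a file like this is a script that tags scanner findings (which carry a CWE ID) with their OWASP Top 10 category. The following is an added example, not part of the gist: it embeds a constructed subset of the YAML above, parses only the shape the gist uses (a top-level key per category, a list of single-quoted strings, `''` as the escaped quote) with a small purpose-built reader so it needs no PyYAML, skips the `CWE CATEGORY:` entries that carry no numeric ID, and groups a made-up list of findings by category. CWEs the mapping does not know are reported under `unmapped` rather than dropped, which matters here because A9 has no CWEs at all in the 2017 slice and many real findings (CWE-502 in the sample below, if the subset lacks A8) will simply not be in the table. The finding rule IDs are invented for the example.

```python
"""Map CWE IDs from scanner findings onto OWASP Top 10 2017 categories.

Added example; not part of the original gist. Uses only the standard library.
"""
import re
from collections import defaultdict

# Constructed subset of the gist's YAML (same shape as the full file).
SAMPLE_YAML = """\
A01:2017 - Injection:
- 'CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection'
- 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')'
- 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')'
A03:2017 - Sensitive Data Exposure:
- 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
- 'CWE-328: Use of Weak Hash'
A05:2017 - Broken Access Control:
- 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')'
- 'CWE-639: Authorization Bypass Through User-Controlled Key'
A07:2017 - Cross-Site Scripting (XSS):
- 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')'
"""

# Constructed findings as (rule_id, cwe_id); the rule IDs are invented.
SAMPLE_FINDINGS = [
    ("python.sqlalchemy.security.sqli", 89),
    ("generic.path-traversal", 22),
    ("python.lang.security.insecure-hash-md5", 328),
    ("python.lang.security.deserialization.pickle", 502),
]

_ITEM = re.compile(r"^- '(.*)'$")
_CWE_ID = re.compile(r"^CWE-(\d+):\s*(.*)$")


def parse_mapping(text):
    """Return {cwe_id: [(category, cwe_name), ...]} from gist-style YAML.

    Handles only the subset of YAML the gist uses: a top-level `Key:` line
    followed by `- '...'` items, with '' as the escaped single quote.
    'CWE CATEGORY: ...' entries have no numeric ID and are skipped.
    """
    mapping = defaultdict(list)
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ITEM.match(line)
        if m is None:
            if not line.endswith(":"):
                raise ValueError(f"unexpected line: {raw!r}")
            category = line[:-1]          # e.g. 'A01:2017 - Injection'
            continue
        if category is None:
            raise ValueError("list item before any category header")
        entry = m.group(1).replace("''", "'")
        m_id = _CWE_ID.match(entry)
        if m_id is None:
            continue                      # category entry, no CWE number
        mapping[int(m_id.group(1))].append((category, m_id.group(2)))
    return dict(mapping)


def classify_findings(findings, mapping):
    """Group (rule_id, cwe_id) findings by OWASP category.

    A CWE could in principle sit in more than one category, so a finding is
    listed under each. CWEs absent from the mapping go under 'unmapped' so
    that gaps in the table surface instead of silently shrinking the report.
    """
    grouped = defaultdict(list)
    for rule_id, cwe_id in findings:
        hits = mapping.get(cwe_id)
        if not hits:
            grouped["unmapped"].append(f"{rule_id} (CWE-{cwe_id})")
            continue
        for category, _name in hits:
            grouped[category].append(rule_id)
    return dict(grouped)


if __name__ == "__main__":
    table = parse_mapping(SAMPLE_YAML)
    for category, rules in sorted(classify_findings(SAMPLE_FINDINGS, table).items()):
        print(f"{category}: {', '.join(rules)}")
```

To use it against the full gist, replace `SAMPLE_YAML` with the file contents; the parser accepts the whole file as written above, including the folded quoted strings once they are on single lines.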