Vulnerability library

Browse

If you’re new here, start with the OWASP Top 10. The rest is a deeper set of categories and checks.

CWE spotlights

• CWE-78 OS Command Injection
• CWE-79 Cross-Site Scripting
• CWE-89 SQL Injection (multi-hop proof page)
• CWE-22 Path Traversal
• CWE-20 Improper Input Validation
• CWE-23 Relative Path Traversal
• CWE-36 Absolute Path Traversal
• CWE-59 Link Following
• CWE-61 UNIX Symlink Following
• CWE-352 Cross-Site Request Forgery
• CWE-287 Improper Authentication
• CWE-798 Hard-coded Credentials
• CWE-502 Unsafe Deserialization
• CWE-611 XML External Entity (XXE)
• CWE-918 Server-Side Request Forgery
• CWE-200 Sensitive Data Exposure
• CWE-201 Sensitive Data in Sent Data
• CWE-219 Sensitive Data Under Web Root
• CWE-276 Incorrect Default Permissions
• CWE-400 Uncontrolled Resource Consumption
• CWE-120 Buffer Overflow
• CWE-125 Out-of-bounds Read
• CWE-334 Small Space of Random Values
• CWE-454 External Initialization of Trusted Variables
• CWE-1125 Excessive Attack Surface
• CWE-113 HTTP Response Splitting
• CWE-256 Plaintext Storage of a Password
• CWE-1392 Use of Default Credentials
• CWE-96 Static Code Injection
• CWE-306 Missing Authentication
• CWE-327 Broken Cryptographic Algorithm
• CWE-601 Open Redirect
• CWE-532 Sensitive Data in Logs
• CWE-614 Insecure Cookie
• CWE-362 Race Condition (TOCTOU)
• CWE-190 Integer Overflow
• CWE-476 NULL Pointer Dereference
• CWE-94 Code Injection
• CWE-119 Memory Buffer Error
• CWE-787 Out-of-bounds Write
• CWE-863 Incorrect Authorization
• CWE-269 Improper Privilege Management
• CWE-434 Unrestricted File Upload
• CWE-382 Claims of Insufficient Testing
• CWE-384 Session Fixation
• CWE-261 Weak Encoding for Password
• CWE-296 Improper Certificate Validation
• CWE-319 Cleartext Transmission
• CWE-321 Hard-coded Cryptographic Key
• CWE-323 Reused Nonce or IV
• CWE-326 Inadequate Encryption Strength
• CWE-328 Reversible One-Way Hash
• CWE-329 No Random IV with CBC
• CWE-330 Insufficiently Random Values
• CWE-331 Insufficient Entropy
• CWE-338 Cryptographically Weak PRNG
• CWE-347 Improper Signature Verification
• CWE-523 Unprotected Transport of Credentials
• CWE-757 Algorithm Downgrade
• CWE-759 Hash without Salt
• CWE-760 Predictable Salt
• CWE-916 Insufficient Hash Effort
• CWE-1240 Risky Crypto Implementation
• CWE-74 Injection
• CWE-76 Special Elements
• CWE-77 Command Injection
• CWE-80 Basic XSS
• CWE-83 XSS in Attributes
• CWE-86 Invalid Characters
• CWE-88 Argument Injection
• CWE-90 LDAP Injection
• CWE-91 XPath Injection
• CWE-93 CRLF Injection
• CWE-95 Eval Injection
• CWE-97 SSI Injection
• CWE-98 Remote File Inclusion
• CWE-99 Resource Injection
• CWE-103 Struts Incomplete Validation
• CWE-104 Struts Form Bean Without Validation
• CWE-112 Missing XML Validation
• CWE-114 Process Control
• CWE-116 Improper Encoding or Escaping of Output
• CWE-129 Array Index Validation
• CWE-470 Unsafe Reflection
• CWE-564 Hibernate SQL Injection
• CWE-610 Externally Controlled Reference
• CWE-628 Function Call with Incorrectly Specified Arguments
• CWE-643 XPath Injection
• CWE-644 HTTP Header Script Injection
• CWE-917 Expression Language Injection
• CWE-73 External Control of File Name or Path
• CWE-183 Permissive List of Allowed Inputs
• CWE-436 Interpretation Conflict
• CWE-646 Reliance on File Name or Extension
• CWE-807 Reliance on Untrusted Inputs
• CWE-451 User Interface Misrepresentation
• CWE-525 Information Exposure Through the Browser
• CWE-539 Information Exposure Through Persistent Storage
• CWE-598 Information Exposure Through Query Strings
• CWE-311 Missing Encryption of Sensitive Data
• CWE-312 Cleartext Storage of Sensitive Information
• CWE-313 Cleartext Storage in a File or on Disk
• CWE-316 Cleartext Storage in Memory
• CWE-522 Insufficiently Protected Credentials
• CWE-266 Incorrect Privilege Assignment
• CWE-286 Incorrect Authorization
• CWE-602 Client-Side Enforcement
• CWE-472 External Control of Assumed-Immutable Data
• CWE-501 Trust Boundary Violation
• CWE-642 External Control of Critical State Data
• CWE-1021 UI Layer Restrictions Missing
• CWE-1022 UI Redress Attacks
• CWE-419 Uncontrolled Resource Consumption
• CWE-653 Insufficient Protection Mechanism
• CWE-656 Reliance on Security Measures
• CWE-657 Violation of Secure Design Principles
• CWE-676 Use of Potentially Dangerous Function
• CWE-693 Protection Mechanism Failure
• CWE-799 Improper Control of Interaction Frequency
• CWE-841 Improper Enforcement of Workflow
• CWE-444 Inconsistent Interpretation of HTTP Requests
• CWE-295 Improper Certificate Validation
• CWE-829 Untrusted Control Sphere
• CWE-922 Insecure Storage of Sensitive Information

These links point to the current markdown entries that ship with the site.