Difference between revisions of "CWE ESAPI"
From OWASP
Older revision (edit summary): New page: == CWE and ESAPI == This page covers the relationships between ESAPI controls and the CWE entries that are eliminated or reduced by the application of those controls. * Validation * Can...
Newer revision (edit summary): →CWE and ESAPI

Line 4:
  * Validation
+ ** CWE-20: Insufficient Input Validation
+ ** CWE-116: Insufficient Output Sanitization
+ ** CWE-228: Failure to Handle Syntactically Invalid Structure
  * Canonicalization
+ ** CWE-22: Path Traversal
+ ** CWE-41: Failure to Resolve Path Equivalence
+ ** CWE-178: Failure to Resolve Case Sensitivity
  * Encoding
+ ** CWE-113: Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
+ ** CWE-79: Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
+ ** CWE-89: Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')
  * Authentication
Line 30 (now line 48):
  * Filters
+ == Method ==
+ Only CWE identifiers associated with weaknesses were reviewed. (Some CWE entries are arbitrary groupings that organize weaknesses instead of being weaknesses themselves).
+ Only the most abstract CWE identifiers were mapped, implying that lower-level variants are also covered (based on the hierarchy imposed by CWE-1000, the research view, which has a different hierarchical structure than CWE-699, the developer view).
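Review bot: the placement of CWE-116 (output sanitization) under Validation, while the output-context entries CWE-113, CWE-79 and CWE-89 sit under Encoding, needs a justification or a move: output sanitization is what the encoding control performs, so a reader of this mapping will look for CWE-116 under Encoding. Separately, the new Method section states that only the most abstract identifiers were mapped, yet the Encoding list enumerates three specific injection contexts rather than one abstract parent; say which entry, if any, is meant to cover contexts not listed, otherwise the reader cannot tell whether an unlisted variant is covered by the method or deliberately out of scope.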
Revision as of 19:26, 11 December 2008
CWE and ESAPI
This page covers the relationships between ESAPI controls and the CWE entries that are eliminated or reduced by the application of those controls.
- Validation
  - CWE-20: Insufficient Input Validation
  - CWE-116: Insufficient Output Sanitization
  - CWE-228: Failure to Handle Syntactically Invalid Structure
- Canonicalization
  - CWE-22: Path Traversal
  - CWE-41: Failure to Resolve Path Equivalence
  - CWE-178: Failure to Resolve Case Sensitivity
- Encoding
  - CWE-113: Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
  - CWE-79: Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
  - CWE-89: Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')
- Authentication
- Session Management
- Access Control
- Encryption
- Randomizer
- Error Handling
- Logging
- Intrusion Detection
- HTTP Protection
- Utilities
- Filters
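To make the Validation, Canonicalization and Encoding rows of the mapping concrete, here is an added example, written for this page rather than taken from ESAPI, and in Python rather than ESAPI's Java. It runs one untrusted request parameter through canonicalize, validate and encode steps, and each function's docstring names the CWE entries from the list above that the step addresses. The function names, the filename allow-list pattern, the decode-round limit, the in-memory table and the sample inputs are all assumptions made for the illustration. For CWE-89 the example uses a parameterized query, which is the structural fix, rather than SQL output encoding.

```python
"""Added illustration for this page (not ESAPI's own code): a
canonicalize -> validate -> encode pipeline for one untrusted request
parameter, with each step mapped to the CWE entries listed above.
Function names, the allow-list pattern, the decode-round limit and the
sample data are assumptions made for the example."""
import html
import posixpath
import re
import sqlite3
import urllib.parse

MAX_DECODE_ROUNDS = 3  # assumption: legitimate input needs at most one decode


class ValidationError(ValueError):
    """Raised when a control rejects its input; callers fail closed."""


def canonicalize(raw: str) -> str:
    """Canonicalization (CWE-41, CWE-178): reduce input to one form before
    any check runs. Percent-decoding repeats until stable so double
    encoding ('%252e%252e' -> '%2e%2e' -> '..') cannot hide a traversal,
    normpath collapses 'a/./b' and 'a//b' equivalents, and casefold makes
    'Report.PDF' and 'report.pdf' compare equal. Input still changing after
    MAX_DECODE_ROUNDS is rejected rather than guessed at."""
    decoded = raw
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise ValidationError("input still decoding after %d rounds" % MAX_DECODE_ROUNDS)
    return posixpath.normpath(decoded).casefold()


# Allow-list for a document name: no separators, no '..', bounded length.
FILENAME_RE = re.compile(r"[a-z0-9_-]{1,64}\.(pdf|txt)")


def validate_filename(raw: str) -> str:
    """Validation (CWE-20, CWE-22, CWE-228): allow-list match on the
    canonical form. '../etc/passwd' (path traversal), a bare '.', an
    embedded NUL or anything else structurally unexpected fails the
    pattern."""
    canon = canonicalize(raw)
    if not FILENAME_RE.fullmatch(canon):
        raise ValidationError("filename rejected: %r" % canon)
    return canon


def encode_for_html(value: str) -> str:
    """Encoding (CWE-79, CWE-116) for an HTML text or quoted attribute context."""
    return html.escape(value, quote=True)


def safe_header_value(value: str) -> str:
    """Encoding step for an HTTP header (CWE-113): no encoding keeps CR/LF
    harmless inside a header, so the control rejects them outright."""
    if "\r" in value or "\n" in value:
        raise ValidationError("CR/LF not allowed in a header value")
    return value


def lookup_documents(owner: str) -> list:
    """CWE-89: the structural fix is a parameterized query; an injected quote
    becomes data, not SQL syntax. The table contents are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE docs (owner TEXT, name TEXT)")
    con.executemany("INSERT INTO docs VALUES (?, ?)",
                    [("alice", "a.pdf"), ("bob", "b.pdf")])
    rows = con.execute("SELECT name FROM docs WHERE owner = ?", (owner,)).fetchall()
    con.close()
    return [name for (name,) in rows]


def try_control(control, value):
    """Run one control and report ('accept', result) or ('reject', reason)."""
    try:
        return ("accept", control(value))
    except ValidationError as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    # Constructed sample inputs, one per weakness the mapping names.
    samples = [
        ("Report.PDF", validate_filename),                     # benign, case-folded
        ("%252e%252e%252fetc%252fpasswd", validate_filename),  # CWE-22 via double encoding
        ("docs%2f..%2freport.pdf", validate_filename),         # CWE-41: resolves to report.pdf
        ("<script>alert(1)</script>", encode_for_html),        # CWE-79
        ("text/html\r\nSet-Cookie: x=1", safe_header_value),   # CWE-113
    ]
    for raw, control in samples:
        print("%-34r %-18s %s" % (raw, control.__name__, try_control(control, raw)))
    print(lookup_documents("alice"), lookup_documents("' OR 1=1 --"))
```

Running the module prints one line per sample input showing whether the control accepted or rejected it. The double-encoded traversal is rejected because canonicalization exposes the `..` before the allow-list check runs, while `docs%2f..%2freport.pdf` is accepted because it resolves to a permitted name, which is the path-equivalence point behind CWE-41: the decision is made on the real target, not on the bytes the client sent. Triple-encoded input trips the decode-round limit and is rejected without being decoded further.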
Method
Only CWE identifiers associated with weaknesses were reviewed. (Some CWE entries are arbitrary groupings that organize weaknesses instead of being weaknesses themselves). Only the most abstract CWE identifiers were mapped, implying that lower-level variants are also covered (based on the hierarchy imposed by CWE-1000, the research view, which has a different hierarchical structure than CWE-699, the developer view).