Revision diff for this page.

Removed (old revision):

This is still a work in progress - the Wiki markup language makes it challenging to translate the [http://blog.denimgroup.com/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html original mapping document]. Please send comments or feedback to dan.cornell _at_ owasp.org.

{| class="prettytable"
|-
| <center>'''OWASP Top 10 2007'''</center>
| <center>'''OWASP Top 10 2004'''</center>
| <center>'''SANS CWE/25'''</center>
| <center>'''WASC 24(+2)'''</center>
|-
| A1. Cross Site Scripting (XSS)
| A4. Cross Site Scripting (XSS)
| CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
| 3.2 Cross-site Scripting
|-
| A2. Injection Flaws
| A6. Injection Flaws
| CWE-89: Failure to Preserve SQL Query Structure ('SQL Injection')<br />CWE-78: Improper Sanitization of Special Elements used in an OS Command<br />CWE-94: Failure to Control Generation of Code ('Code Injection')
| 4.5 SQL Injection<br />4.4 OS Commanding<br />4.6 SSI Injection<br />4.3 LDAP Injection<br />4.7 XPath Injection
|-
| A7. Broken Authentication and Session Management
| A3. Broken Authentication and Session Management
| 
| 1.1 Brute Force<br />1.2 Insufficient Authentication<br />1.3 Weak Password Recovery Validation<br />2.1 Credential/Session Prediction<br />2.3 Insufficient Session Expiration<br />2.4 Session Fixation
|-
| A8. Insecure Cryptographic Storage
| A8. Insecure Storage
| CWE-327: Use of a Broken or Risky Cryptographic Algorithm
| 
|-
| A5. Cross Site Request Forgery (CSRF)
| 
| CWE-352: Cross-Site Request Forgery (CSRF)
| 1.4 CSRF *
|-
| A6. Information Leakage and Improper Error Handling
| A7. Improper Error Handling
| CWE-209: Error Message Information Leak
| 5.2 Information Leakage
|-
| A10. Failure to Restrict URL Access<br />A4. Insecure Direct Object Reference
| A2. Broken Access Control
| CWE-285: Improper Access Control (Authorization)<br />CWE-73: External Control of File Name or Path
| 2.2 Insufficient Authorization
|-
| A9. Insecure Communications
| 
| CWE-319: Cleartext Transmission of Sensitive Information
| 
|-
| 
| A1. Unvalidated Input
| CWE-20: Improper Input Validation
| 
|-
| 
| A5. Buffer Overflows
| CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
| 4.1 Buffer Overflow
|-
| 
| A9. Denial of Service
| CWE-404: Improper Resource Shutdown or Release
| 6.2 Denial of Service
|-
| A3. Malicious File Execution
| 
| CWE-494: Download of Code Without Integrity Check
| 
|-
| 
| A10. Insecure Configuration Management
| CWE-732: Incorrect Permission Assignment for Critical Resource<br />CWE-250: Execution with Unnecessary Privileges
| 
|-
| 
| 
| CWE-362: Race Condition
| 
|-
| 
| 
| CWE-642: External Control of Critical State Data
| 
|-
| 
| 
| CWE-426: Untrusted Search Path
| 
|-
| 
| 
| CWE-665: Improper Initialization
| 
|-
| 
| 
| CWE-682: Incorrect Calculation
| 
|-
| 
| 
| CWE-330: Use of Insufficiently Random Values
| 
|-
| 
| 
| CWE-602: Client-Side Enforcement of Server-Side Security
| 
|-
| 
| 
| CWE-116: Improper Encoding or Escaping of Output
| 
|-
| 
| 
| 
| 3.1 Content Spoofing
|-
| 
| 
| 
| 3.3 HTTP Response Splitting *
|-
| 
| 
| 
| 4.2 Format String Attack
|-
| 
| 
| 
| 5.1 Directory Indexing
|-
| 
| 
| 
| 5.3 Path Traversal
|-
| 
| 
| 
| 5.4 Predictable Resource Location
|-
| 
| 
| 
| 6.1 Abuse of Functionality
|-
| 
| 
| 
| 6.3 Insufficient Anti-automation
|-
| 
| 
| 
| 6.4 Insufficient Process Validation
|}

Added (new revision):

This page has been moved:

[[Vulnerability Classification Mappings]]