Vulnerability Classification Mappings
Revision as of 01:47, 22 January 2010 by Dancornell (talk | contribs) (Created page with 'This is still a work in progress - the Wiki markup language makes it challenging to translate the [http://blog.denimgroup.com/denim_group/2010/01/mapping-between-owasp-top-10-200…')
This is still a work in progress - the Wiki markup language makes it challenging to translate the original mapping document. Please send comments or feedback to dan.cornell _at_ owasp.org.
| OWASP Top 10 (2007) | OWASP Top 10 (2004) | CWE | WASC Threat Classification |
|---|---|---|---|
| A1. Cross Site Scripting (XSS) | A4. Cross Site Scripting (XSS) | CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting') | 3.2 Cross-site Scripting |
| A2. Injection Flaws | A6. Injection Flaws | CWE-89: Failure to Preserve SQL Query Structure ('SQL Injection'); CWE-78: Improper Sanitization of Special Elements used in an OS Command; CWE-94: Failure to Control Generation of Code ('Code Injection') | 4.5 SQL Injection; 4.4 OS Commanding; 4.6 SSI Injection; 4.3 LDAP Injection; 4.7 XPath Injection |
| A7. Broken Authentication and Session Management | A3. Broken Authentication and Session Management | | 1.1 Brute Force; 1.2 Insufficient Authentication; 1.3 Weak Password Recovery Validation; 2.1 Credential/Session Prediction; 2.3 Insufficient Session Expiration; 2.4 Session Fixation |
| A8. Insecure Cryptographic Storage | A8. Insecure Storage | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | |
| A5. Cross Site Request Forgery (CSRF) | | CWE-352: Cross-Site Request Forgery (CSRF) | 1.4 CSRF * |
| A6. Information Leakage and Improper Error Handling | A7. Improper Error Handling | CWE-209: Error Message Information Leak | 5.2 Information Leakage |
| A10. Failure to Restrict URL Access; A4. Insecure Direct Object Reference | A2. Broken Access Control | CWE-285: Improper Access Control (Authorization); CWE-73: External Control of File Name or Path | 2.2 Insufficient Authorization |
| A9. Insecure Communications | | CWE-319: Cleartext Transmission of Sensitive Information | |
| | A1. Unvalidated Input | CWE-20: Improper Input Validation | |
| | A5. Buffer Overflows | CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer | 4.1 Buffer Overflow |
| | A9. Denial of Service | CWE-404: Improper Resource Shutdown or Release | 6.2 Denial of Service |
| A3. Malicious File Execution | | CWE-494: Download of Code Without Integrity Check | |
| | A10. Insecure Configuration Management | CWE-732: Incorrect Permission Assignment for Critical Resource; CWE-250: Execution with Unnecessary Privileges | |
| | | CWE-362: Race Condition | |
| | | CWE-642: External Control of Critical State Data | |
| | | CWE-426: Untrusted Search Path | |
| | | CWE-665: Improper Initialization | |
| | | CWE-682: Incorrect Calculation | |
| | | CWE-330: Use of Insufficiently Random Values | |
| | | CWE-602: Client-Side Enforcement of Server-Side Security | |
| | | CWE-116: Improper Encoding or Escaping of Output | |
| | | | 3.1 Content Spoofing |
| | | | 3.3 HTTP Response Splitting * |
| | | | 4.2 Format String Attack |
| | | | 5.1 Directory Indexing |
| | | | 5.3 Path Traversal |
| | | | 5.4 Predictable Resource Location |
| | | | 6.1 Abuse of Functionality |
| | | | 6.3 Insufficient Anti-automation |
| | | | 6.4 Insufficient Process Validation |