This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Periodic Table of Vulnerabilities

Revision as of 03:47, 27 February 2013 by James Landis (talk | contribs)

Jump to: navigation, search

After 20 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.

The most scalable and effective approach to addressing vulnerability classes is to fix the browsers, standards, and protocols that enable web applications. This approach can sometimes increase security for every application on the internet without changing a single custom application. Less scalable, but almost as effective is to address vulnerabilities in perimeter technologies such as application firewalls, load balancers, geocaching services and proxies.

These technologies can shield vulnerable applications without requiring changes to the applications themselves. The next most scalable approach requires upgrading popular application frameworks so they are robust against common attack classes. Finally, organizations can customize application frameworks to support their own application-specific APIs and security controls that developers can leverage during development instead of having to build the controls in during their daily coding efforts. If none of these options are possible for a given vulnerabillity class, developers will be required to protect against that class in every line of code that they write, which does not scale effectively at all.

Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the protection options are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.

Vulnerability Standards Infrastructure Generic Framework Custom Framework Custom Code
Abuse of Functionality All features should have defined abuse cases and implemented protections against these abuses.
Application Misconfiguration Ensure proper application settings are deployed in configuration file/s. Varies by platform and technology stack.
Brute Force (Generic) / Insufficient Anti-automation Perimeter technologies including geocaching/proxy services must support automatic and/or manual "panic button" anti-automation, enforcing progressive CAPTCHA for unvalidated requests, triggering on excessive 5XX responses, or direct signal from application. Provide configurable per-user/session request rate limits. Provide a common configuration functionality available to any feature. Any feature sensitive to high transaction rates should expose configurable rate limits per user or globally per feature.
Brute Force Login Provide progressive lockout for failed authentication requests to a single account and detection/alerting for fixed-password variable-username attack detection.
Brute Force Session Identifier Detect and alert on a configurable rate of session ID cache misses.
Brute Force Predictable Resource Location/Insecure Indexing Generic anti-automation response should trigger during spikes in 4XX responses. Provide a configurable GUID-based obfuscator for sensitive parameter values. Do not expose administrative interfaces on the same path as user interfaces. Require authentication wherever possible. Create independent interfaces for administrative access and enforce stricter authentication rules.
Buffer Overflow Defend infrastructure from known exploit signatures (e.g. CodeRed) and alert/block parameter anomalies. Build on a memory-managed code platform or otherwise prohibit direct memory management.
Clickjacking Browser vendors should standardize on CSP directives to support safe framing options for framed sites. Support configurable options for setting X-Frame-Options header and automatically embedding framebusting code in HTML/Script/CSS for older user agents that do not support XFO.
Content Spoofing Provide a new response status code for "File not found, but show custom 404 content body AND replace the URL displayed in the title bar because the current requested URL will confuse users". If the framework supports user-supplied content, such content must be clearly marked as such in the display context. Alert when custom 404 is displayed.
Cookie Theft/Session Hijacking Terminate/regenerate session if the session token is transmitted insecurely. Enforce Secure and HttpOnly flags for all cookies. Alert user and deauthorize oldest session when multiple simultaneous login is detected. Terminate session if User-Agent string or other client fingerprinting changes. Terminate session if user acceses login page.
Credential/Session Prediction Provide a secure random token generator AND use it to generate session IDs.
Cross-Site Scripting (XSS) Browser vendors and standards bodies should agree on markup for elements to contain dynamic content (e.g. Flash, JavaScript, HTML, etc.) inline without allowing the dynamic content to perform malicious actions such as navigating the parent window, reading or writing data across trust boundaries, or other undesirable behaviors as determined by the owner of the containing page. Automatically sanitize any dynamic content before writing it into HTML, XML, or other documents that might be rendered by user agents that execute active content. If dynamic content must include dangerous elements, provide APIs which filter and sanitize potentially dangerous attributes of these elements. Exceptions and attribute configurations should be described by a policy file instead of hard-coded into the framework itself or into function calls.
Cross Site Scripting (XSS) - DOM-Based "Web 2.0" frameworks must expose an API for page creation/modification that does not use document.write/ln or allow dynamic data to be injected into innerHTML or similar DOM element attributes.
Cross-Site Request Forgery Change default browser behavior to look for policy file for cross-domain writes instead of "default allow", transitioning through CSP framework. Automatically generate and check tokens for all POST requests by default, with configuration-based exclusion list.
Denial of Service (Application Based) See Brute Force (Generic) Profile resource-dependent transactions and build transaction queues and alerting when queues reach thresholds. Enforce transaction-based rate limits.
Denial of Service (Connection Based) Recognize and dynamically adapt to deliberately slowed connection attempts by dropping slower connections during a detected event. The perimeter should protect itself and the Web server from saturation by slow connections.
Directory Indexing Disable directory listings in the web- or application-server configuration by default.
Fingerprinting Infrastructure should not leak any information which can be used to identify the platform or infrastructure technology. Perimeter technologies should strip all such information from outgoing responses. URL structure should not reveal the underlying technology.
Format String Alert and/or block on known format string signatures. Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead.
HTTP Request/Response Smuggling Tighten RFC standards to describe precise behavior for malformed request/response data. Shame non-conforming implementations into compliance. Increase SSL adoption to prevent proxy tampering. Enforce strict parity match between requests and responses, discarding extraneous Content-Length headers and canonicalizing requests/responses.
HTTP Response Splitting Automatically URL-encode CRLF characters in dynamic data before writing to HTTP response headers.
HTTP Request Splitting Tighten RFC standards to describe precise behavior for malformed requests. Shame non-conforming implementations into compliance. Increase SSL adoption to prevent proxy poisoning. Enforce strict canonicalization on all incoming HTTP requests.
Implicit Logout Detect when a user browses away from the site and automatically log the user out of the application.
Improper Filesystem Permissions Ensure that proper file and directory permissions are applied. Enforce stricter default permissions.
Improper Input Handling Provide canonicalization and positive validation APIs for common data types, with configurable rules to reject or sanitize bad data. Provide canonicalization and positive validation APIs for custom data types, strictly enforcing business rules, with configurable rules to reject or sanitize bad data. Never use primitives in custom code.
Improper Output Handling Provide context-sensitive encoders for all common data types in all output contexts, ensuring no custom code can write directly to output. Provide context-sensitive encoders for all custom data types in all output contexts, ensuring no custom code can write directly to output.
Information Leakage Alert, block, or sanitize classified data in responses. Automatically scrub HTML, JavaScript, CSS, and other data formats of comment data and stack traces. Configure platform to return generic error codes by default and log locally. Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs. Don't leak information via error parity mismatches.
Insufficient Authentication/Authorization Provide configuration-based authentication and authorization platform. Apply least-privilege principle to all transactions, requiring authentication and authorization where applicable.
Insufficient Data Protection Provide a configuration-based suite of encryption utilities for all data security needs including HMAC, symmetric, password hash, and asymmetric encryption requirements.
Insufficient Password Recovery Provide generic credential recovery with configurable "secret question" and multi-factor side-channel authentication functionality (e.g. SMS, email, etc.).
Insufficient Process Validation Require state validation rules to be specified for multi-step flows. Enforce state validation for asynchronous transactions.
Insufficient Session Expiration Provide and enforce configurable absolute and inactivity-based session timeouts.
Insufficient Transport Layer Protection Fix DNS and browser technologies so that the intent of domain owners can be more strictly followed. Enforce Strict Transport Security and redirect any HTTP request to HTTPS.
Integer Overflow/Underflow Provide safe wrappers for primitive numeric types. Never use primitives without strict checking for underflow/overflow conditions.
LDAP Injection Provide safe libraries for LDAP communication which properly encode dynamic data.
Mail Command Injection Provide safe libraries for SMTP and IMAP interaction that properly encode dynamic data.
Null Byte Injection Alert and/or block on known null byte attacks. Provide safe libraries that automatically encode dynamic data in any context which uses null bytes as control characters.
OS Commanding Build safe wrappers for system calls which prevent dynamic data from changing the intended meaning of the call.
Path Traversal Canonicalize URLs and prevent directory access outside the web root. Provide safe libraries for accessing the file system which canonicalize path references and enforce proper access control.
Race Conditions Prevent singletons from instantiating class-scope objects. Provide transaction integrity for task queues.
Remote File Inclusion Define a standard for safe inclusion of 3rd-party code and content which enforces namespace separation and mediates namespace/DOM access. Provide proxy library to sanitize/sandbox third-party code and content for safe inclusion (e.g. Caja).
Routing Detour Provide configuration-based whitelist for WS Routing destinations.
Server Misconfiguration Ensure proper application settings are deployed in configuration file/s. Provide secure default settings.
Session Fixation Do not start sessions with user-provided tokens and rotate session IDs periodically during longer sessions. Reissue new tokens automatically whenever the privilege level of the user changes.
SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion Perform schema validation of XML structure on incoming requests.
SSI Injection Do not support SSI with dynamic file names.
SQL Injection Provide safe libraries for communicating with SQL servers which enforce parameterized query patterns. Do not create queries with dynamic data in stored procedures.
URL Redirector Abuse Provide configurable white list for redirection URLs in 3XX responses, Refresh headers, and JavaScript redirects.
Weak Authentication Methods Reject HTTP Basic Auth, NTLM, and Digest Authentication requests.
XPath Injection Provide safe libraries for constructing XPath queries with dynamic data.
XML External Entities Disable External Entities within the XML parser.
XML Injection Provide safe libraries for constructing XML documents which automatically encode dynamic data.
XQuery Injection Provide safe libraries for XQuery construction which parameterize query values.
What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP_Periodic_Table_of_Vulnerabilities (home page)
Purpose: There are many anthologies of vulnerabilities and weaknesses (including CWE-25, TCv2, and OWASP top 10), but there is no attempt to classify these issues based on how they should best be solved. In the past, we have tried to teach developers how to avoid introducing these problems, but it appears via the lesson of Buffer Overflow that the only way we'll ever eliminate them is to make it impossible for developers to write vulnerable code at all. The periodic table classifies issues based on the most scalable solution, whether that be in frameworks, perimeter technologies, custom code, or fixing the browsers and standards responsible.
License: Creative Commons Attribution ShareAlike 3.0 License
who is working on this project?
Project Leader(s):
  • James Landis @
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact James Landis @ to contribute to this project
  • Contact James Landis @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases

This project is part of the OWASP Builders community.
Feel free to browse other projects within the Defenders, Builders, and Breakers communities.