When reporting the results of your web application security assessments it is important to use a common language. This makes it easier for other parties to understand your findings and adds credibility to your report. There are many different frameworks to choose from. One of the main frameworks used is the Common Weakness Enumeration framework, or CWE for short. This is a listing of all known weaknesses managed by MITRE.
Below is a listing of some of the more common CWEs you will find when assessing web applications. Each CWE number is hyperlinked to the corresponding page on the MITRE web site if you need more information. You may want to bookmark this page now for future reference.
| CWE | Description |
|-----|-------------|
| [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| [CWE-79](https://cwe.mitre.org/data/definitions/79.html) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| [CWE-98](https://cwe.mitre.org/data/definitions/98.html) | Remote File Inclusion |
| [CWE-120](https://cwe.mitre.org/data/definitions/120.html) | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) |
| [CWE-131](https://cwe.mitre.org/data/definitions/131.html) | Incorrect Calculation of Buffer Size |
| [CWE-134](https://cwe.mitre.org/data/definitions/134.html) | Uncontrolled Format String |
| [CWE-190](https://cwe.mitre.org/data/definitions/190.html) | Integer Overflow or Wraparound |
| [CWE-209](https://cwe.mitre.org/data/definitions/209.html) | Information Exposure Through an Error Message |
| [CWE-250](https://cwe.mitre.org/data/definitions/250.html) | Execution with Unnecessary Privileges |
| [CWE-285](https://cwe.mitre.org/data/definitions/285.html) | Improper Access Control (Authorization) |
| [CWE-306](https://cwe.mitre.org/data/definitions/306.html) | Missing Authentication for Critical Function |
| [CWE-307](https://cwe.mitre.org/data/definitions/307.html) | Improper Restriction of Excessive Authentication Attempts |
| [CWE-311](https://cwe.mitre.org/data/definitions/311.html) | Missing Encryption of Sensitive Data |
| [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | Cleartext Transmission of Sensitive Information |
| [CWE-327](https://cwe.mitre.org/data/definitions/327.html) | Use of a Broken or Risky Cryptographic Algorithm |
| [CWE-352](https://cwe.mitre.org/data/definitions/352.html) | Cross-Site Request Forgery (CSRF) |
| [CWE-384](https://cwe.mitre.org/data/definitions/384.html) | Session Fixation |
| [CWE-434](https://cwe.mitre.org/data/definitions/434.html) | Unrestricted Upload of File with Dangerous Type |
| [CWE-494](https://cwe.mitre.org/data/definitions/494.html) | Download of Code Without Integrity Check |
| [CWE-521](https://cwe.mitre.org/data/definitions/521.html) | Weak Password Requirements |
| [CWE-525](https://cwe.mitre.org/data/definitions/525.html) | Password Autocomplete Set |
| [CWE-539](https://cwe.mitre.org/data/definitions/539.html) | Information Exposure Through Persistent Cookies |
| [CWE-548](https://cwe.mitre.org/data/definitions/548.html) | Browsable Directories |
| [CWE-601](https://cwe.mitre.org/data/definitions/601.html) | URL Redirection to Untrusted Site (‘Open Redirect’) |
| [CWE-613](https://cwe.mitre.org/data/definitions/613.html) | Insufficient Session Expiration |
| [CWE-615](https://cwe.mitre.org/data/definitions/615.html) | Information Exposure Through Comments |
| [CWE-640](https://cwe.mitre.org/data/definitions/640.html) | Weak Password Recovery Mechanism for Forgotten Password |
| [CWE-676](https://cwe.mitre.org/data/definitions/676.html) | Use of Potentially Dangerous Function |
| [CWE-732](https://cwe.mitre.org/data/definitions/732.html) | Incorrect Permission Assignment for Critical Resource |
| [CWE-798](https://cwe.mitre.org/data/definitions/798.html) | Use of Hard-coded Credentials |
| [CWE-807](https://cwe.mitre.org/data/definitions/807.html) | Reliance on Untrusted Inputs in a Security Decision |
| [CWE-829](https://cwe.mitre.org/data/definitions/829.html) | Inclusion of Functionality from Untrusted Control Sphere |
| [CWE-862](https://cwe.mitre.org/data/definitions/862.html) | Missing Authorization |
| [CWE-863](https://cwe.mitre.org/data/definitions/863.html) | Incorrect Authorization |