ASDR TOC Vulnerabilities


Source: https://www.owasp.org/index.php/ASDR_TOC_Vulnerabilities

  • Access control enforced by presentation layer
  • Addition of data-structure sentinel
  • Allowing password aging
  • ASP.NET Misconfigurations
  • Assigning instead of comparing
  • Authentication Bypass via Assumed-Immutable Data
  • Buffer Overflow
  • Buffer underwrite
  • Business logic vulnerability
  • Capture-replay
  • Catch NullPointerException
  • Comparing classes by name
  • Comparing instead of assigning
  • Comprehensive list of Threats to Authentication Procedures and Data
  • Covert timing channel
  • CRLF Injection
  • Cross Site Scripting Flaw
  • Dangerous Function
  • Deletion of data-structure sentinel
  • Deserialization of untrusted data
  • Directory Restriction Error
  • Double Free
  • Doubly freeing memory
  • Duplicate key in associative list (alist)
  • Empty Catch Block
  • Empty String Password
  • Failure of true random number generator
  • Failure to account for default case in switch
  • Failure to add integrity check value
  • Failure to check for certificate revocation
  • Failure to check integrity check value
  • Failure to check whether privileges were dropped successfully
  • Failure to deallocate data
  • Failure to drop privileges when reasonable
  • Failure to encrypt data
  • Failure to follow chain of trust in certificate validation
  • Failure to follow guideline/specification
  • Failure to protect stored data from modification
  • Failure to provide confidentiality for stored data
  • Failure to validate certificate expiration
  • Failure to validate host-specific certificate data
  • File Access Race Condition: TOCTOU
  • Format String
  • Guessed or visible temporary file
  • Hard-Coded Password
  • Heap Inspection
  • Heap overflow
  • Ignored function return value
  • Illegal Pointer Value
  • Improper cleanup on thrown exception
  • Improper Data Validation
  • Improper error handling
  • Improper string length checking
  • Improper temp file opening
  • Incorrect block delimitation
  • Information Leakage
  • Information leak through class cloning
  • Information leak through serialization
  • Injection problem
  • Insecure Compiler Optimization
  • Insecure Randomness
  • Insecure Temporary File
  • Insecure Third Party Domain Access
  • Insecure Transport
  • Insufficient Entropy
  • Insufficient entropy in pseudo-random number generator
  • Insufficient Session-ID Length
  • Integer coercion error
  • Integer overflow
  • Invoking untrusted mobile code
  • J2EE Misconfiguration: Unsafe Bean Declaration
  • Key exchange without entity authentication
  • Least Privilege Violation
  • Leftover Debug Code
  • Log Forging
  • Log injection
  • Member Field Race Condition
  • Memory leak
  • Miscalculated null termination
  • Misinterpreted function return value
  • Missing Error Handling
  • Missing parameter
  • Missing XML Validation
  • Mutable object returned
  • Non-cryptographic pseudo-random number generator
  • Not allowing password aging
  • Not using a random initialization vector with cipher block chaining mode
  • Null Dereference
  • Object Model Violation: Just One of equals() and hashCode() Defined
  • Often Misused: Authentication
  • Often Misused: Exception Handling
  • Often Misused: File System
  • Often Misused: Privilege Management
  • Often Misused: String Management
  • Omitted break statement
  • Open forward
  • Open redirect
  • Overflow of static internal buffer
  • Overly-Broad Catch Block
  • Overly-Broad Throws Declaration
  • Passing mutable objects to an untrusted method
  • Password Management: Hardcoded Password
  • Password Management: Weak Cryptography
  • Password Plaintext Storage
  • PHP File Inclusion
  • Poor Logging Practice
  • Portability Flaw
  • Privacy Violation
  • PRNG Seed Error
  • Process Control
  • Publicizing of private data when using inner classes
  • Race Conditions
  • Reflection attack in an auth protocol
  • Reflection injection
  • Relative path library search
  • Reliance on data layout
  • Relying on package-level scope
  • Resource exhaustion
  • Return Inside Finally Block
  • Reusing a nonce, key pair in encryption
  • Session_Fixation
  • Sign extension error
  • Signed to unsigned conversion error
  • Stack overflow
  • State synchronization error
  • Storing passwords in a recoverable format
  • String Termination Error
  • Symbolic name not mapping to correct object
  • Template:Vulnerability
  • Truncation error
  • Trust Boundary Violation
  • Trust of system event data
  • Trusting self-reported DNS name
  • Trusting self-reported IP address
  • Uncaught exception
  • Unchecked array indexing
  • Unchecked Return Value: Missing Check against Null
  • Undefined Behavior
  • Uninitialized Variable
  • Unintentional pointer scaling
  • Unreleased Resource
  • Unrestricted File Upload
  • Unsafe function call from a signal handler
  • Unsafe JNI
  • Unsafe Mobile Code
  • Unsafe Reflection
  • Unsigned to signed conversion error
  • Use of hard-coded password
  • Use of Obsolete Methods
  • Use of sizeof() on a pointer type
  • Using a broken or risky cryptographic algorithm
  • Using a key past its expiration date
  • Using freed memory
  • Using password systems
  • Using referer field for authentication or authorization
  • Using single-factor authentication
  • Using the wrong operator
  • Validation performed in client
  • Wrap-around error
  • Write-what-where condition
Amazing Christmas Web element from graphic river
Related articles

Google Plus & RSS

 
  Google+

Search

Categories