Kiuwan CWE declaration

The following is the list of common software security weaknesses (CWE) covered by the Kiuwan engines. Each entry gives the CWE identifier, the language-specific rule description and the Kiuwan rule identifier.

CWE-5 (Java) Acegi Misconfiguration – Insecure Channel Mixing OPT.JAVA.SEC_JAVA.AcegiInsecureChannelMixingRule
CWE-5 (Java) Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE-7 (Java) Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE-11 (ASP.NET) Avoid leaving debug mode enabled. OPT.ASPNET.AvoidEnabledDebugMode
CWE-12 (ASP.NET) Configure default error handling to avoid leaking too many details. OPT.ASPNET.EnableCustomErrorPage
CWE-15 (Java) External control of system or configuration setting. OPT.JAVA.SEC_JAVA.ExternalControlOfConfigurationSetting
CWE-15 (C#) Registry manipulation. OPT.CSHARP.SEC.RegistryManipulation
CWE-20 (Java) Request parameters should not be passed into Session without sanitizing. OPT.JAVA.SEC_JAVA.RequestParametersInSessionRule
CWE-20 (ASP.NET) The value of ValidateRequest in pages must be set to true to prevent code injection attacks. OPT.ASPNET.AvoidDisabledValidateRequest
CWE-20 (ASP.NET) The validateRequest attribute value should be true to prevent code injection attacks. OPT.ASPNET.AvoidDisabledValidateRequestConfig
CWE-20 (Cobol) Do not ACCEPT data from untrusted sources OPT.COBOL.SEC.NoAcceptFromUntrustedSource
CWE-20 (C#) Unvalidated model in MVC controller. OPT.CSHARP.SEC.UnvalidatedAspNetModel
CWE-20 (HTML) Form validation disabled. OPT.HTML.FormValidationOff
CWE-22 (Java) Avoid non-neutralized user-controlled input composed in a pathname to a resource. OPT.JAVA.SEC_JAVA.PathTraversalRule
CWE-22 (Javascript) Do not allow external input to control paths used in filesystem operations. OPT.JAVASCRIPT.PathManipulation
CWE-22 (Abap) External control in paths used in filesystem operations OPT.ABAP.SEC.PathManipulation
CWE-22 (Cobol) Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.COBOL.SEC.PathTraversal
CWE-22 (C#) Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.CSHARP.PathTraversal
CWE-22 (Objective-C) Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.OBJECTIVEC.PathManipulationVulnerability
CWE-22 (PHP) Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.PHP.PathTraversal
CWE-22 (RPG IV) Avoid user input in paths used in filesystem operations OPT.RPG4.SEC.PathManipulation
CWE-73 (Java) Avoid non-neutralized user-controlled input composed in a pathname to a resource. OPT.JAVA.SEC_JAVA.PathTraversalRule
CWE-73 (Javascript) Do not allow external input to control paths used in filesystem operations. OPT.JAVASCRIPT.PathManipulation
CWE-73 (Abap) External control in paths used in filesystem operations OPT.ABAP.SEC.PathManipulation
CWE-73 (Cobol) Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.COBOL.SEC.PathTraversal
CWE-73 (C#) Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.CSHARP.PathTraversal
CWE-73 (Objective-C) Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.OBJECTIVEC.PathManipulationVulnerability
CWE-73 (PHP) Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.PHP.PathTraversal
CWE-73 (RPG IV) Avoid user input in paths used in filesystem operations OPT.RPG4.SEC.PathManipulation
CWE-78 (Java) Avoid non-neutralized user-controlled input composed in a command. OPT.JAVA.SEC_JAVA.CommandInjectionRule
CWE-78 (Abap) Command Injection OPT.ABAP.SEC.CommandInjection
CWE-78 (Cobol) Operating-System Command Injection OPT.COBOL.SEC.OSCommandInjection
CWE-78 (C++) CERT C ENV04: Do not call system() if you do not need a command processor OPT.CPP.CERTC.ENV04
CWE-78 (C++) CERT C STR02: Sanitize data passed to sensitive subsystems OPT.CPP.CERTC.STR02
CWE-78 (C#) Avoid non-neutralized user-controlled input to be part of an OS command OPT.CSHARP.CommandInjection
CWE-78 (Objective-C) Do not call system() if you do not need a command processor OPT.OBJECTIVEC.DoNotUseSystem
CWE-78 (PHP) Avoid non-neutralized user-controlled input to be part of an OS command OPT.PHP.CommandInjection
CWE-78 (RPG IV) Avoid executing OS Commands potentially controlled by external input OPT.RPG4.SEC.OSCommandInjection
CWE-78 (Python) Avoid non-neutralized user-controlled input to be part of an OS command OPT.PYTHON.SECURITY.CommandInjection
CWE-79 (Java) Improper neutralization of input during web content generation (Cross-site Scripting, XSS). OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule
CWE-79 (Javascript) Avoid sending unvalidated data to a web browser. OPT.JAVASCRIPT.CrossSiteScripting
CWE-79 (Abap) Improper neutralization of output during web content generation (Cross-site Scripting, XSS) OPT.ABAP.SEC.CrossSiteScripting
CWE-79 (ASP.NET) Do not set EnableViewStateMac=false. OPT.ASPNET.EnableViewStateMac
CWE-79 (Cobol) Sending unvalidated data to a web browser can result in the browser executing malicious code OPT.COBOL.SEC.CrossSiteScripting
CWE-79 (C#) Web content generation from improperly sanitized input and unescaped output (Cross-site Scripting, XSS) OPT.CSHARP.CrossSiteScripting
CWE-79 (PHP) Improper neutralization of input during web content generation (Cross-site Scripting, XSS) OPT.PHP.CrossSiteScripting
CWE-79 (ASP.NET) Prevent MIME sniffing. OPT.ASPNET.PreventMIMESniffing
CWE-79 (Objective-C) Web content generation from improperly sanitized input (Cross-site Scripting, XSS). OPT.OBJECTIVEC.CrossSiteScripting
CWE-79 (C#) Web content generation from improperly sanitized database data and unescaped output (Stored Cross-site Scripting, XSS) OPT.CSHARP.StoredCrossSiteScripting
CWE-79 (PHP) Improper neutralization of stored data during web content generation (Cross-site Scripting, XSS) OPT.PHP.StoredCrossSiteScripting
CWE-80 (Javascript) Avoid sending unvalidated data to a web browser. OPT.JAVASCRIPT.CrossSiteScripting
CWE-80 (Java) Use defaultHtmlEscape=true with SpringMVC for better cross-site scripting prevention. OPT.JAVA.SEC_JAVA.SpringNoAntiXssConfiguration
CWE-88 (C++) CERT C ENV04: Do not call system() if you do not need a command processor OPT.CPP.CERTC.ENV04
CWE-88 (C++) CERT C STR02: Sanitize data passed to sensitive subsystems OPT.CPP.CERTC.STR02
CWE-88 (Objective-C) Do not call system() if you do not need a command processor OPT.OBJECTIVEC.DoNotUseSystem
CWE-89 (Java) Use bind (or named) parameters in HQL and native SQL queries OPT.HIBERNATE.BindParametersInQueries
CWE-89 (Java) Avoid SQL code formed with non-neutralized user input in iBatis. OPT.JAVA.SEC_JAVA.IBatisSqlInjectionRule
CWE-89 (Java) Avoid SQL code formed with non-neutralized user input. OPT.JAVA.SEC_JAVA.SqlInjectionRule
CWE-89 (Javascript) Do not allow the construction of dynamic SQL statements with an external input. OPT.JAVASCRIPT.SqlInjection
CWE-89 (Transact-SQL) Avoid dynamic SQL statements as much as possible OPT.TRANSACTSQL.AvoidDynamicSql
CWE-89 (Abap) Dynamic SQL with user input allows execution of unintended SQL commands OPT.ABAP.SEC.SqlInjection
CWE-89 (Cobol) Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) OPT.COBOL.SEC.SqlInjection
CWE-89 (C#) Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) OPT.CSHARP.SqlInjection
CWE-89 (Objective-C) Avoid SQL injection vulnerabilities OPT.OBJECTIVEC.AvoidSqlInjection
CWE-89 (Oracle Forms) Avoid SQL Injection issues in Oracle Forms OPT.ORACLEFORMS.SqlInjection
CWE-89 (PHP) Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) OPT.PHP.SqlInjection
CWE-89 (RPG IV) Avoid dynamic SQL statements without parameters (SQL Injection) OPT.RPG4.SEC.SqlInjection
CWE-89 (Java) Content Provider URI Injection OPT.JAVA.ANDROID.ContentProviderUriInjection
CWE-90 (Java) Avoid non-neutralized user-controlled input in LDAP search filters. OPT.JAVA.SEC_JAVA.LdapInjectionRule
CWE-90 (C#) Avoid non-neutralized user-controlled input in LDAP search filters. OPT.CSHARP.LdapInjection
CWE-90 (PHP) Avoid non-neutralized user-controlled input in LDAP search filters OPT.PHP.LdapInjection
CWE-91 (Java) XSLT Injection OPT.JAVA.SEC_JAVA.XsltInjection
CWE-91 (C#) Avoid using non-neutralized user-controlled input in JSON entities OPT.CSHARP.JSONInjection
CWE-91 (C#) Avoid using non-neutralized user-controlled input when creating XML documents OPT.CSHARP.XMLInjection
CWE-91 (Objective-C) Avoid using non-neutralized user-controlled input in JSON entities. OPT.OBJECTIVEC.JSONInjection
CWE-93 (Java) Mail Command Injection OPT.JAVA.SEC_JAVA.MailCommandInjection
CWE-93 (PHP) SMTP Header manipulation. OPT.PHP.MailHeaderManipulation
CWE-94 (Java) Dynamic code injection during XML deserialization OPT.JAVA.SEC_JAVA.CodeInjectionWithDeserializationRule
CWE-94 (Javascript) Avoid interpreting user-controlled instructions at run-time. OPT.JAVASCRIPT.CodeInjection
CWE-94 (JSP) JSP File Inclusion vulnerability OPT.JSP.SEC_JSP.FileInclusionVulnerability
CWE-94 (C#) Avoid non-neutralized user-controlled input in dynamic code evaluation. OPT.CSHARP.CodeInjection
CWE-94 (Objective-C) Avoid non-neutralized user-controlled input in dynamic code evaluation. OPT.OBJECTIVEC.CodeInjection
CWE-94 (ASP.NET) Do not use Content Delivery Network (CDN) for JavaScript code. OPT.ASPNET.AvoidContentDeliveryNetwork
CWE-95 (Java) Dynamic code injection in scripting API OPT.JAVA.SEC_JAVA.CodeInjectionRule
CWE-95 (Javascript) Avoid interpreting user-controlled instructions at run-time. OPT.JAVASCRIPT.CodeInjection
CWE-95 (Abap) Avoid Dynamic Code constructs OPT.ABAP.SEC.DynamicCode
CWE-95 (Abap) Avoid dynamic constructs controlled by external input OPT.ABAP.SEC.DynamicConstructs
CWE-95 (JSP) Expression Language (EL / OGNL) injection OPT.JSP.SEC_JSP.ExpressionLanguageInjection
CWE-95 (PHP) Do not use eval() OPT.PHP.AvoidEval
CWE-95 (PHP) Avoid non-neutralized user-controlled input to be part of code executed by the PHP engine OPT.PHP.CodeInjection
CWE-95 (Objective-C) Avoid non-neutralized user-controlled input in dynamic code evaluation. OPT.OBJECTIVEC.CodeInjection
CWE-98 (PHP) Improper Control of filename for include / require statement OPT.PHP.IncludeFileInjection
CWE-99 (Javascript) Do not allow external input to control resource identifiers. OPT.JAVASCRIPT.ResourceInjection
CWE-99 (Cobol) Avoid unchecked control of a system resource whose name could depend on user-controlled input OPT.COBOL.SEC.Cobol_ResourceInjection
CWE-99 (PHP) Avoid non-neutralized user-controlled input in resource identifiers for connection-oriented functions OPT.PHP.ResourceInjection
CWE-99 (Java) Intent Manipulation OPT.JAVA.ANDROID.IntentManipulation
CWE-99 (C#) Connection string polluted with untrusted input. OPT.CSHARP.SEC.ConnectionStringParameterPollution
CWE-99 (C#) Improper control of resource identifiers ("Resource Injection") OPT.CSHARP.SEC.ResourceInjection
CWE-111 (Java) Avoid calls from Java to native (JNI) code. OPT.JAVA.SEC_JAVA.AvoidNativeCallsRule
CWE-113 (Java) Improper neutralization of CR/LF Sequences in HTTP headers. OPT.JAVA.SEC_JAVA.HttpSplittingRule
CWE-113 (Javascript) Avoid including unvalidated data in HTTP response header or in Cookies. OPT.JAVASCRIPT.HeaderManipulation
CWE-113 (Abap) Unvalidated data in HTTP response header OPT.ABAP.SEC.HttpHeaderManipulation
CWE-113 (ASP.NET) Non-strict HTTP header validation. OPT.ASPNET.HeaderValidationMisconfiguration
CWE-113 (Cobol) Unvalidated data in HTTP response header OPT.COBOL.SEC.HTTPHeaderManipulation
CWE-113 (PHP) Improper neutralization of CR/LF Sequences in HTTP headers OPT.PHP.HttpSplitting
CWE-113 (C#) Improper neutralization of CR/LF Sequences in HTTP headers. OPT.CSHARP.SEC.HttpSplittingRule
CWE-114 (Java) Library loaded from untrusted source OPT.JAVA.SEC_JAVA.ProcessControlRule
CWE-114 (Abap) Avoid dynamic constructs controlled by external input OPT.ABAP.SEC.DynamicConstructs
CWE-114 (Cobol) Avoid calling a subprogram whose name could be controlled by user input OPT.COBOL.SEC.Cobol_ProcessControl
CWE-114 (Java) Discourage dynamically loading code. OPT.JAVA.ANDROID.DynamicallyLoadingCode
CWE-114 (RPG IV) Avoid calling a subprogram whose name could be controlled by user input OPT.RPG4.SEC.ProcessControl
CWE-114 (C#) Do not load executables or libraries from untrusted sources. OPT.CSHARP.SEC.ProcessControl
CWE-116 (PHP) CSV Excel macro injection. OPT.PHP.CsvFormulaInjection
CWE-117 (Java) Unvalidated untrusted input in log. OPT.JAVA.SEC_JAVA.LogForging
CWE-117 (PHP) Unvalidated untrusted input in log. OPT.PHP.LogForging
CWE-119 (C++) CERT C ARR33: Guarantee that copies are made into storage of sufficient size OPT.CPP.CERTC.ARR33
CWE-119 (C++) CERT C ARR35: Do not allow loops to iterate beyond the end of an array OPT.CPP.CERTC.ARR35
CWE-119 (C++) CERT C ENV01: Do not make assumptions about the size of an environment variable OPT.CPP.CERTC.ENV01
CWE-119 (C++) CERT C STR31: Guarantee that storage for strings has sufficient space for character data and the null terminator OPT.CPP.CERTC.STR31
CWE-119 (C++) CERT C STR33: Size wide character strings correctly OPT.CPP.CERTC.STR33
CWE-120 (C++) CERT C STR35: Do not copy data from an unbounded source to a fixed-length array OPT.CPP.CERTC.STR35
CWE-120 (Objective-C) Avoid C library functions that do not check for bounds. OPT.OBJECTIVEC.AvoidInsecureCStringFunctions
CWE-120 (C#) Potential memory corruption. OPT.CSHARP.SEC.BufferOverflow
CWE-129 (C++) CERT C ARR38: Do not add or subtract an integer to a pointer if resulting value does not refer to a valid array element OPT.CPP.CERTC.ARR38
CWE-134 (Java) Exclude unsanitized user input from format strings. OPT.JAVA.SEC_JAVA.FormatStringInjectionRule
CWE-134 (C++) CERT C FIO30: Exclude user input from format strings OPT.CPP.CERTC.FIO30
CWE-134 (Objective-C) Exclude user input from format strings OPT.OBJECTIVEC.FormatStringVulnerability
CWE-135 (C++) CERT C STR33: Size wide character strings correctly OPT.CPP.CERTC.STR33
CWE-159 (Java) Connection string polluted with untrusted input. OPT.JAVA.SEC_JAVA.ConnectionStringParameterPollution
CWE-159 (PHP) Connection string polluted with untrusted input. OPT.PHP.ConnectionStringParameterPollution
CWE-170 (C++) CERT C POS30: Use the readlink() function properly OPT.CPP.CERTC.POS30
CWE-170 (C++) CERT C STR32: Null-terminate byte strings as required OPT.CPP.CERTC.STR32
CWE-171 (Java) Always canonicalize path names. OPT.JAVA.SEC_JAVA.InputPathNotCanonicalizedRule
CWE-180 (Java) Always normalize system inputs. OPT.JAVA.SEC_JAVA.UnnormalizedInputString
CWE-185 (Java) Regular expression injection. OPT.JAVA.SEC_JAVA.RegexInjectionRule
CWE-185 (C#) Prevent denial of service attack through malicious regular expression OPT.CSHARP.DoSRegexp
CWE-185 (Objective-C) DoS caused by regular expression injection. OPT.OBJECTIVEC.DoSRegularExpression
CWE-185 (Abap) Regular expression injection. OPT.ABAP.SEC.RegexInjection
CWE-185 (ASP.NET) Regular expression in RegularExpressionValidator may be used for denial of service. OPT.ASPNET.ReDoSInRegularExpressionValidator
CWE-185 (PHP) Prevent denial of service attack through malicious regular expression OPT.PHP.DoSRegexp
CWE-190 (C++) CERT C INT35: Evaluate integer expressions in a larger size before comparing or assigning to that size OPT.CPP.CERTC.INT35
CWE-193 (C++) CERT C STR31: Guarantee that storage for strings has sufficient space for character data and the null terminator OPT.CPP.CERTC.STR31
CWE-200 (Java) Generate server-side cookies with adequate security properties. OPT.JAVA.SEC_JAVA.UnsafeCookieRule
CWE-200 (Java) Check the HTTP method used to send the request. OPT.JAVA.JAX.CheckHTTPMethods
CWE-200 (Java) Specify an endpoint interface to avoid exposing all the public methods. OPT.JAVA.JAX.AvoidExposingAllEndpointlPublicMethods
CWE-200 (ASP.NET) Service metadata exposure. OPT.ASPNET.ServiceMetadataVisibility
CWE-200 (PHP) Zend framework session management configuration. OPT.PHP.ZendConfiguration
CWE-200 (RPG IV) Every READE command must be preceded by SETLL OPT.RPG4.SEC.PositionBeforeReadFile
CWE-200 (C#) Generate server-side cookies with adequate security properties. OPT.CSHARP.SEC.UnsafeCookie
CWE-200 (C#) Insecure Mail Transport. OPT.CSHARP.SEC.InsecureEmailTransport
CWE-200 (Abap) Avoid hardcoding current server date checks (sy-datum) into the code. OPT.ABAP.SEC.HardcodedDateCheck
CWE-200 (Abap) Avoid hardcoding sensitive information. OPT.ABAP.SEC.HardcodedSensitiveData
CWE-203 (C#) Cross-Site History Manipulation (XSHM). OPT.CSHARP.SEC.CrossSiteHistoryManipulation
CWE-215 (Cobol) Information Exposure Through Debug Information OPT.COBOL.SEC.NoActiveDebug
CWE-233 (C#) Request data is accessed in an ambiguous way, which can leave it open to attack. OPT.CSHARP.SEC.HttpRequestValueShadowing
CWE-235 (Java) HTTP parameter pollution (HPP) OPT.JAVA.SEC_JAVA.HttpParameterPollutionRule
CWE-235 (C#) HTTP parameter pollution (HPP) OPT.CSHARP.SEC.HttpParameterPollution
CWE-235 (PHP) HTTP parameter pollution (HPP) OPT.PHP.HttpParameterPollution
CWE-242 (C++) CERT C POS33: Do not use vfork() OPT.CPP.CERTC.POS33
CWE-245 (Java) Avoid direct database connection in J2EE applications. OPT.JAVA.SEC_JAVA.AvoidJ2EEDirectDatabaseConnection
CWE-246 (Java) Avoid explicit socket usage in J2EE applications. OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitSocket
CWE-252 (Cobol) Validate return code for cryptographic operations OPT.COBOL.SEC.CheckCryptoReturnCode
CWE-252 (C++) CERT C MEM32: Detect and handle memory allocation errors OPT.CPP.CERTC.MEM32
CWE-252 (C#) Ignoring the result of a method may cause the software to overlook states or unexpected conditions. OPT.CSHARP.UncheckedReturnValue
CWE-252 (RPG IV) Validate return code for cryptographic operations. OPT.RPG4.SEC.CheckCryptoReturnCode
CWE-259 (Javascript) Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied. OPT.JAVASCRIPT.EmptyOrHardcodedPassword
CWE-259 (Abap) Avoid hard-coded or in-comment credentials (username / password) in code OPT.ABAP.SEC.PasswordManagement
CWE-259 (ASP.NET) Password exposure in Web.config file. OPT.ASPNET.CredentialsMisconfiguration
CWE-259 (Cobol) Hardcoded passwords can compromise system security in a way that cannot be easily remedied OPT.COBOL.SEC.Cobol_HardcodedPassword
CWE-261 (Cobol) Avoid obscuring a password with a trivial encoding OPT.COBOL.SEC.Cobol_PasswordWithWeakCrypto
CWE-264 (Objective-C) Avoid using sudo programmatically OPT.OBJECTIVEC.AvoidSudo
CWE-271 (Objective-C) Avoid setuid() / setreuid() / setgid() / setregid() to change program privilege levels OPT.OBJECTIVEC.AvoidConfusingUserIdCalls
CWE-272 (RPG IV) Least privilege failure due to special authority granted. OPT.RPG4.SEC.SpecialAuthorityGranted
CWE-273 (C++) CERT C POS37: Ensure that privilege relinquishment is successful OPT.CPP.CERTC.POS37
CWE-284 (Java) Java access restriction subverted OPT.JAVA.SEC_JAVA.AccessibilitySubversionRule
CWE-285 (Java) Access Control – Anonymous LDAP Bind OPT.JAVA.SEC_JAVA.AnonymousLdapBindRule
CWE-285 (Javascript) Avoid posting cross-document messages with an overly permissive target origin. OPT.JAVASCRIPT.AvoidOverlyPermissiveMessagePosting
CWE-285 (Java) Dynamic method invocation in Struts 2 OPT.JAVA.SEC_JAVA.DynamicMethodInvocation
CWE-285 (Abap) Improper implementation of authorization check OPT.ABAP.SEC.BadAuthorizationCheck
CWE-285 (Abap) Authorization check must be done explicitly before CALL TRANSACTION. OPT.ABAP.SEC.NoAuthorizationCheckCallTransaction
CWE-285 (Abap) Authorization check must be done explicitly in RFC-enabled functions. OPT.ABAP.SEC.NoAuthorizationCheckRFC
CWE-285 (Abap) Authorization check must be done explicitly on SQL statements OPT.ABAP.SEC.NoAuthorizationCheckSQL
CWE-285 (ASP.NET) Do not use transport security mode in WCF. OPT.ASPNET.WCFTransportSecurity
CWE-285 (Abap) Any report must perform an authority check. OPT.ABAP.SEC.CheckAuthInAllPrograms
CWE-285 (C#) Access Control – Anonymous LDAP Bind. OPT.CSHARP.SEC.AnonymousLdapBind
CWE-287 (Javascript) Avoid posting cross-document messages with an overly permissive target origin. OPT.JAVASCRIPT.AvoidOverlyPermissiveMessagePosting
CWE-287 (Java) Use SOAP message authentication. OPT.JAVA.JAX.UseAuthenticatedSOAPMessages
CWE-288 (ASP.NET) Misconfiguration in authorization rules allowing HTTP Verb Tampering. OPT.ASPNET.HTTPVerbTampering
CWE-295 (Java) Avoid using HTTP instead of HTTPS. OPT.JAVA.JAX.UseSecuredTransportLayer
CWE-295 (ASP.NET) Untrusted certificate verification. OPT.ASPNET.CertificateVerificationMisconfiguration
CWE-295 (Objective-C) Do not bypass certificate validation failures. OPT.OBJECTIVEC.CertificateVerifyFailedBypass
CWE-296 (Java) Insecure SSL configuration OPT.JAVA.SEC_JAVA.InsecureSSL
CWE-297 (Java) Insecure SSL configuration OPT.JAVA.SEC_JAVA.InsecureSSL
CWE-298 (Java) Insecure SSL configuration OPT.JAVA.SEC_JAVA.InsecureSSL
CWE-299 (Java) Insecure SSL configuration OPT.JAVA.SEC_JAVA.InsecureSSL
CWE-300 (Abap) Insecure randomness – bad seed or insecure random generation in a sensitive context. OPT.ABAP.SEC.InsecureRandomness
CWE-302 (ASP.NET) Unprotected roles in cookies. OPT.ASPNET.UnprotectedRolesInCookies
CWE-310 (Java) Weak cryptography, insufficient key length OPT.JAVA.SEC_JAVA.InsufficientKeySizeRule
CWE-310 (C#) Weak cryptography, insufficient key length OPT.CSHARP.WeakKeySize
CWE-311 (Java) Use encrypted SOAP messages. OPT.JAVA.JAX.UseEncryptedSOAPMessages
CWE-311 (PHP) Do not use HTTP protocol to send sensitive data. OPT.PHP.HttpToSendData
CWE-311 (Objective-C) Avoid using HTTP instead of HTTPS. OPT.OBJECTIVEC.InsecureTransportLayer
CWE-311 (PHP) Weak cookies configuration. OPT.PHP.SessionCookieConfiguration
CWE-315 (Java) The application stores sensitive data in cookies without adequate encoding. OPT.JAVA.SEC_JAVA.PlaintextStorageInACookieRule
CWE-321 (C#) Hardcoded cryptographic keys. OPT.CSHARP.SEC.HardcodedCryptoKey
CWE-321 (PHP) Hardcoded cryptographic keys. OPT.PHP.HardcodedCryptoKey
CWE-325 (Java) Inadequate padding. OPT.JAVA.SEC_JAVA.InadequatePaddingRule
CWE-325 (C#) Insufficient RSA key length. OPT.CSHARP.WeakEncryption
CWE-326 (Java) A hardcoded salt can compromise system security. OPT.JAVA.SEC_JAVA.HardcodedSaltRule
CWE-326 (Javascript) An otherwise strong encryption algorithm is vulnerable to brute force attack when a small key size is used. OPT.JAVASCRIPT.InsuficientKeySize
CWE-327 (Java) The program uses a weak encryption algorithm that cannot guarantee the confidentiality of sensitive data. OPT.JAVA.SEC_JAVA.WeakEncryptionRule
CWE-327 (Javascript) A trivial encoding of a password does not protect it properly. OPT.JAVASCRIPT.WeakCryptography
CWE-327 (Javascript) Do not use weak encryption algorithms. OPT.JAVASCRIPT.WeakEncryption
CWE-327 (PHP) Weak encryption algorithm. OPT.PHP.WeakEncryptionAlgorithm
CWE-327 (Objective-C) Avoid weak encryption algorithms that cannot guarantee the confidentiality of sensitive data. OPT.OBJECTIVEC.WeakEncryption
CWE-327 (RPG IV) A weak encryption algorithm cannot guarantee data confidentiality OPT.RPG4.SEC.WeakEncryptionAlgorithm
CWE-327 (C#) Do not use weak symmetric encryption algorithms. OPT.CSHARP.WeakSymmetricEncryptionAlgorithm
CWE-327 (C#) Do not use weak modes of operation with symmetric encryption. OPT.CSHARP.WeakSymmetricEncryptionModeOfOperation
CWE-328 (Java) Weak cryptographic hashes cannot guarantee data integrity. OPT.JAVA.SEC_JAVA.WeakCryptographicHashRule
CWE-328 (Javascript) Weak cryptographic hashes cannot guarantee data integrity. OPT.JAVASCRIPT.WeakCryptographicHash
CWE-328 (Cobol) Weak cryptographic hashes cannot guarantee data integrity OPT.COBOL.SEC.WeakCryptoHash
CWE-328 (C#) Weak cryptographic hashes cannot guarantee data integrity. OPT.CSHARP.WeakCryptographicHash
CWE-328 (PHP) Use of weak cryptographic hash. OPT.PHP.WeakCryptographicHash
CWE-328 (RPG IV) Weak cryptographic hashes cannot guarantee data integrity OPT.RPG4.SEC.WeakCryptoHash
CWE-328 (Objective-C) Weak cryptographic hashes cannot guarantee data integrity. OPT.OBJECTIVEC.WeakCryptographicHash
CWE-328 (Abap) Weak cryptographic hashes cannot guarantee data integrity. OPT.ABAP.SEC.WeakHashAlgorithm
CWE-330 (Java) Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.JAVA.SEC_JAVA.InsecureRandomnessRule
CWE-330 (Javascript) Do not use an easy-to-guess Web SQL database name. OPT.JAVASCRIPT.EasyToGuestDatabaseName
CWE-330 (Javascript) Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.JAVASCRIPT.InsecureRandomness
CWE-330 (C#) Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.CSHARP.InsecureRandomness
CWE-330 (PHP) Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.PHP.InsecureRandomness
CWE-338 (Java) Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.JAVA.SEC_JAVA.InsecureRandomnessRule
CWE-338 (Javascript) Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.JAVASCRIPT.InsecureRandomness
CWE-338 (C#) Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.CSHARP.InsecureRandomness
CWE-338 (Abap) Insecure randomness – bad seed or insecure random generation in a sensitive context. OPT.ABAP.SEC.InsecureRandomness
CWE-338 (PHP) Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.PHP.InsecureRandomness
CWE-345 (Java) JSON Injection OPT.JAVA.SEC_JAVA.JSONInjection
CWE-345 (C#) Prevent over-posting attacks in model definition OPT.CSHARP.MVCPreventOverpostingModelDefinition
CWE-345 (C#) Prevent under-posting attacks in model composition. OPT.CSHARP.MVCPreventUnderpostingModelComposition
CWE-345 (C#) Prevent under-posting attacks in model definition OPT.CSHARP.MVCPreventUnderpostingModelDefinition
CWE-345 (Objective-C) Avoid using non-neutralized user-controlled input in JSON entities. OPT.OBJECTIVEC.JSONInjection
CWE-346 (Java) Too many allowed origins in HTML5 Access-Control-Allow-Origin header. OPT.JAVA.SEC_JAVA.TooMuchOriginsAllowedRule
CWE-346 (ASP.NET) CORS policy (Cross-origin resource sharing) too broad. OPT.ASPNET.TooBroadCORSPolicy
CWE-346 (PHP) CORS policy (Cross-origin resource sharing) too broad. OPT.PHP.TooBroadCORSPolicy
CWE-350 (Java) Avoid checks on the client-side hostname, which are not reliable due to DNS poisoning. OPT.JAVA.SEC_JAVA.AvoidHostNameChecksRule
CWE-352 (Java) Cross-site request forgery (CSRF) OPT.JAVA.SEC_JAVA.CrossSiteRequestForgeryRule
CWE-352 (Javascript) HTTP requests must contain a user-specific secret. OPT.JAVASCRIPT.CrossSiteRequestForgery
CWE-352 (C#) Execution of an action on user behalf in a previously authenticated web site (cross-site request forgery, CSRF) OPT.CSHARP.CrossSiteRequestForgery
CWE-352 (C#) Restrict allowed HTTP verbs for state-change operations in MVC controllers. OPT.CSHARP.MVCPostInControllers
CWE-352 (PHP) Execution of an action on user behalf in a previously authenticated web site (cross-site request forgery, CSRF) OPT.PHP.CrossSiteRequestForgery
CWE-358 (Java) Methods that perform a security check must be declared private or final OPT.JAVA.SEC_JAVA.SecurityCheckInOverridableMethodRule
CWE-358 (Java) Not overridable method OPT.JAVA.SEC_JAVA.NotOverridableMethodRule
CWE-359 (Java) Password Management – Password in Redirect. OPT.JAVA.SEC_JAVA.PasswordInRedirectRule
CWE-359 (Javascript) Avoid mishandling private user information. OPT.JAVASCRIPT.PrivacyViolation
CWE-359 (Cobol) Avoid output of information that could violate privacy regulations, unless explicitly permitted OPT.COBOL.SEC.Cobol_PrivacyViolation
CWE-359 (Java) Inadequate backup configuration. OPT.JAVA.ANDROID.PreventBackupVulnerability
CWE-359 (HTML) Password in GET FORM. OPT.HTML.PasswordInHttpGet
CWE-359 (PHP) Exposure of Private Information. OPT.PHP.PrivacyViolation
CWE-362 (Java) Race condition with non thread-safe object fields. OPT.JAVA.SEC_JAVA.RaceConditionFormatFlaw
CWE-363 (C++) CERT C POS35: Avoid race conditions while checking for the existence of a symbolic link OPT.CPP.CERTC.POS35
CWE-367 (C++) CERT C FIO01: Be careful using functions that use file names for identification OPT.CPP.CERTC.FIO01
CWE-367 (Objective-C) Use safe file access POSIX functions OPT.OBJECTIVEC.AvoidUnsafeFileFunctions
CWE-374 (Java) Do not directly return or store references to mutable members. OPT.JAVA.DoNotReturnStoreMutableMembers
CWE-375 (Java) Do not directly return or store references to mutable members. OPT.JAVA.DoNotReturnStoreMutableMembers
CWE-377 (C#) Temporary files not deleted. OPT.CSHARP.SEC.TemporaryFilesLeft
CWE-379 (C++) CERT C FIO43: Do not create temporary files in shared directories OPT.CPP.CERTC.FIO43
CWE-382 (Java) Avoid JVM shutdown code in EJB. OPT.JAVA.SEC_JAVA.AvoidEJBJVMShutdown
CWE-382 (Java) Avoid JVM shutdown code in J2EE applications. OPT.JAVA.SEC_JAVA.AvoidJ2EEJvmExit
CWE-383 (Java) Avoid explicit thread management in EJB. OPT.JAVA.SEC_JAVA.AvoidEJBExplicitThreadManagement
CWE-383 (Java) Avoid explicit thread management in J2EE applications. OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitThreadManagement
CWE-384 (Java) Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE-388 (ASP.NET) Audit of security events misconfiguration in WCF. OPT.ASPNET.WCFAuditMisconfiguration
CWE-390 (C#) Avoid empty catch blocks. OPT.CSHARP.Csharp.AvoidEmptyCatchBlock
CWE-391 (Java) Unhandled SSL exception. OPT.JAVA.SEC_JAVA.UnhandledSSLExceptionRule
CWE-391 (Cobol) Ignoring error conditions may allow an attacker to induce unexpected behavior unnoticed. OPT.COBOL.SEC.PoorErrorHandling
CWE-391 (RPG IV) Ignoring error conditions may allow an attacker to induce unexpected behavior unnoticed. OPT.RPG4.SEC.PoorErrorHandling
CWE-395 (C#) Normally an exception of type NullReferenceException should not be caught. OPT.CSHARP.AvoidNullReferenceException
CWE-396 (C#) Do not catch general exception types. OPT.CSHARP.Csharp.DoNotCatchGeneralExceptionTypes
CWE-398 (Javascript) The Content-Length header should not have a negative value. OPT.JAVASCRIPT.AvoidNegativeContentLenght
CWE-398 (C#) Using Console.Out or Console.Error rather than a dedicated log interface makes it more difficult to monitor the behavior of the software. OPT.CSHARP.AvoidSystemOutputStream
CWE-400 (Java) Use signed SOAP messages. OPT.JAVA.JAX.UseSignedSOAPMessages
CWE-401 (Cobol) Potential dynamic storage area leak OPT.COBOL.SEC.DynamicStorageLeakRule
CWE-401 (RPG IV) Check that allocated memory is properly freed. OPT.RPG4.REL.AllocHeapMisuse
CWE-404 (C#) Unreleased database resource OPT.CSHARP.ResourceLeakDatabase
CWE-404 (C#) Unreleased stream resource OPT.CSHARP.ResourceLeakStream
CWE-404 (C#) Unreleased LDAP resource. OPT.CSHARP.ResourceLeakLdap
CWE-404 (C#) Unreleased unmanaged resource OPT.CSHARP.ResourceLeakUnmanaged
CWE-415 (C++) CERT C MEM00: Allocate and free memory in the same module at the same level of abstraction OPT.CPP.CERTC.MEM00
CWE-415 (C++) CERT C MEM31: Free dynamically allocated memory exactly once OPT.CPP.CERTC.MEM31
CWE-415 (RPG IV) Check that allocated memory is properly freed. OPT.RPG4.REL.AllocHeapMisuse
CWE-416 (C++) CERT C MEM00: Allocate and free memory in the same module at the same level of abstraction OPT.CPP.CERTC.MEM00
CWE-416 (C++) CERT C MEM30: Do not access freed memory OPT.CPP.CERTC.MEM30
CWE-416 (RPG IV) Check that allocated memory is properly freed. OPT.RPG4.REL.AllocHeapMisuse
CWE-426 (C#) Do not hardcode absolute paths. OPT.CSHARP.HardcodedAbsolutePath
CWE-434 (C#) Dangerous file upload. OPT.CSHARP.SEC.DangerousFileUpload
CWE-434 (HTML) File upload enabled. OPT.HTML.FileUploadEnabled
CWE-434 (PHP) Dangerous file upload. OPT.PHP.DangerousFileUpload
CWE-449 (C#) Implement Dispose method provided by IDisposable interface. OPT.CSHARP.Csharp.ImplementIDisposableWithFinalize
CWE-457 (C++) CERT C EXP33: Do not reference uninitialized memory OPT.CPP.CERTC.EXP33
CWE-459 (C#) Call the Dispose method of fields that implement System.IDisposable. OPT.CSHARP.Csharp.DisposableFieldsShouldBeDisposed
CWE-459 (C#) Dispose objects before losing scope. OPT.CSHARP.Csharp.DisposeObjectsBeforeLosingScope
CWE-467 (C++) CERT C ARR01: Do not apply the sizeof operator to a pointer when taking the size of an array OPT.CPP.CERTC.ARR01
CWE-467 (C++) CERT C EXP01: Do not take the size of a pointer to determine the size of the pointed-to type OPT.CPP.CERTC.EXP01
CWE-470 (Java) External control over reflection OPT.JAVA.SEC_JAVA.UnsafeReflection
CWE-470 (Java) Activities extending PreferenceActivity should not be exported. OPT.JAVA.ANDROID.ExportedPreferenceActivity
CWE-470 (Objective-C) Avoid external control over performSelector. OPT.OBJECTIVEC.PerformSelectorWithUntrustedData
CWE-470 (C#) External control over reflection. OPT.CSHARP.SEC.UnsafeReflection
CWE-473 (PHP) External variable modification. OPT.PHP.ExternalVariableModification
CWE-476 (Javascript) Avoid accessing unreliable variable properties. OPT.JAVASCRIPT.AvoidAccesingUnreliableVariableProperties
(C++) CERT C EXP34: Ensure a null pointer is not dereferenced OPT.CPP.CERTC.EXP34
(C++) CERT C MEM32: Detect and handle memory allocation errors OPT.CPP.CERTC.MEM32
(C#) Avoid null dereferences OPT.CSHARP.NullDereference
CWE-479 (C++) CERT C SIG30: Call only asynchronous-safe functions within signal handlers OPT.CPP.CERTC.SIG30
(C++) CERT C SIG32: Do not call longjmp() from inside a signal handler OPT.CPP.CERTC.SIG32
CWE-488 (Abap) Do not bypass SAP client separation mechanism OPT.ABAP.SEC.CrossClientDatabaseAccess
(Abap) Hardcoded SAP client check (sy-mandt). OPT.ABAP.SEC.HardcodedClientCheck
CWE-489 (Java) Avoid leftover debug code in J2EE applications. OPT.JAVA.SEC_JAVA.AvoidJ2EELeftoverDebugCode
(Abap) Remove BREAK-POINT statements from production code. OPT.ABAP.APBR.NoBreakPointStatements
(Abap) Avoid development/test backdoors in production code OPT.ABAP.SEC.Backdoors
(PHP) CakePHP framework weak configuration. OPT.PHP.CakePHPConfiguration
(RPG IV) Do not use DEBUG in control-specification statements. OPT.RPG4.AvoidDebugControlSentences
(RPG IV) Information Exposure Through Debug Information OPT.RPG4.SEC.NoActiveDebugRule
(ASP.NET) Avoid enabling WCF debug information. OPT.ASPNET.WCFAvoidEnabledDebug
(C#) Main() method not allowed in web application. OPT.CSHARP.SEC.MainMethodInWebApplication
CWE-494 (Java) Library loaded from untrusted source OPT.JAVA.SEC_JAVA.ProcessControlRule
(C#) Avoid using non-neutralized user-controlled input when creating XSL stylesheets OPT.CSHARP.XSLTInjection
(Objective-C) Avoid external control over performSelector. OPT.OBJECTIVEC.PerformSelectorWithUntrustedData
(C#) Do not load executables or libraries from untrusted sources. OPT.CSHARP.SEC.ProcessControl
CWE-497 (Java) Do not send detail error information to client. OPT.JAVA.SEC_JAVA.DetailErrorLeakRule
(ASP.NET) Trace information enabled and remotely accessible. OPT.ASPNET.TraceEnabled
(Cobol) Avoid dumping system info (typically for debugging) in production code OPT.COBOL.SEC.Cobol_SystemInformationLeak
(C#) System or debugging information exposure. OPT.CSHARP.SystemInformationLeak
(C#) Remove ASP.NET MVC version from HTTP headers OPT.CSHARP.MVCRemoveVersionHeader
CWE-499 (Java) Avoid exposing sensitive data into a serializable class. OPT.JAVA.SEC_JAVA.SerializableClassContainingSensitiveData
CWE-501 (Java) Trust boundary violation. OPT.JAVA.SEC_JAVA.TrustBoundaryViolationRule
(Javascript) Avoid transferring data between localStorage and sessionStorage as it can expose confidential information. OPT.JAVASCRIPT.AvoidTransferValuesLocalSessionStorage
(Javascript) Do not use JavaScript to transport sensitive data. OPT.JAVASCRIPT.HijackingAdHocAjax
(C#) Trust boundary violation. OPT.CSHARP.SEC.TrustBoundaryViolation
CWE-502 (PHP) Deserialization of untrusted data. OPT.PHP.SerializationInjection
CWE-525 (HTML) Autocomplete enabled for sensitive form fields. OPT.HTML.AutocompleteOnForSensitiveFields
CWE-532 (Java) Avoid exposing sensitive information through logs. OPT.JAVA.SEC_JAVA.InformationExposureThroughDebugLog
CWE-539 (Java) Generate server-side cookies with adequate security properties. OPT.JAVA.SEC_JAVA.UnsafeCookieRule
(PHP) Weak cookies configuration. OPT.PHP.CookiesConfiguration
(C#) Generate server-side cookies with adequate security properties. OPT.CSHARP.SEC.UnsafeCookie
(PHP) Weak cookies configuration. OPT.PHP.SessionCookieConfiguration
CWE-544 (C#) Missing standard error handling (ASP.Net). OPT.CSHARP.SEC.MissingStandardErrorHandling
CWE-548 (ASP.NET) Directory Browsing enabled OPT.ASPNET.DirectoryBrowsing
CWE-552 (Java) File disclosure in server-side J2EE forward/include. OPT.JAVA.SEC_JAVA.J2eeFileDisclosureRule
CWE-561 (Python) Statements after a jump are dead code. OPT.PYTHON.MAINTAINABILITY.RemoveStatementsAfterJump
(Python) Avoid dead code. OPT.PYTHON.MAINTAINABILITY.DeadCode
(Python) Avoid unreachable code. OPT.PYTHON.RELIABILITY.UnreachableCode
CWE-566 (Cobol) Check user input used in SQL queries OPT.COBOL.SEC.Cobol_AccessControlDatabase
(Java) Avoid queries in the database except from the specific classes. OPT.JAVA.SEC_JAVA.DatabaseAccessControlRule
(RPG IV) Check user input used in SQL queries OPT.RPG4.SEC.UnexpectedKeySelect
CWE-567 (Java) Static database connection / session. OPT.JAVA.SEC_JAVA.StaticDatabaseConnection
CWE-574 (Java) Avoid use of synchronization primitives in EJB. OPT.JAVA.SEC_JAVA.AvoidEJBSynchronizationPrimitives
CWE-575 (Java) Avoid usage of AWT / Swing in EJB. OPT.JAVA.SEC_JAVA.AvoidEJBAWTSwing
CWE-576 (Java) Avoid usage of java.io in EJB. OPT.JAVA.SEC_JAVA.AvoidEJBJavaIo
CWE-577 (Java) Avoid explicit (server) socket usage. OPT.JAVA.SEC_JAVA.AvoidEJBExplicitServerSocket
CWE-578 (Java) Avoid changing the input, output, and error streams in EJB. OPT.JAVA.SEC_JAVA.AvoidEJBRedirectStreams
(Java) Avoid setting context ClassLoader in EJB. OPT.JAVA.SEC_JAVA.AvoidEJBSetClassLoader
(Java) Avoid setting system SecurityManager in EJB. OPT.JAVA.SEC_JAVA.AvoidEJBSetSecurityManager
CWE-579 (Java) Avoid non-serializable objects stored in session in J2EE applications. OPT.JAVA.SEC_JAVA.AvoidJ2EENonSerializableObjectsStored
CWE-581 (C#) Any type that overrides GetHashCode method should also override Equals method. OPT.CSHARP.Csharp.OverridingEqualsAndGetHashCode
CWE-590 (C++) CERT C MEM34: Only free memory allocated dynamically OPT.CPP.CERTC.MEM34
CWE-601 (Java) URL Redirection to Untrusted Site (Open Redirect) OPT.JAVA.SEC_JAVA.OpenRedirectRule
(Javascript) Do not allow unvalidated input to control the URL used in a redirect. OPT.JAVASCRIPT.OpenRedirect
(Abap) URL redirection to untrusted site (Open Redirect) OPT.ABAP.SEC.OpenRedirect
(C#) Avoid using unvalidated input to build the URL used in a redirect. OPT.CSHARP.OpenRedirect
(PHP) Avoid using unvalidated input to build the URL used in a redirect. OPT.PHP.OpenRedirect
(Objective-C) Avoid using unvalidated input to build the URL used in a redirect. OPT.OBJECTIVEC.OpenRedirect
CWE-606 (Abap) Use WHILE instead of unconditional DO loops. OPT.ABAP.APFR.SuggestWhileInsteadOfDo
CWE-611 (Java) XML entity injection. OPT.JAVA.SEC_JAVA.XmlEntityInjectionRule
(Objective-C) Avoid XML entity injection. OPT.OBJECTIVEC.XMLEntityInjection
CWE-613 (Java) Check that the session expiration interval is positive and does not exceed a limit. OPT.JAVA.SEC_JAVA.InsufficientSessionExpirationRule
(Java) Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
(PHP) CakePHP framework weak configuration. OPT.PHP.CakePHPConfiguration
(ASP.NET) Set expiration timeout for authentication cookies OPT.ASPNET.FormsAuthenticacionTimeout
CWE-614 (Java) Generate server-side cookies with adequate security properties. OPT.JAVA.SEC_JAVA.UnsafeCookieRule
(ASP.NET) Send Cookies using SSL. OPT.ASPNET.AvoidSendCookiesWithoutSSL
(C#) A cookie is created without requiring SSL. OPT.CSHARP.CookieSecurityOverSSL
(PHP) Weak cookies configuration. OPT.PHP.CookiesConfiguration
(PHP) Zend framework session management configuration. OPT.PHP.ZendConfiguration
(Objective-C) Avoid creating cookies without security attributes. OPT.OBJECTIVEC.CookieWithoutSSL
CWE-615 (Java) Hardcoded passwords can compromise system security in a way that cannot be easily remedied. OPT.JAVA.SEC_JAVA.PasswordInCommentRule
(Javascript) Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security OPT.JAVASCRIPT.PasswordInComments
(Abap) Avoid hard-coded or in-comment credentials (username / password) in code OPT.ABAP.SEC.PasswordManagement
(Cobol) Avoid placing passwords and other sensitive info in code comments OPT.COBOL.SEC.Cobol_PasswordInComment
(PHP) Use of empty or hardcoded password, or storing password in comments. OPT.PHP.PasswordManagement
CWE-628 (Cobol) Parameter mismatch in CALL OPT.COBOL.SEC.CallParameterMismatch
(C++) CERT C MEM08: Use realloc() only to resize dynamically allocated arrays OPT.CPP.CERTC.MEM08
(RPG IV) Parameter mismatch in call OPT.RPG4.REL.CallParameterMismatch
CWE-639 (Cobol) Check user input used in DL/I (IMS) queries OPT.COBOL.SEC.Cobol_AccessControlDLI
(Cobol) Do not allow user input to control fields of MQSeries descriptor OPT.COBOL.SEC.Cobol_AccessControlMQ
(RPG IV) A record UPDATE or DELETE operation must be preceded by a record read operation (CHAIN or READxxx) OPT.RPG4.SEC.ReadRecordBeforeUpdateDelete
CWE-642 (Abap) Inadequate usage of ABAP System field OPT.ABAP.SEC.OverwriteSystemFields
CWE-643 (Java) Avoid XPath expressions formed with non-neutralized user input. OPT.JAVA.SEC_JAVA.XPathInjectionRule
(C#) Avoid non-neutralized user-controlled input in XPath location paths OPT.CSHARP.XPathInjection
(PHP) Avoid non-neutralized user-controlled input in XPath location paths OPT.PHP.XPathInjection
(Objective-C) Avoid XPath expressions formed with non-neutralized user input. OPT.OBJECTIVEC.XPathInjection
CWE-652 (C#) Avoid using non-neutralized user-controlled input when creating XQuery expressions OPT.CSHARP.XQueryInjection
CWE-653 (Abap) Hardcoded System ID check (sy-sysid). OPT.ABAP.SEC.HardcodedSystemIdCheck
CWE-676 (Abap) Do not call system / kernel functions from ABAP application code. OPT.ABAP.AGR.CallSysFunction
(PHP) Use of potentially dangerous function. OPT.PHP.UnsafeFunction
CWE-682 (C++) CERT C INT13: Use bitwise operators only on unsigned operands OPT.CPP.CERTC.INT13
CWE-684 (C++) CERT C PRE09: Do not replace secure functions with less secure functions OPT.CPP.CERTC.PRE09
(Objective-C) Do not replace secure functions with less secure functions OPT.OBJECTIVEC.ReplaceWithLessSecureFunc
CWE-691 (Cobol) Avoid ALTER. OPT.COBOL.SEC.AvoidAlter
CWE-693 (ASP.NET) No clickjacking protection configured. OPT.ASPNET.ClickjackingProtection
CWE-696 (C++) CERT C POS36: Observe correct revocation order while relinquishing privileges OPT.CPP.CERTC.POS36
CWE-705 (C++) CERT C ENV32: No atexit handler should terminate in any way other than by returning OPT.CPP.CERTC.ENV32
CWE-710 (RPG IV) Do not use GOTO / TAG, CABXX and COMP statements. OPT.RPG4.AvoidDangerousConditionalSentences
CWE-724 (Java) Acegi Misconfiguration – Run-As Authentication Replacement OPT.JAVA.SEC_JAVA.AcegiRunAsAuthenticationReplacementRule
CWE-730 (Javascript) An attacker could cause the program to become unavailable to legitimate users. OPT.JAVASCRIPT.DenialOfService
CWE-749 (Java) Enabling JavaScript is not recommended. OPT.JAVA.ANDROID.JavascriptEnabled
(Java) Potential code injection via WebView.addJavaScriptInterface(). OPT.JAVA.ANDROID.JavascriptInterfaceAnnotation
CWE-754 (C#) Ignoring the result of a method may cause the software to overlook unexpected states or conditions. OPT.CSHARP.UncheckedReturnValue
CWE-759 (Objective-C) Weak cryptographic hashes cannot guarantee data integrity. OPT.OBJECTIVEC.WeakCryptographicHash
CWE-760 (PHP) Use of hardcoded salt. OPT.PHP.HardcodedSalt
(Objective-C) Weak cryptographic hashes cannot guarantee data integrity. OPT.OBJECTIVEC.WeakCryptographicHash
CWE-776 (Java) XML entity injection. OPT.JAVA.SEC_JAVA.XmlEntityInjectionRule
(Objective-C) Avoid XML entity injection. OPT.OBJECTIVEC.XMLEntityInjection
CWE-778 (Abap) Include audit fields in custom tables. OPT.ABAP.ASR.ControlFieldsClientTables
(ASP.NET) Audit of security events misconfiguration in WCF. OPT.ASPNET.WCFAuditMisconfiguration
CWE-780 (C#) Use proper padding for cryptographic operations with RSA. OPT.CSHARP.SEC.ProperPaddingWithPublicKeyCrypto
CWE-784 (Java) Untrusted cookies used in a security decision. OPT.JAVA.SEC_JAVA.CookiesInSecurityDecision
CWE-798 (Javascript) Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied. OPT.JAVASCRIPT.EmptyOrHardcodedPassword
(Java) Hardcoded username / password. OPT.JAVA.SEC_JAVA.HardcodedUsernamePassword
(Abap) Avoid hard-coded or in-comment credentials (username / password) in code OPT.ABAP.SEC.PasswordManagement
(Python) Avoid hardcoding sensitive authorization data. OPT.PYTHON.SECURITY.HardcodedAuthData
(C#) Use of hard-coded credentials. OPT.CSHARP.SEC.HardcodedCredential
CWE-807 (ASP.NET) If Forms authentication is used, send the authentication information over SSL. OPT.ASPNET.AuthenticationFormsWithoutSSL
(ASP.NET) A misconfiguration makes session hijacking attacks easier. OPT.ASPNET.SessionHijackingMisconfiguration
(C#) An attacker could replace the DNS entries. OPT.CSHARP.OftenMisusedAuthentication
CWE-813 (Abap) Avoid queries on sensitive tables from ABAP code. OPT.ABAP.ASR.SecuritySelectTables
(Abap) SQL Bad Practices – Direct Update OPT.ABAP.SEC.DirectUpdate
CWE-823 (Cobol) Avoid pointer arithmetic in Cobol OPT.COBOL.SEC.PointerArithmetic
(RPG IV) Avoid pointer arithmetic in RPG OPT.RPG4.SEC.PointerArithmetic
CWE-824 (Cobol) Access of uninitialized pointer OPT.COBOL.SEC.IllegalValuesForPointers
CWE-862 (Abap) Avoid calling transactions that belong to a certain module. OPT.ABAP.AGR.CallTx
(C#) Protect public methods that are not action methods in controllers OPT.CSHARP.MVCNonActionPublicMethods
CWE-863 (ASP.NET) Dangerous application setting. OPT.ASPNET.DangerousAppSetting
CWE-916 (Objective-C) Weak cryptographic hashes cannot guarantee data integrity. OPT.OBJECTIVEC.WeakCryptographicHash
CWE-917 (JSP) Expression Language (EL / OGNL) injection OPT.JSP.SEC_JSP.ExpressionLanguageInjection
CWE-918 (Java) Server-Side Request Forgery (SSRF) OPT.JAVA.SEC_JAVA.ServerSideRequestForgeryRule
(C#) Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) OPT.CSHARP.ServerSideRequestForgery
(PHP) Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) OPT.PHP.ServerSideRequestForgery
CWE-927 (Java) Avoid Sticky Broadcasts OPT.JAVA.ANDROID.AndroidStickyBroadcast
CWE-939 (Objective-C) Verify invoker application identity. OPT.OBJECTIVEC.URLSchemesHandling