-
Insecure Interaction Between Components
-
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Mission/Business Risk
-
Common Attack Pattern Enumeration & Classification
- CAPEC-6: TCP Header
- CAPEC-15: Command Delimiters
- CAPEC-43: Exploiting Multiple Input Interpretation Layers
- CAPEC-88: OS Command Injection
- CAPEC-108: Command Line Execution through SQL Injection
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- ENV03-C: Sanitize the environment when invoking external programs
- ENV04-C: Do not call system() if you do not need a command processor
- STR02-C: Sanitize data passed to complex subsystems
- IDS07-J: Do not pass untrusted, unsanitized data to the Runtime.exec() method
- STR02-CPP: Sanitize data passed to complex subsystems
- ENV03-CPP: Sanitize the environment when invoking external programs
- ENV04-CPP: Do not call system() if you do not need a command processor
-
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Mission/Business Risk
-
Common Attack Pattern Enumeration & Classification
- CAPEC-18: Embedding Scripts in Nonscript Elements
- CAPEC-19: Embedding Scripts within Scripts
- CAPEC-32: Embedding Scripts in HTTP Query Strings
- CAPEC-63: Simple Script Injection
- CAPEC-85: Client Network Footprinting (using AJAX/XSS)
- CAPEC-86: Embedding Script (XSS) in HTTP Headers
- CAPEC-91: XSS in IMG Tags
- CAPEC-106: Cross-Site Scripting through Log Files
- CAPEC-198: Cross-Site Scripting in Error Pages
- CAPEC-199: Cross-Site Scripting Using Alternate Syntax
- CAPEC-209: Cross-Site Scripting Using MIME Type Mismatch
- CAPEC-232: Exploitation of Privilege/Trust
- CAPEC-243: Cross-Site Scripting in Attributes
- CAPEC-244: Cross-Site Scripting via Encoded URI Schemes
- CAPEC-245: Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript
- CAPEC-246: Cross-Site Scripting Using Flash
- CAPEC-247: Cross-Site Scripting with Masking through Invalid Characters in Identifiers
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-7: Blind SQL Injection
- CAPEC-66: SQL Injections
- CAPEC-108: Command Line Execution through SQL Injection
- CAPEC-109: Object Relational Mapping Injection
- CAPEC-110: SQL Injection through SOAP Parameter Tampering
- CAPEC-470: Expanding Control over the OS from the Database
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
CWE-352: Cross-Site Request Forgery (CSRF)
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-62: Cross Site Request Forgery (aka Session Riding)
- CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
- CAPEC-452: Cross-Domain Search Timing
- CAPEC-467: Cross Site Identification
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
CWE-434: Unrestricted Upload of File with Dangerous Type
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
- CAPEC-122: Exploitation of Authorization
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-194: Fake the Source of Data
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
Risky Resource Management
-
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-23: File System Function Injection, Content Based
- CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
- CAPEC-76: Manipulating Input to File System Calls
- CAPEC-78: Using Escaped Slashes in Alternate Encoding
- CAPEC-79: Using Slashes in Alternate Encoding
- CAPEC-139: Relative Path Traversal
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing & Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- FIO02-C: Canonicalize path names originating from untrusted sources
- FIO02-CPP: Canonicalize path names originating from untrusted sources
-
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-8: Buffer Overflow in an API Call
- CAPEC-9: Buffer Overflow in Local Command-Line Utilities
- CAPEC-10: Buffer Overflow via Environment Variables
- CAPEC-14: Client-side Injection-Induced Buffer Overflow
- CAPEC-24: Filter Failure through Buffer Overflow
- CAPEC-42: MIME Conversion
- CAPEC-44: Overflow Binary Resource File
- CAPEC-45: Buffer Overflow via Symbolic Links
- CAPEC-46: Overflow Variables and Tags
- CAPEC-47: Buffer Overflow via Parameter Expansion
- CAPEC-67: String Format Overflow in syslog()
- CAPEC-92: Forced Integer Overflow
- CAPEC-100: Overflow Buffers
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing & Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- STR35-C: Do not copy data from an unbounded source to a fixed-length array
- STR35-CPP: Do not copy data from an unbounded source to a fixed-length array
-
CWE-131: Incorrect Calculation of Buffer Size
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-47: Buffer Overflow via Parameter Expansion
- CAPEC-100: Overflow Buffers
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing & Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- MEM35-C: Allocate sufficient memory for an object
- MEM35-CPP: Allocate sufficient memory for an object
-
CWE-134: Uncontrolled Format String
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-67: String Format Overflow in syslog()
- CAPEC-135: Format String Injection
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing & Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- FIO30-C: Exclude user input from format strings
- IDS06-J: Exclude user input from format strings
- FIO30-CPP: Exclude user input from format strings
-
CWE-190: Integer Overflow or Wraparound
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-92: Forced Integer Overflow
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing & Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- INT03-C: Use a secure integer library
- INT30-C: Ensure that unsigned integer operations do not wrap
- INT32-C: Ensure that operations on signed integers do not result in overflow
- INT35-C: Evaluate integer expressions in a larger size before comparing or assigning to that size
- MEM07-C: Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t
- MEM35-C: Allocate sufficient memory for an object
- INT03-CPP: Use a secure integer library
- INT30-CPP: Ensure that unsigned integer operations do not wrap
- INT32-CPP: Ensure that operations on signed integers do not result in overflow
- INT35-CPP: Evaluate integer expressions in a larger size before comparing or assigning to that size
- MEM07-CPP: Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t
- MEM35-CPP: Allocate sufficient memory for an object
-
CWE-494: Download of Code Without Integrity Check
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-184: Software Integrity Attack
- CAPEC-185: Malicious Software Download
- CAPEC-186: Malicious Software Update
- CAPEC-187: Malicious Automated Software Update
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- SEC06-J: Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
-
CWE-676: Use of Potentially Dangerous Function
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-113: API Abuse/Misuse
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- ERR07-C: Prefer functions that support error checking over equivalent functions that don't
- FIO01-C: Be careful using functions that use file names for identification
- INT06-C: Use strtol() or a related function to convert a string token to an integer
- INT06-CPP: Use strtol() or a related function to convert a string token to an integer
- FIO01-CPP: Be careful using functions that use file names for identification
-
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
- CAPEC-101: Server Side Include (SSI) Injection
- CAPEC-103: Clickjacking
- CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
- CAPEC-175: Code Injection
- CAPEC-181: Flash File Overlay
- CAPEC-184: Software Integrity Attacks
- CAPEC-185: Malicious Software Download
- CAPEC-193: PHP Remote File Inclusion
- CAPEC-222: iFrame Overlay
- CAPEC-251: Local File Inclusion
- CAPEC-252: PHP Local File Inclusion
- CAPEC-253: Remote Code Inclusion
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
Porous Defenses
-
CWE-250: Execution with Unnecessary Privileges
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-69: Target Programs with Elevated Privileges
- CAPEC-104: Cross Zone Scripting
- CAPEC-470: Expanding Control over the OS from the Database
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- SER09-J: Minimize privileges before deserializing from a privilege context
-
CWE-306: Missing Authentication for Critical Functions
- Mission/Business Risk
-
Common Attack Pattern Enumeration & Classification
- CAPEC-12: Choosing a Message/Channel Identifier on a Public/Multicast Channel
- CAPEC-36: Using Unpublished Web Service APIs
- CAPEC-40: Manipulating Writeable Terminal Devices
- CAPEC-62: Cross Site Request Forgery (aka Session Riding)
- CAPEC-225: Exploitation of Authentication
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
CWE-307: Improper Restriction of Excessive Authentication Attempts
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-16: Dictionary-based Password Attack
- CAPEC-49: Password Brute Forcing
- CAPEC-55: Rainbow Table Password Cracking
- CAPEC-70: Try Common (default) Usernames & Passwords
- CAPEC-112: Brute Force
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
CWE-311: Missing Encryption of Sensitive Data
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
- CAPEC-37: Lifting Data Embedded in Client Distributions
- CAPEC-65: Passively Sniff and Capture Application Code Bound for Authorized Client
- CAPEC-117: Data Interception Attacks
- CAPEC-155: Screen Temporary Files for Sensitive Information
- CAPEC-157: Sniffing Attacks
- CAPEC-167: Lifting Sensitive Data from the Client
- CAPEC-204: Lifting cached, sensitive data embedded in client distributions (thick or thin)
- CAPEC-205: Lifting credential(s)/key material embedded in client distributions (thick or thin)
- CAPEC-258: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update
- CAPEC-259: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching
- CAPEC-260: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Initial Distribution
- CAPEC-383: Harvesting Usernames or UserIDs via Application API Event Monitoring
- CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
- CAPEC-385: Transaction or Event Tampering via Application API Manipulation
- CAPEC-386: Application API Navigation Remapping
- CAPEC-387: Navigation Remapping to Propagate Malicious Content
- CAPEC-388: Application API Button Hijacking
- CAPEC-389: Content Spoofing via Application API Manipulation
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- MSC00-J: Use SSLSocket rather than Socket for secure data exchange
-
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-20: Encryption Brute Force
- CAPEC-97: Cryptanalysis
- CAPEC-459: Creating a Rogue Certificate Authority Certificate
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- MSC02-J: Generate strong random numbers
- MSC30-CPP: Do not use the rand() function for generating pseudorandom numbers
- MSC32-CPP: Ensure your random number generator is properly seeded
-
CWE-732: Incorrect Permission Assignment for Critical Resource
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
- CAPEC-17: Accessing, Modifying or Executing Executable Files
- CAPEC-60: Reusing Session IDs (aka Session Replay)
- CAPEC-61: Session Fixation
- CAPEC-62: Cross Site Request Forgery (aka Session Riding)
- CAPEC-122: Exploitation of Authorization
- CAPEC-127: Directory Indexing
- CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
- CAPEC-232: Exploitation of Privilege/Trust
- CAPEC-234: Hijacking a privileged process
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- FIO03-J: Create files with appropriate access permission
- SEC01-J: Do not allow tainted variables in privileged blocks
- ENV03-J: Do not grant dangerous combinations of permissions
- FIO06-CPP: Create files with appropriate access permissions
- FIO06-C: Create files with appropriate access permissions
-
CWE-759: Use of a One-Way Hash without a Salt
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-20: Encryption Brute Forcing
- CAPEC-55: Rainbow Table Password Cracking
- CAPEC-97: Cryptanalysis
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
CWE-798: Use of Hard-coded Credentials
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-70: Try Common (default) Usernames and Passwords
- CAPEC-188: Reverse Engineering
- CAPEC-189: Software Reverse Engineering
- CAPEC-190: Reverse Engineering an Executable to Expose Assumed Hidden Functionality or Content
- CAPEC-191: Read Sensitive Strings Within an Executable
- CAPEC-205: Lifting credential(s)/Key material embedded in client distributions (thick or thin)
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- MSC03-J: Never hard code sensitive information
-
CWE-807: Reliance on Untrusted Inputs in a Security Decision
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-232: Exploitation of Privilege/Trust
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- ENV03-CPP: Sanitize the environment when invoking external programs
- SEC09-J: Do not base security checks on untrusted sources
-
CWE-862: Missing Authentication
- Mission/Business Risk
-
Common Attack Pattern Enumeration & Classification
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
- CAPEC-17: Accessing, Modifying or Executing Executable Files
- CAPEC-58: Restful Privilege Elevation
- CAPEC-122: Exploitation of Authorization
- CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.
-
CWE-863: Incorrect Authorization
- Mission/Business Risks
-
Common Attack Pattern Enumeration & Classification
- CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
- CAPEC-122: Exploitation of Authorization
- CAPEC-58: Restful Privilege Elevation
- CAPEC-17: Accessing, Modifying or Executing Executable Files
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
-
Prevention & Mitigation Practices
-
Requirements, Architecture & Design
-
Build, Compilation, Implementation, Testing, and Documentation
-
Installation, Operation and System Configuration
-
Associated CERT Coding Rules
- No CERT Coding Rules corresponding to this CWE entry.