J2EE Misconfiguration: Data Transmission Without Encryption | 5 | 0 |
J2EE Misconfiguration: Insufficient Session-ID Length | 6 | 1 |
J2EE Misconfiguration: Missing Custom Error Page | 7 | 0 |
J2EE Misconfiguration: Entity Bean Declared Remote | 8 | 0 |
J2EE Misconfiguration: Weak Access Permissions for EJB Methods | 9 | 0 |
ASP.NET Misconfiguration: Creating Debug Binary | 11 | 1 |
ASP.NET Misconfiguration: Missing Custom Error Page | 12 | 1 |
ASP.NET Misconfiguration: Password in Configuration File | 13 | 0 |
Compiler Removal of Code to Clear Buffers | 14 | 0 |
External Control of System or Configuration Setting | 15 | 18 |
Improper Input Validation | 20 | 11385 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 22 | 6658 |
Relative Path Traversal | 23 | 196 |
Path Traversal: '../filedir' | 24 | 56 |
Path Traversal: '/../filedir' | 25 | 7 |
Path Traversal: '/dir/../filename' | 26 | 12 |
Path Traversal: 'dir/../../filename' | 27 | 14 |
Path Traversal: '..\filedir' | 28 | 2 |
Path Traversal: '\..\filename' | 29 | 40 |
Path Traversal: '\dir\..\filename' | 30 | 0 |
Path Traversal: 'dir\..\..\filename' | 31 | 11 |
Path Traversal: '...' (Triple Dot) | 32 | 2 |
Path Traversal: '....' (Multiple Dot) | 33 | 0 |
Path Traversal: '....//' | 34 | 1 |
Path Traversal: '.../...//' | 35 | 48 |
Absolute Path Traversal | 36 | 47 |
Path Traversal: '/absolute/pathname/here' | 37 | 3 |
Path Traversal: '\absolute\pathname\here' | 38 | 0 |
Path Traversal: 'C:dirname' | 39 | 1 |
Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | 40 | 2 |
Improper Resolution of Path Equivalence | 41 | 7 |
Path Equivalence: 'filename.' (Trailing Dot) | 42 | 1 |
Path Equivalence: 'filename....' (Multiple Trailing Dot) | 43 | 0 |
Path Equivalence: 'file.name' (Internal Dot) | 44 | 0 |
Path Equivalence: 'file...name' (Multiple Internal Dot) | 45 | 0 |
Path Equivalence: 'filename ' (Trailing Space) | 46 | 0 |
Path Equivalence: ' filename' (Leading Space) | 47 | 0 |
Path Equivalence: 'file name' (Internal Whitespace) | 48 | 0 |
Path Equivalence: 'filename/' (Trailing Slash) | 49 | 0 |
Path Equivalence: '//multiple/leading/slash' | 50 | 1 |
Path Equivalence: '/multiple//internal/slash' | 51 | 0 |
Path Equivalence: '/multiple/trailing/slash//' | 52 | 0 |
Path Equivalence: '\multiple\\internal\backslash' | 53 | 0 |
Path Equivalence: 'filedir\' (Trailing Backslash) | 54 | 0 |
Path Equivalence: '/./' (Single Dot Directory) | 55 | 0 |
Path Equivalence: 'filedir*' (Wildcard) | 56 | 0 |
Path Equivalence: 'fakedir/../realdir/filename' | 57 | 1 |
Path Equivalence: Windows 8.3 Filename | 58 | 0 |
Improper Link Resolution Before File Access ('Link Following') | 59 | 1181 |
UNIX Symbolic Link (Symlink) Following | 61 | 64 |
UNIX Hard Link | 62 | 1 |
Windows Shortcut Following (.LNK) | 64 | 3 |
Windows Hard Link | 65 | 6 |
Improper Handling of File Names that Identify Virtual Resources | 66 | 0 |
Improper Handling of Windows Device Names | 67 | 2 |
Improper Handling of Windows ::DATA Alternate Data Stream | 69 | 1 |
Improper Handling of Apple HFS+ Alternate Data Stream Path | 72 | 0 |
External Control of File Name or Path | 73 | 152 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 74 | 1406 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | 75 | 33 |
Improper Neutralization of Equivalent Special Elements | 76 | 9 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') | 77 | 2525 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 78 | 3977 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 79 | 31345 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 80 | 307 |
Improper Neutralization of Script in an Error Message Web Page | 81 | 6 |
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | 82 | 0 |
Improper Neutralization of Script in Attributes in a Web Page | 83 | 8 |
Improper Neutralization of Encoded URI Schemes in a Web Page | 84 | 5 |
Doubled Character XSS Manipulations | 85 | 1 |
Improper Neutralization of Invalid Characters in Identifiers in Web Pages | 86 | 5 |
Improper Neutralization of Alternate XSS Syntax | 87 | 18 |
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | 88 | 244 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 89 | 13175 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | 90 | 33 |
XML Injection (aka Blind XPath Injection) | 91 | 97 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') | 93 | 62 |
Improper Control of Generation of Code ('Code Injection') | 94 | 4001 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 95 | 67 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | 96 | 14 |
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | 97 | 2 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 98 | 62 |
Improper Control of Resource Identifiers ('Resource Injection') | 99 | 26 |
Struts: Duplicate Validation Forms | 102 | 0 |
Struts: Incomplete validate() Method Definition | 103 | 0 |
Struts: Form Bean Does Not Extend Validation Class | 104 | 0 |
Struts: Form Field Without Validator | 105 | 0 |
Struts: Plug-in Framework not in Use | 106 | 0 |
Struts: Unused Validation Form | 107 | 0 |
Struts: Unvalidated Action Form | 108 | 1 |
Struts: Validator Turned Off | 109 | 0 |
Struts: Validator Without Form Field | 110 | 0 |
Direct Use of Unsafe JNI | 111 | 2 |
Missing XML Validation | 112 | 7 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | 113 | 53 |
Process Control | 114 | 13 |
Misinterpretation of Input | 115 | 21 |
Improper Encoding or Escaping of Output | 116 | 280 |
Improper Output Neutralization for Logs | 117 | 81 |
Incorrect Access of Indexable Resource ('Range Error') | 118 | 21 |