Improper Handling of Parameters | 233 | 18 |
Failure to Handle Missing Parameter | 234 | 2 |
Improper Handling of Extra Parameters | 235 | 2 |
Improper Handling of Undefined Parameters | 236 | 1 |
Improper Handling of Structural Elements | 237 | 1 |
Improper Handling of Incomplete Structural Elements | 238 | 0 |
Failure to Handle Incomplete Element | 239 | 1 |
Improper Handling of Inconsistent Structural Elements | 240 | 5 |
Improper Handling of Unexpected Data Type | 241 | 22 |
Use of Inherently Dangerous Function | 242 | 5 |
Creation of chroot Jail Without Changing Working Directory | 243 | 0 |
Improper Clearing of Heap Memory Before Release ('Heap Inspection') | 244 | 5 |
J2EE Bad Practices: Direct Management of Connections | 245 | 0 |
J2EE Bad Practices: Direct Use of Sockets | 246 | 0 |
Uncaught Exception | 248 | 91 |
Execution with Unnecessary Privileges | 250 | 143 |
Unchecked Return Value | 252 | 122 |
Incorrect Check of Function Return Value | 253 | 11 |
Plaintext Storage of a Password | 256 | 132 |
Storing Passwords in a Recoverable Format | 257 | 34 |
Empty Password in Configuration File | 258 | 8 |
Use of Hard-coded Password | 259 | 96 |
Password in Configuration File | 260 | 7 |
Weak Encoding for Password | 261 | 22 |
Not Using Password Aging | 262 | 3 |
Password Aging with Long Expiration | 263 | 1 |
Incorrect Privilege Assignment | 266 | 175 |
Privilege Defined With Unsafe Actions | 267 | 29 |
Privilege Chaining | 268 | 11 |
Improper Privilege Management | 269 | 2761 |
Privilege Context Switching Error | 270 | 16 |
Privilege Dropping / Lowering Errors | 271 | 7 |
Least Privilege Violation | 272 | 12 |
Improper Check for Dropped Privileges | 273 | 31 |
Improper Handling of Insufficient Privileges | 274 | 30 |
Incorrect Default Permissions | 276 | 1144 |
Insecure Inherited Permissions | 277 | 39 |
Insecure Preserved Inherited Permissions | 278 | 4 |
Incorrect Execution-Assigned Permissions | 279 | 8 |
Improper Handling of Insufficient Permissions or Privileges | 280 | 74 |
Improper Preservation of Permissions | 281 | 249 |
Improper Ownership Management | 282 | 17 |
Unverified Ownership | 283 | 8 |
Improper Access Control | 284 | 2759 |
Improper Authorization | 285 | 634 |
Incorrect User Management | 286 | 18 |
Improper Authentication | 287 | 3882 |
Authentication Bypass Using an Alternate Path or Channel | 288 | 210 |
Authentication Bypass by Alternate Name | 289 | 10 |
Authentication Bypass by Spoofing | 290 | 317 |
Reliance on IP Address for Authentication | 291 | 4 |
Using Referer Field for Authentication | 293 | 1 |
Authentication Bypass by Capture-replay | 294 | 161 |
Improper Certificate Validation | 295 | 1060 |
Improper Following of a Certificate's Chain of Trust | 296 | 6 |
Improper Validation of Certificate with Host Mismatch | 297 | 29 |
Improper Validation of Certificate Expiration | 298 | 2 |
Improper Check for Certificate Revocation | 299 | 4 |
Channel Accessible by Non-Endpoint | 300 | 42 |
Reflection Attack in an Authentication Protocol | 301 | 1 |
Authentication Bypass by Assumed-Immutable Data | 302 | 17 |
Incorrect Implementation of Authentication Algorithm | 303 | 48 |
Missing Critical Step in Authentication | 304 | 17 |
Authentication Bypass by Primary Weakness | 305 | 79 |
Missing Authentication for Critical Function | 306 | 1267 |
Improper Restriction of Excessive Authentication Attempts | 307 | 376 |
Use of Single-factor Authentication | 308 | 6 |
Use of Password System for Primary Authentication | 309 | 0 |
Missing Encryption of Sensitive Data | 311 | 478 |
Cleartext Storage of Sensitive Information | 312 | 629 |
Cleartext Storage in a File or on Disk | 313 | 15 |
Cleartext Storage in the Registry | 314 | 0 |
Cleartext Storage of Sensitive Information in a Cookie | 315 | 6 |
Cleartext Storage of Sensitive Information in Memory | 316 | 19 |
Cleartext Storage of Sensitive Information in GUI | 317 | 4 |
Cleartext Storage of Sensitive Information in Executable | 318 | 2 |
Cleartext Transmission of Sensitive Information | 319 | 675 |
Use of Hard-coded Cryptographic Key | 321 | 117 |
Key Exchange without Entity Authentication | 322 | 14 |
Reusing a Nonce, Key Pair in Encryption | 323 | 23 |
Use of a Key Past its Expiration Date | 324 | 12 |
Missing Cryptographic Step | 325 | 28 |
Inadequate Encryption Strength | 326 | 447 |
Use of a Broken or Risky Cryptographic Algorithm | 327 | 530 |
Use of Weak Hash | 328 | 24 |
Generation of Predictable IV with CBC Mode | 329 | 4 |
Use of Insufficiently Random Values | 330 | 323 |
Insufficient Entropy | 331 | 86 |
Insufficient Entropy in PRNG | 332 | 9 |
Improper Handling of Insufficient Entropy in TRNG | 333 | 0 |
Small Space of Random Values | 334 | 11 |
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | 335 | 32 |
Same Seed in Pseudo-Random Number Generator (PRNG) | 336 | 1 |
Predictable Seed in Pseudo-Random Number Generator (PRNG) | 337 | 6 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 338 | 104 |
Small Seed Space in PRNG | 339 | 0 |
Generation of Predictable Numbers or Identifiers | 340 | 7 |
Predictable from Observable State | 341 | 7 |
Predictable Exact Value from Previous Values | 342 | 5 |
Predictable Value Range from Previous Values | 343 | 2 |