Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021.
| ID | Name | Description |
|---|---|---|
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | This vulnerability occurs when an application stores sensitive data in a cookie but fails to set the 'HttpOnly' flag, leaving the cookie accessible to client-side scripts. |
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Deploying an ASP.NET application with debug binaries enabled exposes detailed system information, which attackers can use to map your infrastructure and plan targeted exploits. |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | This vulnerability occurs when an ASP.NET application either completely bypasses the built-in model validation system or implements it incorrectly, allowing untrusted data to flow into the application without proper checks. |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | This vulnerability occurs when an ASP.NET application stores passwords or other sensitive credentials in plaintext within configuration files like web.config. This exposes those credentials to anyone with file system access, effectively bypassing security controls and granting unauthorized access to protected resources. |
| CWE-15 | External Control of System or Configuration Setting | This vulnerability occurs when an application allows users to directly modify critical system settings or configuration values from an external source. |
| CWE-260 | Password in Configuration File | This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable to anyone with access to that file. |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie without encryption. |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | This vulnerability occurs when a .NET application is configured to run with impersonation, potentially granting it excessive system-level permissions that attackers could exploit. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable. |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | This vulnerability occurs when a Java application's runtime error messages reveal sensitive details about the system, such as file paths, internal IP addresses, or stack traces. Attackers can exploit these overly informative error messages to map the application's structure and gather intelligence for further attacks. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | This vulnerability occurs when sensitive data like passwords or system details is placed inside a publicly accessible include file. Attackers can directly request these files to steal credentials and compromise the application. |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | This vulnerability occurs when code directly embeds security-critical values like passwords, cryptographic keys, or access levels as raw numbers or strings, instead of using named constants or configuration files. This practice makes the code brittle and error-prone during updates or security reviews. |
| CWE-611 | Improper Restriction of XML External Entity Reference | This vulnerability occurs when an application processes XML input without properly restricting external entity references. Attackers can exploit this to read local files, trigger internal network requests, or cause denial of service. |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | This vulnerability occurs when a web application transmits sensitive cookies over an HTTPS connection but fails to set the 'Secure' attribute on those cookies. |
| CWE-756 | Missing Custom Error Page | This vulnerability occurs when an application fails to display its own user-friendly error pages, instead falling back to default system messages that can leak sensitive technical details. |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | This vulnerability occurs when an XML parser allows Document Type Definitions (DTDs) to contain recursively defined entities without proper limits, so that a small crafted document can expand into an enormous one and exhaust the parser's memory or CPU. |
| CWE-942 | Permissive Cross-domain Security Policy with Untrusted Domains | This vulnerability occurs when a web application's cross-domain security policy, like a Content Security Policy (CSP), explicitly grants cross-domain access to untrusted domains or to an overly broad set of domains. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CWE-1032 | OWASP Top Ten 2017 Category A6 - Security Misconfiguration | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017. |
| CWE-16 | Configuration | Weaknesses in this category are typically introduced during the configuration of the software. |
| CWE-2 | 7PK - Environment | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms." |