Category: OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures

Status: Incomplete

Summary

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top Ten 2021.

Membership
ID | Name | Description
CWE-345 | Insufficient Verification of Data Authenticity | This vulnerability occurs when an application fails to properly check where data comes from or confirm its legitimacy, allowing untrusted or forged information to be processed as valid.
CWE-353 | Missing Support for Integrity Check | This vulnerability occurs when a system uses a communication protocol that lacks built-in integrity verification, such as a checksum or cryptographic hash, to detect whether data has been altered or corrupted during transmission.
CWE-426 | Untrusted Search Path | This vulnerability occurs when an application relies on an external search path, provided by a user or the environment, to find and load critical resources such as executables or libraries. Because the application does not fully control this path, an attacker can manipulate it to point to malicious files.
CWE-494 | Download of Code Without Integrity Check | This vulnerability occurs when an application fetches and runs code from an external source (such as a remote server or CDN) without properly verifying where it came from or ensuring it has not been tampered with.
CWE-502 | Deserialization of Untrusted Data | This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation, allowing an attacker to manipulate the data to execute malicious code or cause unexpected behavior.
CWE-565 | Reliance on Cookies without Validation and Integrity Checking | This vulnerability occurs when an application uses cookies to make security decisions (such as granting access or changing settings) but fails to verify that the cookie data is legitimate, unaltered, and belongs to the current user.
CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | This vulnerability occurs when an application makes security decisions (such as granting access or verifying identity) based solely on cookie data without first confirming the cookie's authenticity or integrity.
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | This weakness occurs when an application integrates executable code, such as a library or plugin, from a source it does not fully control or trust.
CWE-830 | Inclusion of Web Functionality from an Untrusted Source | This vulnerability occurs when a web application directly imports and executes functionality, such as a widget or script, from an external, untrusted domain. Because the imported code runs within the application's own security context (origin), it gains the same level of access to user data and the DOM as the application's own code, potentially giving the third party full control.
CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes may be changed. Attackers can exploit this to modify sensitive internal properties they should not have access to.
CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.