Category: OWASP Top Ten 2004 Category A8 - Insecure Storage
Obsolete
Summary
Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-14 | Compiler Removal of Code to Clear Buffers | A compiler optimization can remove security-critical code intended to wipe sensitive data from memory, leaving secrets exposed. This happens when the compiler identifies buffer-clearing operations as unnecessary 'dead stores' and eliminates them. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | This vulnerability occurs when a system releases a resource like memory or a file for reuse but fails to erase the sensitive data it previously contained. The old information remains accessible when the resource is allocated to a new process or used in a different context. |
| CWE-261 | Weak Encoding for Password | Using simple encoding like Base64 to hide a password provides no real security, as it can be easily reversed. |
| CWE-311 | Missing Encryption of Sensitive Data | This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed. |
| CWE-321 | Use of Hard-coded Cryptographic Key | This vulnerability occurs when an application embeds a fixed, unchangeable cryptographic key directly within its source code or configuration files. |
| CWE-326 | Inadequate Encryption Strength | This vulnerability occurs when an application protects sensitive information with encryption, but the specific algorithm or key strength used is too weak to withstand modern attack methods. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The software relies on a cryptographic algorithm or protocol that is either fundamentally flawed or considered too weak by modern security standards. |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | This vulnerability occurs when a web application stores sensitive data, like authentication details or personal information, within persistent cookies that remain on a user's device. |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | This vulnerability occurs when an application stores sensitive information, like passwords or encryption keys, in system memory that isn't properly secured from being written to disk. If the memory isn't locked, the operating system's virtual memory manager can swap it to a page or swap file, leaving the data exposed on the storage drive where attackers could potentially recover it. |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | This vulnerability occurs when a web application handles sensitive data, like passwords or session tokens, by passing them within the URL's query string using an HTTP GET request. |
| CWE-711 | Weaknesses in OWASP Top Ten (2004) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.