Categories

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.

An exception is thrown from a function, but it is not caught.

The software uses a cross-domain policy file that includes domains that should not be trusted.

The product mixes trusted and untrusted data in the same data structure or structured message.

The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.