Categories

The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.

The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.

The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.

The software does not adequately filter user-controlled input for special elements with control implications.

The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.