Threat Classes and related CWE numbers
Tables showing threat classes of issues tested for by ASoC, and their related CWE numbers.
| Threat Class | CWE |
|---|---|
| Abuse of Functionality | 22, 74, 78, 79, 98, 200, 284, 288, 311, 326, 434, 441, 472, 489, 494, 497, 502, 522, 601, 618, 644, 829, 1022, 1035 |
| Broken Function Level Authorization on API | 284 |
| Broken Object Level Authorization on API | 284 |
| Brute Force | 204, 307, 340 |
| Buffer Overflow | 119, 120, 189, 825 |
| Content Spoofing | 74, 79, 327, 345 |
| Credential/Session Prediction | 330 |
| Cross-Site Request Forgery | 352, 456, 1385 |
| Cross-Site Scripting | 22, 73, 79, 89, 352, 829 |
| Denial of Service | 19, 20, 119, 310, 770, 825 |
| Directory Indexing | 20, 22, 200, 548 |
| Format String | 134 |
| HTTP Request Smuggling | 444 |
| HTTP Response Splitting | 113 |
| Improper Assets Management Vulnerability of API | 1059 |
| Information Leakage | 22, 118, 200, 209, 264, 287, 299, 311, 352, 359, 472, 522, 523, 525, 538, 540, 550, 598, 602, 614, 615, 653, 1021, 1032 |
| Insecure Indexing | 612 |
| Insufficient Authentication | 264, 287, 566, 862, 863 |
| Insufficient Authorization | 264, 285, 565 |
| Insufficient Session Expiration | 539, 613 |
| Insufficient Transport Layer Protection | 296, 297, 298, 523 |
| Integer Overflows | 190 |
| LDAP Injection | 90 |
| Mail Command Injection | 77 |
| Mass Assignment Vulnerability of API | 915 |
| Null Byte Injection | 626 |
| OS Commanding | 20, 73, 74, 77, 78, 94, 264, 284, 326, 434, 502, 552, 915 |
| Path Traversal | 22, 94 |
| Predictable Resource Location | 306, 531 |
| Remote File Inclusion | 73, 94, 98, 99, 829 |
| Server Misconfiguration | 16, 20, 327, 347, 1275 |
| Server Side Template Injection | 1336 |
| Server-Side Request Forgery | 918 |
| Session Fixation | 304, 384 |
| SOAP Array Abuse | 120 |
| SQL Injection | 22, 79, 89, 94, 209 |
| SSI Injection | 78, 97 |
| URL Redirector Abuse | 601 |
| XML Attribute Blowup | 400 |
| XML Entity Expansion | 400 |
| XML External Entities | 200, 434, 611 |
| XML Injection | 91 |
| XPath Injection | 91, 643 |
| Threat Class | CWE |
|---|---|
| Abuse of Functionality | 117, 242, 345, 367, 388, 398, 407, 447, 489, 517, 520, 543, 544, 586, 74, 98 |
| Application Misconfiguration | 16, 778 |
| Brute Force | 310, 312, 325, 327, 331 |
| Buffer Overflow | 120, 129, 131, 242 |
| Content Spoofing | 113, 425 |
| Credential/Session Prediction | 565 |
| Cross-Site Scripting | 352, 79 |
| Denial of Service | 382, 400, 404, 730 |
| Format String | 134 |
| HTTP Request Splitting | 113 |
| Improper Filesystem Permissions | 264 |
| Improper Input Handling | 112, 130, 15, 185, 20, 390, 425, 434, 538, 569, 602, 624, 74, 79, 95 |
| Improper Output Handling | 109, 116, 925 |
| Information Leakage | 20, 201, 209, 250, 311, 300 |
| Insufficient Authentication | 255, 266, 287, 521, 522 |
| Insufficient Authorization | 267, 288 |
| Insufficient Process Validation | 20 |
| Insufficient Session Expiration | 613 |
| Insufficient Transport Layer Protection | 295 |
| Integer Overflows | 190 |
| LDAP Injection | 90 |
| Mail Command Injection | 74, 79 |
| Malicious Content Tests | 470, 489, 506, 507, 511 |
| OS Commanding | 77, 78 |
| Path Traversal | 73 |
| SQL Injection | 89 |
| URL Redirector Abuse | 601 |
| XML Injection | 74, 91 |
| XPath Injection | 643 |
| Threat Class | CWE |
|---|---|
| M1: Weak Server Side Controls | 926, 927 |
| M2: Insecure Data Storage | 275, 310, 359, 451, 522 |
| M3: Insufficient Transport Layer Protection | 295, 296, 297, 300, 327, 490, 601, 754, 79, 829 |
| M4: Unintended Data Leakage | 592, 829 |
| M5: Poor Authorization and Authentication | 259, 321, 327, 338, 798 |
| M7: Client Side Injection | 112, 120, 134, 20, 275, 427, 451, 470, 490, 506, 682, 74, 754, 77, 790, 829, 88, 89, 927 |
| M8: Security Decisions Via Untrusted Inputs | 927 |
| M9: Improper Session Handling | 489, 693 |
| M10: Lack of Binary Protections | 489, 693, 829 |