Appendix: CWEs That Violate Security Standards

This appendix lists all the CWEs that violate the security standards you can apply to your policies in the Veracode Platform. It also indicates which CWEs are supported by Veracode Static Analysis as well as DynamicDS, DynamicMP, and Dynamic Analysis. Veracode Manual Penetration Testing scans may report any valid CWE, including those not listed here.

OWASP 2017

This table lists all the CWEs that may cause an application to fail a policy that includes an OWASP 2017 policy rule.

| CWE ID | CWE Name | Static Support | Dynamic Support |
|---|---|---|---|
| 5 | J2EE Misconfiguration: Data Transmission Without Encryption | | |
| 9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | | |
| 13 | ASP.NET Misconfiguration: Password in Configuration File | | |
| 16 | Configuration | | X |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X |
| 23 | Relative Path Traversal | | |
| 24 | Path Traversal: '../filedir' | | |
| 25 | Path Traversal: '/../filedir' | | |
| 26 | Path Traversal: '/dir/../filename' | | |
| 27 | Path Traversal: 'dir/../../filename' | | |
| 28 | Path Traversal: '..\filedir' | | |
| 29 | Path Traversal: '\..\filename' | | |
| 30 | Path Traversal: '\dir\..\filename' | | |
| 31 | Path Traversal: 'dir\..\..\filename' | | |
| 32 | Path Traversal: '...' (Triple Dot) | | |
| 33 | Path Traversal: '....' (Multiple Dot) | | |
| 34 | Path Traversal: '....//' | | |
| 35 | Path Traversal: '.../...//' | | |
| 36 | Absolute Path Traversal | | |
| 37 | Path Traversal: '/absolute/pathname/here' | | |
| 38 | Path Traversal: '\absolute\pathname\here' | | |
| 39 | Path Traversal: 'C:dirname' | | |
| 40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | | |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | | |
| 75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | | |
| 76 | Improper Neutralization of Equivalent Special Elements | | |
| 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | X | |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X |
| 81 | Improper Neutralization of Script in an Error Message Web Page | | |
| 82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | | |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | | X |
| 84 | Improper Neutralization of Encoded URI Schemes in a Web Page | | |
| 85 | Doubled Character XSS Manipulations | | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | |
| 87 | Improper Neutralization of Alternate XSS Syntax | | |
| 88 | Argument Injection or Modification | X | |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | X |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | X | |
| 91 | XML Injection (aka Blind XPath Injection) | X | |
| 93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | X | |
| 94 | Improper Control of Generation of Code ('Code Injection') | X | |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | X | |
| 96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | | |
| 97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | | |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | X | X |
| 99 | Improper Control of Resource Identifiers ('Resource Injection') | X | |
| 102 | Struts: Duplicate Validation Forms | | |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | X | X |
| 117 | Improper Output Neutralization for Logs | X | |
| 134 | Use of Externally-Controlled Format String | X | |
| 202 | Exposure of Sensitive Data Through Data Queries | | |
| 209 | Information Exposure Through an Error Message | X | X |
| 210 | Information Exposure Through Self-generated Error Message | | |
| 211 | Information Exposure Through Externally-Generated Error Message | | |
| 219 | Sensitive Data Under Web Root | | |
| 220 | Sensitive Data Under FTP Root | | |
| 223 | Omission of Security-relevant Information | X | |
| 256 | Unprotected Storage of Credentials | X | |
| 257 | Storing Passwords in a Recoverable Format | | |
| 258 | Empty Password in Configuration File | | |
| 259 | Use of Hard-coded Password | X | X |
| 260 | Password in Configuration File | | |
| 261 | Weak Cryptography for Passwords | X | |
| 262 | Not Using Password Aging | | |
| 263 | Password Aging with Long Expiration | | |
| 266 | Incorrect Privilege Assignment | | |
| 267 | Privilege Defined With Unsafe Actions | | |
| 268 | Privilege Chaining | | |
| 269 | Improper Privilege Management | | |
| 270 | Privilege Context Switching Error | | |
| 271 | Privilege Dropping / Lowering Errors | | |
| 272 | Least Privilege Violation | X | |
| 276 | Incorrect Default Permissions | | |
| 277 | Insecure Inherited Permissions | | |
| 278 | Insecure Preserved Inherited Permissions | | |
| 279 | Incorrect Execution-Assigned Permissions | | |
| 281 | Improper Preservation of Permissions | | |
| 282 | Improper Ownership Management | | |
| 283 | Unverified Ownership | | |
| 284 | Improper Access Control | | |
| 285 | Improper Authorization | X | X |
| 286 | Incorrect User Management | | |
| 287 | Improper Authentication | | |
| 288 | Authentication Bypass Using an Alternate Path or Channel | | |
| 289 | Authentication Bypass by Alternate Name | | |
| 290 | Authentication Bypass by Spoofing | | |
| 291 | Reliance on IP Address for Authentication | | |
| 293 | Using Referer Field for Authentication | | |
| 294 | Authentication Bypass by Capture-replay | | |
| 295 | Improper Certificate Validation | X | |
| 296 | Improper Following of a Certificate's Chain of Trust | X | X |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X |
| 298 | Improper Validation of Certificate Expiration | | X |
| 299 | Improper Check for Certificate Revocation | | X |
| 300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | | |
| 301 | Reflection Attack in an Authentication Protocol | | |
| 302 | Authentication Bypass by Assumed-Immutable Data | | |
| 303 | Incorrect Implementation of Authentication Algorithm | | |
| 305 | Authentication Bypass by Primary Weakness | | |
| 306 | Missing Authentication for Critical Function | | |
| 307 | Improper Restriction of Excessive Authentication Attempts | | |
| 308 | Use of Single-factor Authentication | | |
| 309 | Use of Password System for Primary Authentication | | |
| 311 | Missing Encryption of Sensitive Data | X | |
| 312 | Cleartext Storage of Sensitive Information | X | |
| 313 | Cleartext Storage in a File or on Disk | X | |
| 314 | Cleartext Storage in the Registry | | |
| 315 | Cleartext Storage of Sensitive Information in a Cookie | | |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | |
| 317 | Cleartext Storage of Sensitive Information in GUI | | |
| 318 | Cleartext Storage of Sensitive Information in Executable | | |
| 319 | Cleartext Transmission of Sensitive Information | | |
| 320 | Key Management Errors | | |
| 321 | Use of Hard-coded Cryptographic Key | X | X |
| 322 | Key Exchange without Entity Authentication | | |
| 325 | Missing Required Cryptographic Step | | |
| 326 | Inadequate Encryption Strength | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X |
| 328 | Reversible One-Way Hash | | |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | |
| 359 | Exposure of Private Information ('Privacy Violation') | X | |
| 370 | Missing Check for Certificate Revocation after Initial Check | | |
| 384 | Session Fixation | X | X |
| 419 | Unprotected Primary Channel | | |
| 420 | Unprotected Alternate Channel | | |
| 421 | Race Condition During Access to Alternate Channel | X | |
| 422 | Unprotected Windows Messaging Channel ('Shatter') | | |
| 425 | Direct Request ('Forced Browsing') | | |
| 433 | Unparsed Raw Web Content Delivery | | |
| 462 | Duplicate Key in Associative List (Alist) | | |
| 502 | Deserialization of Untrusted Data | X | |
| 520 | .NET Misconfiguration: Use of Impersonation | | |
| 521 | Weak Password Requirements | | |
| 522 | Insufficiently Protected Credentials | X | X |
| 523 | Unprotected Transport of Credentials | | |
| 535 | Information Exposure Through Shell Error Message | | |
| 536 | Information Exposure Through Servlet Runtime Error Message | | |
| 537 | Information Exposure Through Java Runtime Error Message | | |
| 548 | Information Exposure Through Directory Listing | | X |
| 549 | Missing Password Field Masking | | |
| 550 | Information Exposure Through Server Error Message | | |
| 551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | | |
| 555 | J2EE Misconfiguration: Plaintext Password in Configuration File | | |
| 556 | ASP.NET Misconfiguration: Use of Identity Impersonation | | |
| 564 | SQL Injection: Hibernate | X | |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | |
| 599 | Missing Validation of OpenSSL Certificate | | |
| 611 | Improper Restriction of XML External Entity Reference ('XXE') | X | |
| 613 | Insufficient Session Expiration | | |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X |
| 620 | Unverified Password Change | | |
| 621 | Variable Extraction Error | | |
| 623 | Unsafe ActiveX Control Marked Safe For Scripting | | |
| 624 | Executable Regular Expression Error | | |
| 627 | Dynamic Variable Evaluation | | |
| 639 | Authorization Bypass Through User-Controlled Key | X | |
| 640 | Weak Password Recovery Mechanism for Forgotten Password | | |
| 641 | Improper Restriction of Names for Files and Other Resources | | |
| 643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | | |
| 645 | Overly Restrictive Account Lockout Mechanism | | |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | | |
| 648 | Incorrect Use of Privileged APIs | | |
| 652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | | |
| 689 | Permission Race Condition During Resource Copy | | |
| 692 | Incomplete Blacklist to Cross-Site Scripting | | |
| 694 | Use of Multiple Resources with Duplicate Identifier | | |
| 708 | Incorrect Ownership Assignment | X | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | |
| 759 | Use of a One-Way Hash without a Salt | | |
| 760 | Use of a One-Way Hash with a Predictable Salt | X | |
| 776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | | |
| 778 | Insufficient Logging | | |
| 780 | Use of RSA Algorithm without OAEP | X | |
| 798 | Use of Hard-coded Credentials | X | |
| 804 | Guessable CAPTCHA | | |
| 836 | Use of Password Hash Instead of Password for Authentication | | |
| 842 | Placement of User into Incorrect Group | | |
| 862 | Missing Authorization | | |
| 863 | Incorrect Authorization | | |
| 914 | Improper Control of Dynamically-Identified Variables | | |
| 916 | Use of Password Hash With Insufficient Computational Effort | X | |
| 917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | | |
| 923 | Improper Restriction of Communication Channel to Intended Endpoints | | |
| 925 | Improper Verification of Intent by Broadcast Receiver | | |
| 926 | Improper Export of Android Application Components | | |
| 927 | Use of Implicit Intent for Sensitive Communication | | |
| 939 | Improper Authorization in Handler for Custom URL Scheme | | |
| 940 | Improper Verification of Source of a Communication Channel | | |
| 941 | Incorrectly Specified Destination in a Communication Channel | | |
| 942 | Overly Permissive Cross-domain Whitelist | | X |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | X | |
| 1004 | Sensitive Cookie Without 'HttpOnly' Flag | | |
| 1022 | Use of Web Link to Untrusted Target with window.opener Access | | |

OWASP Mobile

This table lists all the CWEs that may cause an application to fail a policy that includes an OWASP Mobile policy rule.

| CWE ID | CWE Name | Android Support | iOS Support |
|---|---|---|---|
| 15 | External Control of System or Configuration Setting | X | |
| 73 | External Control of File Name or Path | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | |
| 114 | Process Control | X | |
| 201 | Information Exposure Through Sent Data | X | |
| 209 | Information Exposure Through an Error Message | X | |
| 215 | Information Exposure Through Debug Information | X | |
| 242 | Use of Inherently Dangerous Function | X | X |
| 256 | Unprotected Storage of Credentials | X | |
| 259 | Use of Hard-coded Password | X | |
| 296 | Improper Following of a Certificate's Chain of Trust | | |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X |
| 311 | Missing Encryption of Sensitive Data | X | |
| 312 | Cleartext Storage of Sensitive Information | | X |
| 313 | Cleartext Storage in a File or on Disk | X | |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | |
| 321 | Use of Hard-coded Cryptographic Key | X | |
| 326 | Inadequate Encryption Strength | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 329 | Not Using a Random IV with CBC Mode | X | |
| 331 | Insufficient Entropy | X | X |
| 347 | Improper Verification of Cryptographic Signature | X | |
| 354 | Improper Validation of Integrity Check Value | X | |
| 377 | Insecure Temporary File | X | |
| 378 | Creation of Temporary File With Insecure Permissions | X | |
| 391 | Unchecked Error Condition | X | X |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | X | |
| 489 | Leftover Debug Code | X | |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | X | |
| 501 | Trust Boundary Violation | X | |
| 506 | Embedded Malicious Code | X | |
| 511 | Logic/Time Bomb | X | |
| 514 | Covert Channel | X | |
| 522 | Insufficiently Protected Credentials | | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | |
| 798 | Use of Hard-coded Credentials | X | |

SANS

This table lists all the CWEs that may cause the application to fail a policy that includes a SANS Top 25 policy rule.

| CWE ID | CWE Name | Static Support | Dynamic Support |
|---|---|---|---|
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | X |
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | X | |
| 131 | Incorrect Calculation of Buffer Size | X | |
| 134 | Use of Externally-Controlled Format String | X | |
| 190 | Integer Overflow or Wraparound | X | |
| 250 | Execution with Unnecessary Privileges | | |
| 306 | Missing Authentication for Critical Function | | |
| 307 | Improper Restriction of Excessive Authentication Attempts | | |
| 311 | Missing Encryption of Sensitive Data | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X |
| 352 | Cross-Site Request Forgery (CSRF) | X | X |
| 434 | Unrestricted Upload of File with Dangerous Type | | X |
| 494 | Download of Code Without Integrity Check | X | |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X |
| 676 | Use of Potentially Dangerous Function | X | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | |
| 759 | Use of a One-Way Hash without a Salt | | |
| 798 | Use of Hard-coded Credentials | X | X |
| 807 | Reliance on Untrusted Inputs in a Security Decision | | |
| 829 | Inclusion of Functionality from Untrusted Control Sphere | X | X |
| 862 | Missing Authorization | | |
| 863 | Incorrect Authorization | | |

CERT

This table lists all the CWEs that may cause the application to fail a policy that includes a CERT policy rule.

| CWE ID | CWE Name | Static Support | Dynamic Support |
|---|---|---|---|
| 14 | Compiler Removal of Code to Clear Buffers | | |
| 20 | Improper Input Validation | | |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X |
| 37 | Path Traversal: '/absolute/pathname/here' | | |
| 38 | Path Traversal: '\absolute\pathname\here' | | |
| 39 | Path Traversal: 'C:dirname' | | |
| 41 | Improper Resolution of Path Equivalence | | |
| 59 | Improper Link Resolution Before File Access ('Link Following') | | |
| 62 | UNIX Hard Link | | |
| 64 | Windows Shortcut Following (.LNK) | | |
| 65 | Windows Hard Link | | |
| 67 | Improper Handling of Windows Device Names | | |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 88 | Argument Injection or Modification | X | |
| 111 | Direct Use of Unsafe JNI | X | |
| 116 | Improper Encoding or Escaping of Output | | |
| 117 | Improper Output Neutralization for Logs | X | |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | | |
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | | |
| 121 | Stack-based Buffer Overflow | X | |
| 122 | Heap-based Buffer Overflow | | |
| 123 | Write-what-where Condition | X | |
| 125 | Out-of-bounds Read | X | |
| 128 | Wrap-around Error | | |
| 129 | Improper Validation of Array Index | X | |
| 131 | Incorrect Calculation of Buffer Size | | |
| 134 | Use of Externally-Controlled Format String | X | |
| 135 | Incorrect Calculation of Multi-Byte String Length | X | |
| 144 | Improper Neutralization of Line Delimiters | | |
| 150 | Improper Neutralization of Escape, Meta, or Control Sequences | | |
| 170 | Improper Null Termination | X | |
| 171 | Cleansing, Canonicalization, and Comparison Errors | | |
| 176 | Improper Handling of Unicode Encoding | | |
| 180 | Incorrect Behavior Order: Validate Before Canonicalize | | |
| 182 | Collapse of Data into Unsafe Value | | |
| 190 | Integer Overflow or Wraparound | X | |
| 191 | Integer Underflow (Wrap or Wraparound) | X | |
| 192 | Integer Coercion Error | X | |
| 193 | Off-by-one Error | X | |
| 194 | Unexpected Sign Extension | | |
| 195 | Signed to Unsigned Conversion Error | X | |
| 197 | Numeric Truncation Error | X | |
| 198 | Use of Incorrect Byte Ordering | | |
| 209 | Information Exposure Through an Error Message | X | X |
| 226 | Sensitive Information Uncleared Before Release | | |
| 227 | 7PK - API Abuse | | |
| 230 | Improper Handling of Missing Values | | |
| 232 | Improper Handling of Undefined Values | | |
| 241 | Improper Handling of Unexpected Data Type | | |
| 242 | Use of Inherently Dangerous Function | X | |
| 244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | | |
| 248 | Uncaught Exception | X | |
| 250 | Execution with Unnecessary Privileges | | |
| 252 | Unchecked Return Value | X | |
| 253 | Incorrect Check of Function Return Value | | |
| 259 | Use of Hard-coded Password | X | X |
| 266 | Incorrect Privilege Assignment | | |
| 272 | Least Privilege Violation | X | |
| 273 | Improper Check for Dropped Privileges | | |
| 276 | Incorrect Default Permissions | | |
| 279 | Incorrect Execution-Assigned Permissions | | |
| 289 | Authentication Bypass by Alternate Name | | |
| 300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | | |
| 302 | Authentication Bypass by Assumed-Immutable Data | | |
| 311 | Missing Encryption of Sensitive Data | X | |
| 319 | Cleartext Transmission of Sensitive Information | | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | | |
| 330 | Use of Insufficiently Random Values | X | |
| 331 | Insufficient Entropy | X | |
| 332 | Insufficient Entropy in PRNG | | |
| 333 | Improper Handling of Insufficient Entropy in TRNG | | |
| 336 | Same Seed in Pseudo-Random Number Generator (PRNG) | | |
| 337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | | |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | X | |
| 347 | Improper Verification of Cryptographic Signature | X | |
| 349 | Acceptance of Extraneous Untrusted Data With Trusted Data | | |
| 359 | Exposure of Private Information ('Privacy Violation') | X | |
| 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | | |
| 363 | Race Condition Enabling Link Following | | |
| 366 | Race Condition within a Thread | X | |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | X | |
| 369 | Divide By Zero | | |
| 374 | Passing Mutable Objects to an Untrusted Method | | |
| 375 | Returning a Mutable Object to an Untrusted Caller | | |
| 377 | Insecure Temporary File | X | |
| 379 | Creation of Temporary File in Directory with Incorrect Permissions | | |
| 382 | J2EE Bad Practices: Use of System.exit() | X | |
| 390 | Detection of Error Condition Without Action | | |
| 391 | Unchecked Error Condition | X | |
| 392 | Missing Report of Error Condition | | |
| 395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | | |
| 397 | Declaration of Throws for Generic Exception | | |
| 400 | Uncontrolled Resource Consumption | | |
| 401 | Improper Release of Memory Before Removing Last Reference | X | |
| 403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | | |
| 404 | Improper Resource Shutdown or Release | X | |
| 405 | Asymmetric Resource Consumption (Amplification) | | |
| 409 | Improper Handling of Highly Compressed Data (Data Amplification) | | |
| 410 | Insufficient Resource Pool | | |
| 412 | Unrestricted Externally Accessible Lock | | |
| 413 | Improper Resource Locking | | |
| 415 | Double Free | X | |
| 416 | Use After Free | X | |
| 426 | Untrusted Search Path | X | |
| 456 | Missing Initialization of a Variable | | |
| 459 | Incomplete Cleanup | | |
| 460 | Improper Cleanup on Thrown Exception | | |
| 462 | Duplicate Key in Associative List (Alist) | | |
| 464 | Addition of Data Structure Sentinel | | |
| 466 | Return of Pointer Value Outside of Expected Range | | |
| 467 | Use of sizeof() on a Pointer Type | | |
| 468 | Incorrect Pointer Scaling | | |
| 469 | Use of Pointer Subtraction to Determine Size | | |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | X | |
| 476 | NULL Pointer Dereference | | |
| 479 | Signal Handler Use of a Non-reentrant Function | X | |
| 480 | Use of Incorrect Operator | | |
| 481 | Assigning instead of Comparing | | |
| 482 | Comparing instead of Assigning | | |
| 486 | Comparison of Classes by Name | | |
| 487 | Reliance on Package-level Scope | | |
| 491 | Public cloneable() Method Without Final ('Object Hijack') | | |
| 492 | Use of Inner Class Containing Sensitive Data | | |
| 493 | Critical Public Variable Without Final Modifier | | |
| 494 | Download of Code Without Integrity Check | | |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | X | |
| 498 | Cloneable Class Containing Sensitive Information | | |
| 499 | Serializable Class Containing Sensitive Data | | |
| 500 | Public Static Field Not Marked Final | | |
| 502 | Deserialization of Untrusted Data | X | |
| 528 | Exposure of Core Dump File to an Unauthorized Control Sphere | | |
| 532 | Information Exposure Through Log Files | | |
| 543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | | |
| 544 | Missing Standardized Error Handling Mechanism | | |
| 547 | Use of Hard-coded, Security-relevant Constants | X | |
| 552 | Files or Directories Accessible to External Parties | | |
| 561 | Dead Code | | |
| 562 | Return of Stack Variable Address | | |
| 563 | Assignment to Variable without Use | | |
| 567 | Unsynchronized Access to Shared Data in a Multithreaded Context | | |
| 568 | finalize() Method Without super.finalize() | | |
| 570 | Expression is Always False | | |
| 571 | Expression is Always True | | |
| 572 | Call to Thread run() instead of start() | | |
| 573 | Improper Following of Specification by Caller | | |
| 581 | Object Model Violation: Just One of Equals and Hashcode Defined | | |
| 582 | Array Declared Public, Final, and Static | | |
| 583 | finalize() Method Declared Public | | |
| 584 | Return Inside Finally Block | | |
| 586 | Explicit Call to Finalize() | | |
| 587 | Assignment of a Fixed Address to a Pointer | | |
| 589 | Call to Non-ubiquitous API | | |
| 590 | Free of Memory not on the Heap | | |
| 591 | Sensitive Data Storage in Improperly Locked Memory | | |
| 595 | Comparison of Object References Instead of Object Contents | | |
| 597 | Use of Wrong Operator in String Comparison | X | |
| 600 | Uncaught Exception in Servlet | | |
| 606 | Unchecked Input for Loop Condition | | |
| 609 | Double-Checked Locking | | |
| 617 | Reachable Assertion | | |
| 625 | Permissive Regular Expression | | |
| 628 | Function Call with Incorrectly Specified Arguments | X | |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | | |
| 662 | Improper Synchronization | | |
| 664 | Improper Control of a Resource Through its Lifetime | | |
| 665 | Improper Initialization | X | |
| 666 | Operation on Resource in Wrong Phase of Lifetime | | |
| 667 | Improper Locking | | |
| 672 | Operation on a Resource after Expiration or Release | | |
| 675 | Duplicate Operations on Resource | X | |
| 676 | Use of Potentially Dangerous Function | X | |
| 680 | Integer Overflow to Buffer Overflow | | |
| 681 | Incorrect Conversion between Numeric Types | | |
| 682 | Incorrect Calculation | | |
| 684 | Incorrect Provision of Specified Functionality | | |
| 685 | Function Call With Incorrect Number of Arguments | | |
| 686 | Function Call With Incorrect Argument Type | | |
| 687 | Function Call With Incorrectly Specified Argument Value | | |
| 690 | Unchecked Return Value to NULL Pointer Dereference | | |
| 696 | Incorrect Behavior Order | | |
| 697 | Incorrect Comparison | | |
| 703 | Improper Check or Handling of Exceptional Conditions | | |
| 704 | Incorrect Type Conversion or Cast | | |
| 705 | Incorrect Control Flow Scoping | | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | |
| 754 | Improper Check for Unusual or Exceptional Conditions | | |
| 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | | |
| 762 | Mismatched Memory Management Routines | | |
| 766 | Critical Data Element Declared Public | | |
| 770 | Allocation of Resources Without Limits or Throttling | | |
| 771 | Missing Reference to Active Allocated Resource | | |
| 772 | Missing Release of Resource after Effective Lifetime | | |
| 773 | Missing Reference to Active File Descriptor or Handle | | |
| 775 | Missing Release of File Descriptor or Handle after Effective Lifetime | | |
| 783 | Operator Precedence Logic Error | | |
| 786 | Access of Memory Location Before Start of Buffer | | |
| 789 | Uncontrolled Memory Allocation | | |
| 798 | Use of Hard-coded Credentials | X | |
| 805 | Buffer Access with Incorrect Length Value | | |
| 807 | Reliance on Untrusted Inputs in a Security Decision | | |
| 820 | Missing Synchronization | | |
| 833 | Deadlock | | |
| 838 | Inappropriate Encoding for Output Context | | |
| 843 | Access of Resource Using Incompatible Type ('Type Confusion') | | |
| 908 | Use of Uninitialized Resource | | |
| 910 | Use of Expired File Descriptor | | |