OWASP L1 Checklist

This checklist lists the OWASP Application Security Verification Standard (ASVS) 4.x Level 1 requirements, grouped by category (authentication, session management, access control, validation and encoding, stored cryptography, error handling and logging, data protection, communication, malicious code, business logic, files and resources, API and web service, configuration) and by section within each category. Each row carries the requirement text, its CWE mapping, and a result column for recording the verification outcome; every row is still marked "Not Started".

Uploaded by sajjadr

| Category | Section | Requirement | CWE | Result | Description |
|---|---|---|---|---|---|
| Authentication | Password Security | Verify that user set passwords are at least 12 characters in length (after multiple spaces are combined). (C6) | 521 | Not Started | |
| Authentication | Password Security | Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are… | 521 | Not Started | |
| Authentication | Password Security | Verify that password truncation is not performed. However, consecutive multiple spaces may be replaced by a sing… | 521 | Not Started | |
| Authentication | Password Security | Verify that any printable Unicode character, including language neutral characters such as spaces and Emojis are pe… | 521 | Not Started | |
| Authentication | Password Security | Verify users can change their password. | 620 | Not Started | |
| Authentication | Password Security | Verify that password change functionality requires the user's current and new password. | 620 | Not Started | |
| Authentication | Password Security | Verify that passwords submitted during account registration, login, and password change are checked against a set… | 521 | Not Started | |
| Authentication | Password Security | Verify that a password strength meter is provided to help users set a stronger password. | 521 | Not Started | |
| Authentication | Password Security | Verify that there are no password composition rules limiting the type of characters permitted. There should be no r… | 521 | Not Started | |
| Authentication | Password Security | Verify that there are no periodic credential rotation or password history requirements. | 263 | Not Started | |
| Authentication | Password Security | Verify that "paste" functionality, browser password helpers, and external password managers are permitted. | 521 | Not Started | |
| Authentication | Password Security | Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the las… | 521 | Not Started | |
| Authentication | General Authenticator Security | Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and accoun… | 307 | Not Started | |
| Authentication | General Authenticator Security | Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transacti… | 304 | Not Started | |
| Authentication | General Authenticator Security | Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, e… | 620 | Not Started | |
| Authentication | Authenticator Lifecycle | Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be… | 330 | Not Started | |
| Authentication | Credential Recovery | Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. (C6) | 640 | Not Started | |
| Authentication | Credential Recovery | Verify password hints or knowledge-based authentication (so-called "secret questions") are not present. | 640 | Not Started | |
| Authentication | Credential Recovery | Verify password credential recovery does not reveal the current password in any way. (C6) | 640 | Not Started | |
| Authentication | Credential Recovery | Verify shared or default accounts are not present (e.g. "root", "admin", or "sa"). | 16 | Not Started | |
| Authentication | Credential Recovery | Verify that if an authentication factor is changed or replaced, that the user is notified of this event. | 304 | Not Started | |
| Authentication | Credential Recovery | Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as time-based OTP (TO… | 640 | Not Started | |
| Authentication | Out of Band Verifier | Verify that clear text out of band (NIST "restricted") authenticators, such as SMS or PSTN, are not offered by defaul… | 287 | Not Started | |
| Authentication | Out of Band Verifier | Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes. | 287 | Not Started | |
| Authentication | Out of Band Verifier | Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the… | 287 | Not Started | |
| Authentication | Out of Band Verifier | Verify that the out of band authenticator and verifier communicates over a secure independent channel. | 523 | Not Started | |
| Authentication | One Time Verifier | Verify th… | 613 | Not Started | |
| Session Management | Fundamental Session Management Security | Verify the application never reveals session tokens in URL parameters. | 598 | Not Started | |
| Session Management | Session Binding | Verify the application generates a new session token on user authentication. (C6) | 384 | Not Started | |
| Session Management | Session Binding | Verify that session tokens possess at least 64 bits of entropy. (C6) | 331 | Not Started | |
| Session Management | Session Binding | Verify the application only stores session tokens in the browser using secure methods such as appropriately secure… | 539 | Not Started | |
| Session Management | Session Termination | Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying p… | 613 | Not Started | |
| Session Management | Cookie-based Session Management | Verify that cookie-based session tokens have the 'Secure' attribute set. (C6) | 614 | Not Started | |
| Session Management | Cookie-based Session Management | Verify that cookie-based session tokens have the 'HttpOnly' attribute set. (C6) | 1004 | Not Started | |
| Session Management | Cookie-based Session Management | Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forge… | 1275 | Not Started | |
| Session Management | Cookie-based Session Management | Verify that cookie-based session tokens use the "__Host-" prefix so cookies are only sent to the host that initially se… | 16 | Not Started | |
| Session Management | Cookie-based Session Management | Verify that if the application is published under a domain name with other applications that set or use session cook… | 16 | Not Started | |
| Session Management | Defenses Against Session Management Exploits | Verify the application ensures a full, valid login session or requires re-authentication or secondary verification befo… | 306 | Not Started | |
| Access Control | General Access Control Design | Verify that the application enforces access control rules on a trusted service layer, especially if client-side access co… | 602 | Not Started | |
| Access Control | General Access Control Design | Verify that all user and data attributes and policy information used by access controls cannot be manipulated by en… | 639 | Not Started | |
| Access Control | General Access Control Design | Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, con… | 285 | Not Started | |
| Access Control | General Access Control Design | Verify that access controls fail securely including when an exception occurs. (C10) | 285 | Not Started | |
| Access Control | Operation Level Access Control | Verify that sensitive data and APIs are protected against Insecure Direct Object Reference (IDOR) attacks targeting c… | 639 | Not Started | |
| Access Control | Operation Level Access Control | Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated function… | 352 | Not Started | |
| Access Control | Other Access Control Considerations | Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use. | 419 | Not Started | |
| Access Control | Other Access Control Considerations | Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow dis… | 548 | Not Started | |
| Validation, Sanitization and Encoding | Input Validation | Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application fra… | 235 | Not Started | |
| Validation, Sanitization and Encoding | Input Validation | Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermea… | 915 | Not Started | |
| Validation, Sanitization and Encoding | Input Validation | Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feed… | 20 | Not Started | |
| Validation, Sanitization and Encoding | Input Validation | Verify that structured data is strongly typed and validated against a defined schema including allowed characters, le… | 20 | Not Started | |
| Validation, Sanitization and Encoding | Input Validation | Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning wh… | 601 | Not Started | |
| Validation, Sanitization and Encoding | Sanitization and Sandboxing | Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer l… | 116 | Not Started | |
| Validation, Sanitization and Encoding | Sanitization and Sandboxing | Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length. | 138 | Not Started | |
| Validation, Sanitization and Encoding | Sanitization and Sandboxing | Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP inje… | 147 | Not Started | |
| Validation, Sanitization and Encoding | Sanitization and Sandboxing | Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alt… | 95 | Not Started | |
| Validation, Sanitization and Encoding | Sanitization and Sandboxing | Verify that the application protects against template injection attacks by ensuring that any user input being include… | 94 | Not Started | |
| Validation, Sanitization and Encoding | Sanitization and Sandboxing | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file meta… | 918 | Not Started | |
| Validation, Sanitization and Encoding | Sanitization and Sandboxing | Verify that the application sanitizes, disables, or sandboxes user-supplied Scalable Vector Graphics (SVG) scriptable… | 159 | Not Started | |
| Validation, Sanitization and Encoding | Sanitization and Sandboxing | Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template languag… | 94 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specific… | 116 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character p… | 176 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected,… | 79 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, enti… | 89 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to… | 89 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that the application protects against JSON injection attacks, JSON eval attacks, and JavaScript expression eva… | 830 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that the application protects against LDAP injection vulnerabilities, or that specific security controls to preven… | 90 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that the application protects against OS command injection and that operating system calls use parameterize… | 78 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks. | 829 | Not Started | |
| Validation, Sanitization and Encoding | Output Encoding and Injection Prevention | Verify that the application protects against XPath injection or XML injection attacks. (C4) | 643 | Not Started | |
| Validation, Sanitization and Encoding | Deserialization Prevention | Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampe… | 502 | Not Started | |
| Validation, Sanitization and Encoding | Deserialization Prevention | Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and… | 611 | Not Started | |
| Validation, Sanitization and Encoding | Deserialization Prevention | Verify that deserialization of untrusted data is avoided or is protected in both custom code and third-party libraries… | 502 | Not Started | |
| Validation, Sanitization and Encoding | Deserialization Prevention | Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON doc… | 95 | Not Started | |
| Stored Cryptography | Algorithms | Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Or… | 310 | Not Started | |
| Error Handling and Logging | Log Content | Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs… | 532 | Not Started | |
| Error Handling and Logging | Log Content | Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security… | 532 | Not Started | |
| Error Handling and Logging | Error Handling | Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a un… | 210 | Not Started | |
| Data Protection | Client-side Data Protection | Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers. | 525 | Not Started | |
| Data Protection | Client-side Data Protection | Verify that data stored in browser storage (such as localStorage, sessionStorage, IndexedDB, or cookies) does not c… | 922 | Not Started | |
| Data Protection | Client-side Data Protection | Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is… | 922 | Not Started | |
| Data Protection | Sensitive Private Data | Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string paramet… | 319 | Not Started | |
| Data Protection | Sensitive Private Data | Verify that users have a method to remove or export their data on demand. | 212 | Not Started | |
| Data Protection | Sensitive Private Data | Verify that users are provided clear language regarding collection and use of supplied personal information and tha… | 285 | Not Started | |
| Data Protection | Sensitive Private Data | Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy… | 200 | Not Started | |
| Communication | Client Communication Security | Verify that TLS is used for all client connectivity, and does not fall back to insecure or unencrypted communications… | 319 | Not Started | |
| Communication | Client Communication Security | Verify using up to date TLS testing tools that only strong cipher suites are enabled, with the strongest cipher suites… | 326 | Not Started | |
| Communication | Client Communication Security | Verify that only the latest recommended versions of the TLS protocol are enabled, such as TLS 1.2 and TLS 1.3. The… | 326 | Not Started | |
| Malicious Code | Application Integrity | Verify that if the application has a client or server auto-update feature, updates should be obtained over secure cha… | 16 | Not Started | |
| Malicious Code | Application Integrity | Verify that the application employs integrity protections, such as code signing or subresource integrity. The applica… | 353 | Not Started | |
| Malicious Code | Application Integrity | Verify that the application has protection from subdomain takeovers if the application relies upon DNS entries or D… | 350 | Not Started | |
| Business Logic | Business Logic Security | Verify that the application will only process business logic flows for the same user in sequential step order and with… | 841 | Not Started | |
| Business Logic | Business Logic Security | Verify that the application will only process business logic flows with all steps being processed in realistic human tim… | 799 | Not Started | |
| Business Logic | Business Logic Security | Verify the application has appropriate limits for specific business actions or transactions which are correctly enforce… | 770 | Not Started | |
| Business Logic | Business Logic Security | Verify that the application has anti-automation controls to protect against excessive calls such as mass data exfiltra… | 770 | Not Started | |
| Business Logic | Business Logic Security | Verify the application has business logic limits or validation to protect against likely business risks or threats, identifi… | 841 | Not Started | |
| Files and Resources | File Upload | Verify that the application will not accept large files that could fill up storage or cause a denial of service. | 400 | Not Started | |
| Files and Resources | File Execution | Verify that user-submitted filename metadata is not used directly by system or framework filesystems and that a U… | 22 | Not Started | |
| Files and Resources | File Execution | Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating o… | 73 | Not Started | |
| Files and Resources | File Execution | Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of rem… | 98 | Not Started | |
| Files and Resources | File Execution | Verify that the application protects against Reflective File Download (RFD) by validating or ignoring user-submitted… | 641 | Not Started | |
| Files and Resources | File Execution | Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command… | 78 | Not Started | |
| Files and Resources | File Storage | Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions. | 552 | Not Started | |
| Files and Resources | File Storage | Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload and serving o… | 509 | Not Started | |
| Files and Resources | File Download | Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional inform… | 552 | Not Started | |
| Files and Resources | File Download | Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content. | 434 | Not Started | |
| Files and Resources | SSRF Protection | Verify that the web or application server is configured with an allow list of resources or systems to which the serve… | 918 | Not Started | |
| API and Web Service | Generic Web Service Security | Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit diff… | 116 | Not Started | |
| API and Web Service | Generic Web Service Security | Verify API URLs do not expose sensitive information, such as the API key, session tokens etc. | 598 | Not Started | |
| API and Web Service | RESTful Web Service | Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users… | 650 | Not Started | |
| API and Web Service | RESTful Web Service | Verify that JSON schema validation is in place and verified before accepting input. | 20 | Not Started | |
| API and Web Service | RESTful Web Service | Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at… | 352 | Not Started | |
| API and Web Service | SOAP Web Service | Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation o… | 20 | Not Started | |
| Configuration | Dependency | Verify that all components are up to date, preferably using a dependency checker during build or compile time. ([C… | 1026 | Not Started | |
| Configuration | Dependency | Verify that all unneeded features, documentation, sample applications and configurations are removed. | 1002 | Not Started | |
| Configuration | Dependency | Verify that if application assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content De… | 829 | Not Started | |
| Configuration | Unintended Security Disclosure | Verify that web or application server and application framework debug modes are disabled in production to elimina… | 497 | Not Started | |
| Configuration | Unintended Security Disclosure | Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system… | 200 | Not Started | |
| Configuration | HTTP Security Headers | Verify that every HTTP response contains a Content-Type header. Also specify a safe character set (e.g., UTF-8, ISO-… | 173 | Not Started | |
| Configuration | HTTP Security Headers | Verify that all API responses contain a Content-Disposition: attachment; filename="api.json" header (or other appro… | 116 | Not Started | |
| Configuration | HTTP Security Headers | Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like… | 1021 | Not Started | |
| Configuration | HTTP Security Headers | Verify that all responses contain a X-Content-Type-Options: nosniff header. | 116 | Not Started | |
| Configuration | HTTP Security Headers | Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Tra… | 523 | Not Started | |
| Configuration | HTTP Security Headers | Verify that a suitable Referrer-Policy header is included to avoid exposing sensitive information in the URL through… | 116 | Not Started | |
| Configuration | HTTP Security Headers | Verify that the content of a web application cannot be embedded in a third-party site by default and that embeddin… | 1021 | Not Started | |
| Configuration | HTTP Request Header Validation | Verify that the application server only accepts the HTTP methods in use by the application/API, including pre-flight… | 749 | Not Started | |
| Configuration | HTTP Request Header Validation | Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin heade… | 346 | Not Started | |
| Configuration | HTTP Request Header Validation | Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of t… | 346 | Not Started | |
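Worked example for the Password Security rows above (minimum 12 characters after collapsing spaces, 64+ accepted, more than 128 rejected rather than truncated, any printable Unicode allowed, breached-password check, no composition rules, and a change-password function that demands the current password). This is an added example written for this page, not code from the checklist or from OWASP; the breached-password set, the `UserStore` class and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, List, Optional, Set, Tuple

MIN_LEN, MAX_LEN = 12, 128   # checklist: >= 12 after collapsing spaces; 64+ must work; > 128 rejected, never truncated

# Constructed stand-in for a breached-password source (e.g. a k-anonymity lookup against a real service).
# Keyed by upper-case SHA-1 hex digest so only a one-way value of each breached password is held.
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password1234", "qwertyuiop123", "letmeinletmein")
}


def normalize(password: str) -> str:
    """Collapse runs of spaces to one space; do not strip, truncate, or otherwise alter the password."""
    return re.sub(r" {2,}", " ", password)


def validate_new_password(password: str, breached: Set[str] = BREACHED_SHA1) -> List[str]:
    """Return the list of policy failures (empty means acceptable).

    Deliberately absent: composition rules ("must contain a digit"), history and rotation,
    all of which the checklist rows reject.
    """
    failures: List[str] = []
    pw = normalize(password)
    n = len(pw)                       # code points, so an emoji counts as one character
    if n < MIN_LEN:
        failures.append(f"too short: {n} < {MIN_LEN}")
    if n > MAX_LEN:
        failures.append(f"too long: {n} > {MAX_LEN} (rejected, not truncated)")
    if any(unicodedata.category(c) in ("Cc", "Cs") for c in pw):
        failures.append("contains control characters")   # every printable character, spaces and emoji included, is allowed
    if hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in breached:
        failures.append("appears in breached-password set")
    return failures


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """scrypt from the standard library; the n/r/p parameters are an assumption, tune them to your hardware."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


class UserStore:
    """Minimal in-memory credential store (hypothetical) used to show the change-password rule."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> List[str]:
        failures = validate_new_password(password)
        if not failures:
            self._creds[user] = hash_password(password)
        return failures

    def verify(self, user: str, password: str) -> bool:
        rec = self._creds.get(user)
        if rec is None:
            hash_password(password)          # spend the same time for unknown users
            return False
        salt, digest = rec
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def change_password(self, user: str, current: str, new: str) -> List[str]:
        """Checklist: a password change requires the current password, and the new one is re-validated."""
        if not self.verify(user, current):
            return ["current password incorrect"]
        failures = validate_new_password(new)
        if not failures:
            self._creds[user] = hash_password(new)
        return failures
```

The validator reports every failure rather than the first one, so a strength meter or form can show all of them at once; rejecting an over-long password (instead of silently cutting it) is what keeps "no truncation" honest, since a truncated password would verify against something the user never typed.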
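Worked example for the Credential Recovery and Out of Band Verifier rows above: a verifier that issues a code for delivery over an independent channel, expires it after 10 minutes, accepts it once, and only for the user and purpose it was issued for. This is an added example, not code from the checklist or from OWASP; the six-digit numeric format, the five-attempt burn limit and the HMAC storage scheme are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 600     # checklist: out-of-band codes expire after 10 minutes
CODE_DIGITS = 6            # assumption: numeric code the user types back
MAX_ATTEMPTS = 5           # assumption: burn the code after this many wrong guesses


class OutOfBandVerifier:
    """Issues one code per (user, purpose) for delivery over an independent channel and verifies it
    once, within the TTL, only for the user and purpose it was issued for. Codes are stored as HMACs."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._key = secrets.token_bytes(32)            # per-process key so a leaked store does not expose codes
        # (user, purpose) -> (mac, issued_at, failed_attempts)
        self._pending: Dict[Tuple[str, str], Tuple[bytes, float, int]] = {}

    def issue(self, user: str, purpose: str) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[(user, purpose)] = (self._mac(user, purpose, code), self._clock(), 0)
        return code   # hand to the SMS/app/email sender; never echo it in the HTTP response that asked for it

    def verify(self, user: str, purpose: str, code: str) -> bool:
        key = (user, purpose)
        entry = self._pending.get(key)
        if entry is None:
            return False                               # never issued, already used, expired or burned
        mac, issued_at, failures = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return False
        if hmac.compare_digest(mac, self._mac(user, purpose, code)):
            del self._pending[key]                     # single use
            return True
        failures += 1
        if failures >= MAX_ATTEMPTS:
            del self._pending[key]                     # brute-force guard: the code is gone, not the account
        else:
            self._pending[key] = (mac, issued_at, failures)
        return False

    def _mac(self, user: str, purpose: str, code: str) -> bytes:
        msg = "\x00".join((user, purpose, code)).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()
```

Binding the code to the purpose matters in practice: a code issued for password recovery must not satisfy a login or transaction-approval prompt, and a code issued to one account must not verify for another. A six-digit code has only about 20 bits of entropy, so the attempt limit and the TTL, not the hashing, are what make guessing impractical.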
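Worked example for the Session Binding, Session Termination and Cookie-based Session Management rows above: token generation with far more than 64 bits of entropy, a `__Host-`-prefixed cookie with Secure, HttpOnly and SameSite, a new token on login, server-side invalidation on logout, and an audit function that reports which of those rows a given `Set-Cookie` header fails. This is an added example, not code from the checklist or from OWASP; the cookie name, the `SessionStore` class and the entropy estimate are assumptions.

```python
import secrets
from typing import Dict, List, Optional

COOKIE_NAME = "__Host-session"    # prefix: browsers only accept it with Secure, Path=/ and no Domain attribute


def new_session_token() -> str:
    return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; the checklist floor is 64 bits


def session_set_cookie(token: str, same_site: str = "Lax") -> str:
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def check_session_cookie(set_cookie: str) -> List[str]:
    """Audit a Set-Cookie header value against the cookie-based session rows; returns findings."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix")
    else:
        if attrs.get("path") != "/":
            findings.append("__Host- requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- forbids Domain")
    # Length is a necessary, not sufficient, condition: about 6 bits per base64url character,
    # and only if the generator is a CSPRNG.
    if len(value) * 6 < 64:
        findings.append("token shorter than 64 bits")
    return findings


class SessionStore:
    """Server-side session table (hypothetical, in-memory). The browser holds only the opaque token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, user: str, pre_auth_token: Optional[str] = None) -> str:
        """New token on authentication; any pre-authentication session is discarded (session fixation)."""
        if pre_auth_token is not None:
            self._sessions.pop(pre_auth_token, None)
        token = new_session_token()
        self._sessions[token] = user
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        """Invalidate server-side, so a replayed cookie (back button, downstream relying party) no longer works."""
        self._sessions.pop(token, None)
```

The `__Host-` prefix is also what addresses the row about sharing a domain with other applications: a `__Host-` cookie is never sent to sibling hosts and cannot be set by them, so a sibling application cannot overwrite or shadow this one's session cookie.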
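Worked example for the Output Encoding and Injection Prevention and Deserialization Prevention rows above (parameterized queries, context-specific HTML encoding, OS calls without a shell, and JSON parsing that never evaluates code). This is an added example, not code from the checklist or from OWASP; the `users` table, the sample rows and the hostname rule are constructed for illustration. The `find_user_unsafe` function is kept only as the "before" that the parameterized version replaces.

```python
import html
import json
import re
import sqlite3
from typing import List, Tuple

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I
)


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def find_user_unsafe(db: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The 'before': untrusted text spliced into SQL (CWE-89). Shown only to contrast with the safe form."""
    return db.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(db: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterized query: the value is bound by the driver and never parsed as SQL."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name: str) -> str:
    """HTML text-node context: entity-encode. Attribute, JavaScript and URL contexts need their own encoders."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def ping_argv(host: str) -> List[str]:
    """OS command without a shell: validate the host, then hand this argv list to subprocess.run(argv).
    No shell=True, no string concatenation, so metacharacters never reach a command interpreter."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def parse_name_payload(text: str) -> str:
    """json.loads never executes its input (unlike eval); enforce the expected shape so extra keys are rejected."""
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"name"} or not isinstance(data["name"], str):
        raise ValueError("unexpected JSON shape")
    return data["name"]
```

Running the same payload through both query functions is the quickest way to fill in the "Result" cell for the parameterized-query row: the string-built query returns every user for `x' OR '1'='1`, the bound query returns nobody.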
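Worked example for the URL redirect allow-list row (Input Validation) and the SSRF rows (Sanitization and Sandboxing, SSRF Protection) above. It is an added example, not code from the checklist or from OWASP; the two allow lists are constructed. It handles the bypass shapes a tester tries first: scheme-relative `//host`, backslashes, userinfo (`allowed@evil`), suffix hosts (`allowed.evil`), odd ports, and IP literals such as the cloud metadata address.

```python
import ipaddress
from typing import FrozenSet
from urllib.parse import urlsplit

REDIRECT_ALLOW: FrozenSet[str] = frozenset({"app.example.com", "www.example.com"})   # constructed
OUTBOUND_ALLOW: FrozenSet[str] = frozenset({"api.partner.example"})                  # constructed


def safe_redirect_target(target: str, allowed_hosts: FrozenSet[str] = REDIRECT_ALLOW,
                         fallback: str = "/") -> str:
    """Return target if it is a same-site path or an https URL to an allow-listed host; else fallback."""
    t = target.replace("\\", "/")            # browsers treat '\' as '/' in http(s) URLs: normalise first
    try:
        parts = urlsplit(t)
        port = parts.port                    # raises ValueError on a malformed port
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative path. Any run of leading slashes ('//evil', '////evil') would be re-parsed by the
        # browser as an authority, so only a single leading slash is accepted.
        return t if t.startswith("/") and not t.startswith("//") else fallback
    if parts.scheme != "https" or parts.username is not None or port not in (None, 443):
        return fallback                      # rejects 'https://app.example.com@evil/', 'javascript:', odd ports
    host = (parts.hostname or "").lower().rstrip(".")
    return t if host in allowed_hosts else fallback   # exact match, so 'app.example.com.evil' fails


def is_public_ip(ip_text: str) -> bool:
    """For the address a name actually resolves to: reject loopback, RFC 1918, link-local (cloud
    metadata), multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_allowed_outbound(url: str, allowed_hosts: FrozenSet[str] = OUTBOUND_ALLOW) -> bool:
    """Allow-list check for server-side fetches: http(s) only, no userinfo, no IP literals, exact host match."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or parts.username is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)           # an IP literal can never be an allow-listed name
        return False
    except ValueError:
        pass
    # Caveat: this checks the name only. Resolve it yourself and run is_public_ip() on every
    # returned address at connect time; otherwise DNS rebinding can point an allowed name at 127.0.0.1.
    return host in allowed_hosts and port in (None, 80, 443)
```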
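Worked example for the Log Content and Error Handling rows above: a redaction pass run over constructed log lines that strips credentials, bearer tokens and card numbers, keeps only an irreversible reference for session tokens, and an error helper that returns a generic message with a unique reference while the detail stays in the (redacted) server log. This is an added example, not code from the checklist or from OWASP; the field names matched and the sample log line are assumptions.

```python
import hashlib
import logging
import re
import uuid
from typing import Dict

LOG = logging.getLogger("app")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(m: "re.Match") -> str:
    """Mask only Luhn-valid 13 to 19 digit runs, so order numbers and timestamps are left alone."""
    digits = re.sub(r"\D", "", m.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "*" * (len(digits) - 4) + digits[-4:]
    return m.group(0)


def session_ref(token: str) -> str:
    """Irreversible reference for a session token: enough to correlate lines, useless for replay."""
    return "sha256:" + hashlib.sha256(token.encode("utf-8")).hexdigest()[:16]


# Order matters: the PAN pass runs before the session pass so it never inspects the generated hash.
REDACTIONS = [
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+"), r"\g<1>[REDACTED]"),
    (re.compile(r"(?i)((?:password|passwd|pwd|secret|api[_-]?key)=)[^&\s;]+"), r"\g<1>[REDACTED]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), mask_pan),
    (re.compile(r"(?i)((?:__Host-)?session(?:id)?=)([^;\s]+)"),
     lambda m: m.group(1) + session_ref(m.group(2))),
]


def redact(line: str) -> str:
    for pattern, repl in REDACTIONS:
        line = pattern.sub(repl, line)
    return line


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so every record is scrubbed before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


LOG.addFilter(RedactingFilter())


def error_response(exc: Exception, log: logging.Logger = LOG) -> Dict[str, object]:
    """Generic message to the client plus a unique reference; the exception detail goes to the server log only."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return {"status": 500, "body": {"error": "An unexpected error occurred.", "reference": ref}}
```

The filter sits on the logger rather than in each call site, which is the only way the "does not log credentials" row survives a developer adding a new `log.debug(request)` later. Regex redaction is a backstop, not a design: fields that are known to be secret should never be passed to the logger in the first place.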
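Worked example for the Business Logic Security rows above: a multi-step flow guard that accepts steps only in order for the same user, rejects steps completed faster than a human could, and enforces a per-account limit on completed transactions. This is an added example, not code from the checklist or from OWASP; the checkout steps, the two-second floor and the five-per-hour limit are assumptions standing in for whatever the real business threat model sets.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple


class CheckoutFlow:
    """Multi-step business flow guard: steps in order, per-step minimum elapsed time, per-user hourly limit."""

    STEPS: Tuple[str, ...] = ("cart", "address", "payment", "confirm")
    MIN_STEP_SECONDS = 2.0       # assumption: no human completes a step form faster than this
    MAX_ORDERS_PER_HOUR = 5      # assumption: business limit for one account
    WINDOW_SECONDS = 3600.0

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # user -> (index of the next expected step, time the previous step was accepted)
        self._state: Dict[str, Tuple[int, Optional[float]]] = {}
        self._orders: Dict[str, List[float]] = {}   # user -> completion times inside the window

    def step(self, user: str, step_name: str) -> bool:
        """Return True if the step is accepted; False if out of order, replayed, too fast, or over the limit."""
        now = self._clock()
        idx, last = self._state.get(user, (0, None))
        if step_name != self.STEPS[idx]:
            return False                             # skipped ahead, went back, or replayed a finished flow
        if last is not None and now - last < self.MIN_STEP_SECONDS:
            return False                             # scripted, not human, pace
        if step_name == self.STEPS[-1]:
            recent = [t for t in self._orders.get(user, []) if now - t < self.WINDOW_SECONDS]
            if len(recent) >= self.MAX_ORDERS_PER_HOUR:
                self._orders[user] = recent
                return False                         # limit reached; the flow stays parked at 'confirm'
            self._orders[user] = recent + [now]
            self._state.pop(user, None)              # flow complete; a repeat must start from 'cart'
            return True
        self._state[user] = (idx + 1, now)
        return True
```

State is keyed by the authenticated user, not by a client-supplied flow id, so one account cannot advance another's flow, and the server, not a hidden form field, decides which step comes next. The same timestamp bookkeeping gives the anti-automation row its signal: a burst of flows at machine pace from one account is exactly what the minimum-step check rejects.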
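Worked example for the File Upload, File Execution, File Storage and File Download rows above: the upload is size-limited, stored under a server-generated name with restrictive permissions, the user-supplied filename is used only for its extension (which must agree with the file's magic bytes), and downloads are served as attachments with a server-built filename so a stored file is never rendered as HTML/JavaScript and a crafted filename cannot drive a Reflective File Download. This is an added example, not code from the checklist or from OWASP; the allowed types, magic bytes and size limit are constructed, and keeping `upload_root` outside the web root is the caller's job.

```python
import os
import secrets
from typing import Dict, Optional

ALLOWED_TYPES: Dict[str, str] = {".png": "image/png", ".jpg": "image/jpeg", ".pdf": "application/pdf"}  # constructed
MAGIC: Dict[bytes, str] = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg", b"%PDF-": ".pdf"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # constructed limit


def sniff_extension(data: bytes) -> Optional[str]:
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes, declared_name: str, upload_root: str) -> str:
    """Store under a server-generated name inside upload_root. The user-supplied filename is read only
    for its extension, which must match the content's magic bytes. Returns the stored name."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    ext = os.path.splitext(os.path.basename(declared_name))[1].lower()
    if ext not in ALLOWED_TYPES or sniff_extension(data) != ext:
        raise ValueError("disallowed or mismatched file type")
    stored_name = secrets.token_hex(16) + ext          # no user-controlled path component at all
    path = os.path.join(upload_root, stored_name)
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(upload_root):
        raise ValueError("path escaped upload root")   # cannot happen with a generated name; kept as a guard
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)   # owner read/write only, never executable
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored_name


def download_headers(stored_name: str, display_name: str) -> Dict[str, str]:
    """Headers for serving a stored upload: fixed Content-Type from the allow list, attachment disposition
    with a server-sanitised filename, and nosniff so the browser cannot reinterpret the body."""
    ext = os.path.splitext(stored_name)[1]
    base = os.path.splitext(os.path.basename(display_name))[0]
    safe = "".join(c for c in base if c.isalnum() or c in "-_")[:64] or "download"
    return {
        "Content-Type": ALLOWED_TYPES[ext],
        "Content-Disposition": f'attachment; filename="{safe}{ext}"',
        "X-Content-Type-Options": "nosniff",
    }
```

The magic-byte check is what closes the gap between "extension allow list" and "direct requests to uploaded files will never be executed": a `.png` that actually contains `<script>` is rejected at upload, and anything that is stored is served with a type and disposition the server chose, not the uploader.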
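Worked example for the HTTP Security Headers and HTTP Request Header Validation rows above: an audit function that takes one response's headers and reports which rows it fails (Content-Type with charset, nosniff, CSP and framing restriction, HSTS with includeSubDomains, Referrer-Policy, attachment disposition on API responses, version leakage), plus a CORS helper that only ever emits an exact-match allow-listed origin and never treats the Origin header as an authentication or authorization signal. This is an added example, not code from the checklist or from OWASP; the origin allow list and the two sample header sets are constructed.

```python
from typing import Dict, FrozenSet, List

ALLOWED_ORIGINS: FrozenSet[str] = frozenset({"https://app.example.com", "https://admin.example.com"})  # constructed


def check_response_headers(headers: Dict[str, str], is_api: bool = False) -> List[str]:
    """Audit one response's headers against the HTTP Security Headers rows; returns findings (empty = pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    ct = h.get("content-type", "")
    if not ct:
        findings.append("missing Content-Type")
    elif ct.split(";")[0].strip().lower().startswith("text/") and "charset=" not in ct.lower():
        findings.append("Content-Type without charset")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp.lower() and "x-frame-options" not in h:
        findings.append("embedding not restricted (no frame-ancestors / X-Frame-Options)")

    hsts = h.get("strict-transport-security", "").lower()
    if "max-age=" not in hsts:
        findings.append("missing Strict-Transport-Security")
    elif "includesubdomains" not in hsts:
        findings.append("Strict-Transport-Security lacks includeSubDomains")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    if is_api and not h.get("content-disposition", "").strip().lower().startswith("attachment"):
        findings.append("API response lacks Content-Disposition: attachment")

    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"{name} exposes version information")
    return findings


def cors_headers(request_origin: str, allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Strict allow list: exact match only, so no reflection of arbitrary origins, no suffix tricks and no
    '*' together with credentials. The Origin header decides which CORS headers to emit and nothing else;
    it must never gate authentication or authorization, because any client can set it to anything."""
    if request_origin in allowed:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}
```

Run the audit against a captured response from each application route rather than one sample: a framework usually sets these headers on HTML pages and forgets them on error pages, redirects and API endpoints, which is where the findings turn up.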
