Types of Weaknesses
These are the list of weakness types on HackerOne that you can choose from when submitting a report:
| External ID | Weakness Type | Description |
|---|---|---|
| CWE-770 | Allocation of Resources Without Limits or Throttling | The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor. |
| CWE-129 | Array Index Underflow | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | A product requires authentication, but the product has an alternate path or channel that does not require authentication. |
| CWE-307 | Brute Force | The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks. |
| CWE-126 | Buffer Over-read | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
| CWE-124 | Buffer Underflow | The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| CWE-127 | Buffer Under-read | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. |
| CWE-840 | Business Logic Errors | Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. |
| CWE-120 | Classic Buffer Overflow | The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. |
| CWE-312 | Cleartext Storage of Sensitive Information | The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CWE-319 | Cleartext Transmission of Sensitive Information | The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-94 | Code Injection | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-77 | Command Injection - Generic | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. |
| CWE-93 | CRLF Injection | The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. |
| CWE-79 | Cross-site Scripting (XSS) - DOM | In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as Javascript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible. |
| CWE-79 | Cross-site Scripting (XSS) - Generic | The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-79 | Cross-site Scripting (XSS) - Reflected | The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser. |
| CWE-79 | Cross-site Scripting (XSS) - Stored | The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs. |
| CWE-310 | Cryptographic Issues - Generic | Weaknesses in this category are related to the use of cryptography. |
| CWE-400 | Denial of Service | The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended. |
| CWE-502 | Deserialization of Untrusted Data | The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. |
| CWE-415 | Double Free | The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. |
| CWE-506 | Embedded Malicious Code | The application contains code that appears to be malicious in nature. |
| CWE-749 | Exposed Dangerous Method or Function | The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
| CWE-642 | External Control of Critical State Data | The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | The software does not adequately filter user-controlled input for special elements with control implications. |
| CWE-538 | File and Directory Information Exposure | The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere. |
| CWE-425 | Forced Browsing | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. |
| CWE-122 | Heap Overflow | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-444 | HTTP Request Smuggling | When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it. |
| CWE-113 | HTTP Response Splitting | The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| CWE-284 | Improper Access Control - Generic | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-287 | Improper Authentication - Generic | When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. |
| CWE-285 | Improper Authorization | The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-295 | Improper Certificate Validation | The software does not validate, or incorrectly validates, a certificate. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
| CWE-926 | Improper Export of Android Application Components | The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state. |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) | The software does not properly handle when all or part of an input has been URL encoded. |
| CWE-20 | Improper Input Validation | The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
| CWE-170 | Improper Null Termination | The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
| CWE-269 | Improper Privilege Management | The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-326 | Inadequate Encryption Strength | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-184 | Incomplete Blacklist | An application uses a "blacklist" of prohibited values, but the blacklist is incomplete. |
| CWE-863 | Incorrect Authorization | The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. |
| CWE-131 | Incorrect Calculation of Buffer Size | The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. |
| CWE-697 | Incorrect Comparison | The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. |
| CWE-200 | Information Disclosure | An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. |
| CWE-209 | Information Exposure Through an Error Message | The software generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-215 | Information Exposure Through Debug Information | The application contains debugging code that can expose sensitive information to untrusted parties. |
| CWE-548 | Information Exposure Through Directory Listing | A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. |
| CWE-203 | Information Exposure Through Discrepancy | The product behaves differently or sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-201 | Information Exposure Through Sent Data | The accidental exposure of sensitive information through sent data refers to the transmission of data which are either sensitive in and of itself or useful in the further exploitation of the system through standard data channels. |
| CWE-208 | Information Exposure Through Timing Discrepancy | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-639 | Insecure Direct Object Reference (IDOR) | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-922 | Insecure Storage of Sensitive Information | The software stores sensitive information without properly limiting read or write access by unauthorized actors. |
| CWE-377 | Insecure Temporary File | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
| CWE-522 | Insufficiently Protected Credentials | This weakness occurs when the application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-613 | Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-190 | Integer Overflow | The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. |
| CWE-191 | Integer Underflow | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
| CWE-322 | Key Exchange without Entity Authentication | The software performs a key exchange with an actor without verifying the identity of that actor. |
| CWE-90 | LDAP Injection | The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
| CWE-489 | Leftover Debug Code (Backdoor) | The application was deployed with active debugging code that can create unintended entry points. |
| capec-549 | Malware | An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. |
| CWE-300 | Man-in-the-Middle | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. |
| CWE-119 | Memory Corruption - Generic | The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. |
| CWE-311 | Missing Encryption of Sensitive Data | The software does not encrypt sensitive or critical information before storage or transmission. |
| CWE-325 | Missing Required Cryptographic Step | The software does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by that algorithm. |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | The software does not properly protect an assumed-immutable element from being modified by an attacker. |
| CWE-476 | NULL Pointer Dereference | A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. |
| CWE-193 | Off-by-one Error | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
| CWE-601 | Open Redirect | A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. |
| CWE-78 | OS Command Injection | The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-125 | Out-of-bounds Read | The software reads data past the end, or before the beginning, of the intended buffer. |
| CWE-260 | Password in Configuration File | The software stores a password in a configuration file that might be accessible to actors who do not know the password. |
| CWE-22 | Path Traversal | The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-35 | Path Traversal: '.../...//' | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. |
| capec-98 | Phishing | Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information. |
| CWE-256 | Plaintext Storage of a Password | Storing a password in plaintext may result in a system compromise. |
| CWE-359 | Privacy Violation | The software does not properly prevent private data (such as credit card numbers) from being accessed by actors who either (1) are not explicitly authorized to access the data or (2) do not have the implicit consent of the people to which the data is related. |
| capec-233 | Privilege Escalation | An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform. |
| CWE-23 | Relative Path Traversal | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-98 | Remote File Inclusion | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
| CWE-509 | Replicating Malicious Code (Virus or Worm) | Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software. |
| CWE-99 | Resource Injection | The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. |
| CWE-328 | Reversible One-Way Hash | The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques. |
| CWE-656 | Security Through Obscurity | The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. |
| CWE-918 | Server-Side Request Forgery (SSRF) | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-384 | Session Fixation | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
| CWE-89 | SQL Injection | The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. |
| CWE-121 | Stack Overflow | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-257 | Storing Passwords in a Recoverable Format | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. |
| CWE-360 | Trust of System Event Data | Security based on event locations are insecure and can be spoofed. |
| CWE-843 | Type Confusion | The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
| capec-103 | UI Redressing (Clickjacking) | In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. |
| CWE-391 | Unchecked Error Condition | Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. |
| CWE-674 | Uncontrolled Recursion | The product does not properly control the amount of recursion that takes place, which consumes excessive resources, such as allocated memory or the program stack. |
| CWE-523 | Unprotected Transport of Credentials | Login pages not using adequate measures to protect the user name and password while they are in transit from the client to the server. |
| CWE-426 | Untrusted Search Path | The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control. |
| CWE-620 | Unverified Password Change | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
| CWE-416 | Use After Free | Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| CWE-324 | Use of a Key Past its Expiration Date | The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG is not cryptographically strong. |
| CWE-134 | Use of Externally-Controlled Format String | The software uses a function that accepts a format string as an argument, but the format string originates from an external source. |
| CWE-798 | Use of Hard-coded Credentials | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
| CWE-321 | Use of Hard-coded Cryptographic Key | The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. |
| CWE-259 | Use of Hard-coded Password | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-242 | Use of Inherently Dangerous Function | The program calls a function that can never be guaranteed to work safely. |
| CWE-330 | Use of Insufficiently Random Values | The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. |
| CWE-657 | Violation of Secure Design Principles | The product violates well-established principles for secure design. |
| CWE-261 | Weak Cryptography for Passwords | Obscuring a password with a trivial encoding does not protect the password. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-128 | Wrap-around Error | Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value. |
| CWE-123 | Write-what-where Condition | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. |
| CWE-776 | XML Entity Expansion | The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
| CWE-611 | XML External Entities (XXE) | The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
| CWE-91 | XML Injection | The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| CAPEC-209 | XSS Using MIME Type Mismatch | An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser. |