CAPEC Related Weakness
Privilege Abuse
CWE-434Unrestricted Upload of File with Dangerous Type
CWE-602Client-Side Enforcement of Server-Side Security
CWE-732Incorrect Permission Assignment for Critical Resource
Manipulating hidden fields to change the normal flow of transactions (eShoplifting)
CWE-602Client-Side Enforcement of Server-Side Security
Create Malicious Client
CWE-602Client-Side Enforcement of Server-Side Security
Removing Important Functionality from the Client
CWE-602Client-Side Enforcement of Server-Side Security
Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements
CWE-602Client-Side Enforcement of Server-Side Security
Exploitation of Session Variables, Resource IDs and other Trusted Credentials
CWE-6J2EE Misconfiguration: Insufficient Session-ID Length
CWE-290Authentication Bypass by Spoofing
CWE-302Authentication Bypass by Assumed-Immutable Data
CWE-346Origin Validation Error
CWE-384
CWE-539Information Exposure Through Persistent Cookies
CWE-602Client-Side Enforcement of Server-Side Security
CWE-642External Control of Critical State Data
CWE-664Improper Control of a Resource Through its Lifetime
Accessing/Intercepting/Modifying HTTP Cookies
CWE-20Improper Input Validation
CWE-113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-302Authentication Bypass by Assumed-Immutable Data
CWE-311Missing Encryption of Sensitive Data
CWE-315Cleartext Storage of Sensitive Information in a Cookie
CWE-384
CWE-472External Control of Assumed-Immutable Web Parameter
CWE-539Information Exposure Through Persistent Cookies
CWE-565Reliance on Cookies without Validation and Integrity Checking
CWE-602Client-Side Enforcement of Server-Side Security
CWE-642External Control of Critical State Data
CWE-724
Harvesting Usernames or UserIDs via Application API Event Monitoring
CWE-311Missing Encryption of Sensitive Data
CWE-319Cleartext Transmission of Sensitive Information
CWE-419Unprotected Primary Channel
CWE-602Client-Side Enforcement of Server-Side Security
Application API Message Manipulation via Man-in-the-Middle
CWE-311Missing Encryption of Sensitive Data
CWE-345Insufficient Verification of Data Authenticity
CWE-346Origin Validation Error
CWE-471Modification of Assumed-Immutable Data (MAID)
CWE-602Client-Side Enforcement of Server-Side Security
Transaction or Event Tampering via Application API Manipulation
CWE-311Missing Encryption of Sensitive Data
CWE-345Insufficient Verification of Data Authenticity
CWE-346Origin Validation Error
CWE-471Modification of Assumed-Immutable Data (MAID)
CWE-602Client-Side Enforcement of Server-Side Security
Application API Navigation Remapping
CWE-311Missing Encryption of Sensitive Data
CWE-345Insufficient Verification of Data Authenticity
CWE-346Origin Validation Error
CWE-471Modification of Assumed-Immutable Data (MAID)
CWE-602Client-Side Enforcement of Server-Side Security
Navigation Remapping To Propagate Malicious Content
CWE-311Missing Encryption of Sensitive Data
CWE-345Insufficient Verification of Data Authenticity
CWE-346Origin Validation Error
CWE-471Modification of Assumed-Immutable Data (MAID)
CWE-602Client-Side Enforcement of Server-Side Security
Application API Button Hijacking
CWE-311Missing Encryption of Sensitive Data
CWE-345Insufficient Verification of Data Authenticity
CWE-346Origin Validation Error
CWE-471Modification of Assumed-Immutable Data (MAID)
CWE-602Client-Side Enforcement of Server-Side Security
Content Spoofing Via Application API Manipulation
CWE-311Missing Encryption of Sensitive Data
CWE-345Insufficient Verification of Data Authenticity
CWE-346Origin Validation Error
CWE-602Client-Side Enforcement of Server-Side Security
Simple Script Injection
CWE-20Improper Input Validation
CWE-71Apple '.DS_Store'
CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-86Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-116Improper Encoding or Escaping of Output
CWE-184Incomplete Blacklist
CWE-348Use of Less Trusted Source
CWE-350Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-602Client-Side Enforcement of Server-Side Security
CWE-692
CWE-697Insufficient Comparison
CWE-713
Back to Top