Topic: Research Concepts MITRE Web Security Dictionary
#KingSkrupellos
Comment: #1
Research Concepts MITRE Web Security Dictionary
17.03.2020 00:00
1000 - Research Concepts Web Dictionary

www.cyberizm.org

Cyberizm Digital Security Army
1000 - Research Concepts
- Pillar: Improper Access Control - (284)
Exposed Chip Debug Interface With Insufficient Access Control - (1191)
Insufficient Granularity of Access Control - (1220)
* Variant: Insufficient Granularity of Address Regions Protected by Register Locks - (1222)
Improper Restriction of Write-Once Bit Fields - (1224)
Improper Implementation of Lock Protection Registers - (1231)
Inclusion of Undocumented Features or Chicken Bits - (1242)
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations - (1252)
- Class: Improper Privilege Management - (269)
Execution with Unnecessary Privileges - (250)
Incorrect Privilege Assignment - (266)
* Variant: Use of Web Link to Untrusted Target with window.opener Access - (1022)
* Variant: .NET Misconfiguration: Use of Impersonation - (520)
* Variant: ASP.NET Misconfiguration: Use of Identity Impersonation - (556)
* Variant: J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)
Privilege Defined With Unsafe Actions - (267)
* Variant: Unsafe ActiveX Control Marked Safe For Scripting - (623)
Privilege Chaining - (268)
Privilege Context Switching Error - (270)
- Class: Privilege Dropping / Lowering Errors - (271)
Least Privilege Violation - (272)
Improper Check for Dropped Privileges - (273)
Improper Handling of Insufficient Privileges - (274)
Incorrect Use of Privileged APIs - (648)
- Class: Improper Ownership Management - (282)
Unverified Ownership - (283)
Incorrect Ownership Assignment - (708)
- Class: Improper Authorization - (285)
Exposure of Sensitive Information Through Metadata - (1230)
* Variant: Exposure of Sensitive Information Through Data Queries - (202)
Improper Authorization of Index Containing Sensitive Information - (612)
Improper Authorization on Physical Debug and Test Interfaces - (1244)
Files or Directories Accessible to External Parties - (552)
- Variant: Storage of File with Sensitive Data Under Web Root - (219)
* Variant: Unparsed Raw Web Content Delivery - (433)
* Variant: Storage of File With Sensitive Data Under FTP Root - (220)
* Variant: Exposure of Version-Control Repository to an Unauthorized Control Sphere - (527)
* Variant: Exposure of Core Dump File to an Unauthorized Control Sphere - (528)
* Variant: Exposure of Access Control List Files to an Unauthorized Control Sphere - (529)
* Variant: Exposure of Backup File to an Unauthorized Control Sphere - (530)
* Variant: Use of Persistent Cookies Containing Sensitive Information - (539)
* Variant: Command Shell in Externally Accessible Directory - (553)
- Class: Incorrect Permission Assignment for Critical Resource - (732)
* Variant: Sensitive Cookie Without 'HttpOnly' Flag - (1004)
Incorrect Default Permissions - (276)
* Variant: Insecure Inherited Permissions - (277)
* Variant: Insecure Preserved Inherited Permissions - (278)
* Variant: Incorrect Execution-Assigned Permissions - (279)
Improper Preservation of Permissions - (281)
- Class: Missing Authorization - (862)
Direct Request ('Forced Browsing') - (425)
- Class: Not Using Complete Mediation - (638)
- Class: Improper Protection of Alternate Path - (424)
Direct Request ('Forced Browsing') - (425)
Improper Authorization in Handler for Custom URL Scheme - (939)
- Class: Incorrect Authorization - (863)
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)
Authorization Bypass Through User-Controlled Key - (639)
* Variant: Authorization Bypass Through User-Controlled SQL Primary Key - (566)
* Variant: Use of Non-Canonical URL Paths for Authorization Decisions - (647)
Guessable CAPTCHA - (804)
* Variant: Improper Export of Android Application Components - (926)
* Variant: Use of Implicit Intent for Sensitive Communication - (927)
- Class: Incorrect User Management - (286)
Placement of User into Incorrect Group - (842)
- Class: Improper Authentication - (287)
Weak Encoding for Password - (261)
Not Using Password Aging - (262)
Password Aging with Long Expiration - (263)
Authentication Bypass Using an Alternate Path or Channel - (288)
Direct Request ('Forced Browsing') - (425)
* Variant: Authentication Bypass by Alternate Name - (289)
Authentication Bypass by Spoofing - (290)
* Variant: Reliance on IP Address for Authentication - (291)
* Variant: Using Referer Field for Authentication - (293)
* Variant: Reliance on Reverse DNS Resolution for a Security-Critical Action - (350)
Authentication Bypass by Capture-replay - (294)
Improper Certificate Validation - (295)
Improper Following of a Certificate's Chain of Trust - (296)
* Variant: Improper Validation of Certificate with Host Mismatch - (297)
* Variant: Improper Validation of Certificate Expiration - (298)
Improper Check for Certificate Revocation - (299)
* Variant: Missing Check for Certificate Revocation after Initial Check - (370)
* Variant: Missing Validation of OpenSSL Certificate - (599)
* Variant: Reflection Attack in an Authentication Protocol - (301)
* Variant: Authentication Bypass by Assumed-Immutable Data - (302)
Incorrect Implementation of Authentication Algorithm - (303)
Missing Critical Step in Authentication - (304)
Authentication Bypass by Primary Weakness - (305)
Missing Authentication for Critical Function - (306)
Improper Restriction of Excessive Authentication Attempts - (307)
Use of Single-factor Authentication - (308)
Use of Password System for Primary Authentication - (309)
Weak Password Requirements - (521)
* Variant: Empty Password in Configuration File - (258)
- Class: Insufficiently Protected Credentials - (522)
Unprotected Storage of Credentials - (256)
Storing Passwords in a Recoverable Format - (257)
Password in Configuration File - (260)
* Variant: ASP.NET Misconfiguration: Password in Configuration File - (13)
* Variant: Empty Password in Configuration File - (258)
Unprotected Transport of Credentials - (523)
Missing Password Field Masking - (549)
* Variant: J2EE Misconfiguration: Plaintext Password in Configuration File - (555)
* Variant: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created - (593)
Use of Client-Side Authentication - (603)
Unverified Password Change - (620)
Weak Password Recovery Mechanism for Forgotten Password - (640)
Overly Restrictive Account Lockout Mechanism - (645)
Use of Hard-coded Credentials - (798)
* Variant: Use of Hard-coded Password - (259)
* Variant: Use of Hard-coded Cryptographic Key - (321)
Guessable CAPTCHA - (804)
Use of Password Hash Instead of Password for Authentication - (836)
Origin Validation Error - (346)
- Class: Improper Restriction of Communication Channel to Intended Endpoints - (923)
* Variant: Reliance on IP Address for Authentication - (291)
* Variant: Improper Validation of Certificate with Host Mismatch - (297)
* Class: Channel Accessible by Non-Endpoint - (300)
Key Exchange without Entity Authentication - (322)
* Variant: Reliance on Reverse DNS Resolution for a Security-Critical Action - (350)
Unprotected Primary Channel - (419)
Unprotected Alternate Channel - (420)
Race Condition During Access to Alternate Channel - (421)
* Variant: Unprotected Windows Messaging Channel ('Shatter') - (422)
* Variant: Improper Verification of Intent by Broadcast Receiver - (925)
Improper Verification of Source of a Communication Channel - (940)
Incorrectly Specified Destination in a Communication Channel - (941)
* Variant: Overly Permissive Cross-domain Whitelist - (942)
- Pillar: Improper Interaction Between Multiple Correctly-Behaving Entities - (435)
- Class: Insecure Automated Optimizations - (1038)
Processor Optimization Removal or Modification of Security-critical Code - (1037)
Compiler Optimization Removal or Modification of Security-critical Code - (733)
* Variant: Compiler Removal of Code to Clear Buffers - (14)
Reliance on Data/Memory Layout - (188)
Use of Incorrect Byte Ordering - (198)
- Class: Interpretation Conflict - (436)
Misinterpretation of Input - (115)
Incomplete Model of Endpoint Features - (437)
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') - (444)
* Variant: Null Byte Interaction Error (Poison Null Byte) - (626)
* Variant: Trusting HTTP Permission Methods on the Server Side - (650)
* Variant: Improper Neutralization of Invalid Characters in Identifiers in Web Pages - (86)
Behavioral Change in New Version or Environment - (439)
- Pillar: Improper Control of a Resource Through its Lifetime - (664)
- Class: Incorrect Access of Indexable Resource ('Range Error') - (118)
- Class: Improper Restriction of Operations within the Bounds of a Memory Buffer - (119)
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
* Variant: Use of Path Manipulation Function without Maximum-sized Buffer - (785)
Out-of-bounds Read - (125)
* Variant: Buffer Over-read - (126)
* Variant: Buffer Under-read - (127)
Return of Pointer Value Outside of Expected Range - (466)
* Chain: Integer Overflow to Buffer Overflow - (680)
Access of Memory Location Before Start of Buffer - (786)
Buffer Underwrite ('Buffer Underflow') - (124)
* Variant: Buffer Under-read - (127)
Out-of-bounds Write - (787)
* Variant: Stack-based Buffer Overflow - (121)
* Variant: Heap-based Buffer Overflow - (122)
Write-what-where Condition - (123)
Buffer Underwrite ('Buffer Underflow') - (124)
Access of Memory Location After End of Buffer - (788)
* Variant: Stack-based Buffer Overflow - (121)
* Variant: Heap-based Buffer Overflow - (122)
* Variant: Buffer Over-read - (126)
Buffer Access with Incorrect Length Value - (805)
* Variant: Buffer Access Using Size of Source Buffer - (806)
Untrusted Pointer Dereference - (822)
Use of Out-of-range Pointer Offset - (823)
Access of Uninitialized Pointer - (824)
Expired Pointer Dereference - (825)
* Variant: Double Free - (415)
* Variant: Use After Free - (416)
- Class: Creation of Emergent Resource - (1229)
- Class: Covert Channel - (514)
Covert Timing Channel - (385)
Covert Storage Channel - (515)
Improper Write Handling in Limited-write Non-Volatile Memories - (1246)
Improper Preservation of Consistency Between Independent Representations of Shared State - (1250)
Application-Level Admin Tool with Inconsistent View of Underlying Operating System - (1249)
Mirrored Regions with Different Values - (1251)
- Class: Information Loss or Omission - (221)
Truncation of Security-relevant Information - (222)
Omission of Security-relevant Information - (223)
Insufficient Logging - (778)
Obscured Security-relevant Information by Alternate Name - (224)
Product UI does not Warn User of Unsafe Actions - (356)
Declaration of Catch for Generic Exception - (396)
Declaration of Throws for Generic Exception - (397)
- Class: User Interface (UI) Misrepresentation of Critical Information - (451)
Insufficient Visual Distinction of Homoglyphs Presented to User - (1007)
Improper Restriction of Rendered UI Layers or Frames - (1021)
Incomplete Internal State Distinction - (372)
- Class: Uncontrolled Resource Consumption - (400)
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations - (1235)
Allocation of Resources Without Limits or Throttling - (770)
* Variant: Allocation of File Descriptors or Handles Without Limits or Throttling - (774)
* Variant: Uncontrolled Memory Allocation - (789)
Missing Reference to Active Allocated Resource - (771)
* Variant: Missing Reference to Active File Descriptor or Handle - (773)
Logging of Excessive Data - (779)
Improper Restriction of Power Consumption - (920)
- Class: Improper Resource Shutdown or Release - (404)
Not Using Password Aging - (262)
Password Aging with Long Expiration - (263)
Improper Check for Certificate Revocation - (299)
* Variant: Missing Check for Certificate Revocation after Initial Check - (370)
Incomplete Cleanup - (459)
Sensitive Information Uncleared in Resource Before Release for Reuse - (226)
* Variant: Improper Zeroization of Hardware Register - (1239)
* Variant: Improper Clearing of Heap Memory Before Release ('Heap Inspection') - (244)
Improper Cleanup on Thrown Exception - (460)
* Variant: finalize() Method Without super.finalize() - (568)
Release of Invalid Pointer or Reference - (763)
* Variant: Free of Pointer not at Start of Buffer - (761)
- Variant: Mismatched Memory Management Routines - (762)
* Variant: Free of Memory not on the Heap - (590)
Missing Release of Resource after Effective Lifetime - (772)
Use of Object without Invoking Destructor Method - (1091)
* Variant: Missing Release of Memory after Effective Lifetime - (401)
* Variant: Missing Release of File Descriptor or Handle after Effective Lifetime - (775)
- Class: Asymmetric Resource Consumption (Amplification) - (405)
Excessive Platform Resource Consumption within a Loop - (1050)
Data Resource Access without Use of Connection Pooling - (1072)
Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses - (1073)
Invokable Control Element with Excessive File or Data Access Operations - (1084)
Large Data Table with Excessive Number of Indices - (1089)
Excessive Index Range Scan for a Data Resource - (1094)
- Class: Inefficient CPU Computation - (1176)
* Variant: Static Member Data Element outside of a Singleton Class Element - (1042)
Creation of Immutable Text Using String Concatenation - (1046)
Excessive Data Query Operations in a Large Data Table - (1049)
Creation of Class Instance within a Static Code Block - (1063)
Excessive Execution of Sequential Searches of Data Resource - (1067)
* Class: Insufficient Control of Network Message Volume (Network Amplification) - (406)
* Class: Inefficient Algorithmic Complexity - (407)
Incorrect Behavior Order: Early Amplification - (408)
Improper Handling of Highly Compressed Data (Data Amplification) - (409)
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') - (776)
Insufficient Resource Pool - (410)
Modification of Assumed-Immutable Data (MAID) - (471)
* Variant: Reliance on IP Address for Authentication - (291)
External Control of Assumed-Immutable Web Parameter - (472)
* Variant: PHP External Variable Modification - (473)
* Variant: Public Static Final Field References Mutable Object - (607)
Reliance on Package-level Scope - (487)
Exposure of Data Element to Wrong Session - (488)
* Variant: Private Data Structure Returned From A Public Method - (495)
* Variant: Public Data Assigned to Private Array-Typed Field - (496)
* Variant: Cloneable Class Containing Sensitive Information - (498)
* Variant: Serializable Class Containing Sensitive Data - (499)
Trust Boundary Violation - (501)
* Variant: clone() Method Without super.clone() - (580)
- Class: Externally Controlled Reference to a Resource in Another Sphere - (610)
External Control of System or Configuration Setting - (15)
* Composite: Session Fixation - (384)
- Class: Unintended Proxy or Intermediary ('Confused Deputy') - (441)
Improper Restriction of Rendered UI Layers or Frames - (1021)
Server-Side Request Forgery (SSRF) - (918)
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - (470)
URL Redirection to Untrusted Site ('Open Redirect') - (601)
Improper Restriction of XML External Entity Reference - (611)
External Control of File Name or Path - (73)
- Class: Improper Synchronization - (662)
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element - (1058)
Use of a Non-reentrant Function in a Concurrent Context - (663)
* Variant: Signal Handler Use of a Non-reentrant Function - (479)
* Variant: Use of getlogin() in Multithreaded Application - (558)
- Class: Improper Locking - (667)
Improper Lock Behavior After Power State Transition - (1232)
Improper Hardware Lock Protection for Security Sensitive Controls - (1233)
Hardware Internal or Debug Modes Allow Override of Locks - (1234)
Unrestricted Externally Accessible Lock - (412)
Improper Resource Locking - (413)
* Variant: Sensitive Data Storage in Improperly Locked Memory - (591)
Missing Lock Check - (414)
Double-Checked Locking - (609)
Multiple Locks of a Critical Resource - (764)
Multiple Unlocks of a Critical Resource - (765)
Unlock of a Resource that is not Locked - (832)
Deadlock - (833)
Missing Synchronization - (820)
* Variant: Singleton Class Instance Creation without Proper Locking or Synchronization - (1096)
* Variant: Use of Singleton Pattern Without Synchronization in a Multithreaded Context - (543)
Unsynchronized Access to Shared Data in a Multithreaded Context - (567)
Incorrect Synchronization - (821)
Synchronous Access of Remote Resource without Timeout - (1088)
* Variant: Call to Thread run() instead of start() - (572)
* Variant: EJB Bad Practices: Use of Synchronization Primitives - (574)
- Class: Improper Initialization - (665)
Initialization with Hard-Coded Network Resource Configuration Data - (1051)
Excessive Use of Hard-Coded Literals in Initialization - (1052)
Insecure Default Initialization of Resource - (1188)
Incorrect Register Defaults or Module Parameters - (1221)
External Initialization of Trusted Variables or Data Stores - (454)
Non-exit on Failed Initialization - (455)
Allocation of Resources Without Limits or Throttling - (770)
Use of Uninitialized Resource - (908)
Missing Initialization of Resource - (909)
+ Class: Operation on Resource in Wrong Phase of Lifetime - (666)
+ Class: Exposure of Resource to Wrong Sphere - (668)
+ Class: Incorrect Resource Transfer Between Spheres - (669)
+ Class: External Influence of Sphere Definition - (673)
+ Class: Incorrect Type Conversion or Cast - (704)
+ Class: Use of Incorrectly-Resolved Name or Reference - (706)
Exposed Dangerous Method or Function - (749)
Improper Update of Reference Count - (911)
+ Class: Improper Control of Dynamically-Managed Code Resources - (913)
+ Class: Insecure Storage of Sensitive Information - (922)
+ Pillar: Incorrect Calculation - (682)
+ Pillar: Insufficient Control Flow Management - (691)
+ Pillar: Protection Mechanism Failure - (693)
+ Pillar: Incorrect Comparison - (697)
+ Pillar: Improper Check or Handling of Exceptional Conditions - (703)
+ Pillar: Improper Neutralization - (707)
+ Pillar: Improper Adherence to Coding Standards - (710)
Source: cwe.mitre.org/data/definitions/1000.html
(This topic was last edited on 17.03.2020 at 00:01. Edited by: KingSkrupellos.)