OWASP Top Ten 2021 Category A04:2021 - Insecure Design

The product stores sensitive information in cleartext in a file, or on disk.

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

The product stores sensitive information in cleartext in memory.

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

The wrong "handler" is assigned to process an object.

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sens...

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

The product allows user input to control or influence paths or file names that are used in filesystem operations.

The product generates an error message that includes sensitive information about its environment, users, or associated data.

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in ...

The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may...

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusio...

The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but i...

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.

The product does not encrypt sensitive or critical information before storage or transmission.

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are as...

Storing a password in plaintext may result in a system compromise.

The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attacke...

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the ...

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses ...

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypte...

The product mixes trusted and untrusted data in the same data structure or structured message.

The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This mig...

The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

The Android application uses an implicit intent for transmitting sensitive data to other applications.

The web application uses persistent cookies, but the cookies contain sensitive information.

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is oft...

The product violates well-established principles for secure design.

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in busine...

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.