OWASP Top Ten 2021 Category A04:2021 - Insecure Design
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021.
The application stores sensitive information in cleartext in a file, or on disk.
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
The application stores sensitive information in cleartext in memory.
The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
The wrong "handler" is assigned to process an object.
The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sens...
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors.
The software allows user input to control or influence paths or file names that are used in filesystem operations.
The software generates an error message that includes sensitive information about its environment, users, or associated data.
The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in...
The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.
The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This...
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusio...
The application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, the...
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability.
The software does not encrypt sensitive or critical information before storage or transmission.
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are as...
Storing a password in plaintext may result in a system compromise.
The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attack...
The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the...
The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypas...
The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypte...
The product mixes trusted and untrusted data in the same data structure or structured message.
The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This mig...
The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
The Android application uses an implicit intent for transmitting sensitive data to other applications.
The web application uses persistent cookies, but the cookies contain sensitive information.
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is oft...
The product violates well-established principles for secure design.
Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in busine...
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.