OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021.
Weaknesses
Debugging messages help attackers learn about the system and plan a form of attack.
The ASP.NET application does not use, or incorrectly uses, the model validation framework.
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attac...
The product stores sensitive information in cleartext in a cookie.
The product uses an environment variable to store unencrypted sensitive information.
One or more system settings or configuration elements can be externally controlled by a user.
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive...
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product ...
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.
The product does not return custom error pages to the user, possibly exposing sensitive information.
Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms ...
The product stores a password in a configuration file that might be accessible to actors who do not know the password.
The product uses a cross-domain policy file that includes domains that should not be trusted.
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or sec...
Categories
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during un...
Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.
Deprecated or Obsolete
Weaknesses in this category are typically introduced during the configuration of the software.
Concepts
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.