OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021.
Debugging messages help attackers learn about the system and plan a form of attack.
The ASP.NET application does not use, or incorrectly uses, the model validation framework.
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource, making them an easy target for attac...
The application stores sensitive information in cleartext in a cookie.
Environment variables may contain sensitive information about a remote server.
One or more system settings or configuration elements can be externally controlled by a user.
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursiv...
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product...
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.
The software does not return custom error pages to the user, possibly exposing sensitive information.
Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms ...
The software stores a password in a configuration file that might be accessible to actors who do not know the password.
The software uses a cross-domain policy file that includes domains that should not be trusted.
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or sec...
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during un...
Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.
Deprecated or Obsolete
Weaknesses in this category are typically introduced during the configuration of the software.
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.