
OWASP TOP 10 CWE Coverage

Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.

Overview

The OWASP Top 10, published by the Open Web Application Security Project (OWASP), is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

This article lists the Common Weakness Enumeration (CWE) entries that Mend SAST maps to each category of the OWASP Top 10, for both the 2017 and the 2021 editions. Categories to which no CWE is mapped (2017 A9: Using Components with Known Vulnerabilities, and 2021 A6: Vulnerable and Outdated Components) do not appear in the tables.

Each row in the tables below covers one OWASP Top 10 category, using the following columns:

  1. Compliance Standard: The OWASP Top 10 category to which the CWEs are mapped.

  2. CWE-ID: The CWEs mapped to that category, each with its CWE title.

OWASP TOP 10 2017 CWE List

Compliance Standard

CWE-ID

A1: Injection

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

A2: Broken Authentication

  • CWE-346: Origin Validation Error

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-384: Session Fixation

A3: Sensitive Data Exposure

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-798: Use of Hard-coded Credentials

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-918: Server-Side Request Forgery (SSRF)

  • CWE-1204: Generation of Weak Initialization Vector (IV)

A4: XML External Entities (XXE)

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

A5: Broken Access Control

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A6: Security Misconfiguration

  • CWE-319: Cleartext Transmission of Sensitive Information

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

A7: Cross-Site Scripting (XSS)

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A8: Insecure Deserialization

  • CWE-502: Deserialization of Untrusted Data

A10: Insufficient Logging & Monitoring

  • CWE-532: Insertion of Sensitive Information into Log File

OWASP TOP 10 2021 CWE List

Compliance Standard

CWE-ID

A1: Broken Access Control

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-377: Insecure Temporary File

  • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

A2: Cryptographic Failures

  • CWE-319: Cleartext Transmission of Sensitive Information

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-322: Key Exchange without Entity Authentication

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-1204: Generation of Weak Initialization Vector (IV)

A3: Injection

  • CWE-15: External Control of System or Configuration Setting

  • CWE-20: Improper Input Validation

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement ('Expression Language Injection')

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

A4: Insecure Design

  • CWE-73: External Control of File Name or Path

  • CWE-209: Generation of Error Message Containing Sensitive Information

  • CWE-256: Plaintext Storage of a Password

  • CWE-312: Cleartext Storage of Sensitive Information

  • CWE-434: Unrestricted Upload of File with Dangerous Type

  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE-472: External Control of Assumed-Immutable Web Parameter

  • CWE-501: Trust Boundary Violation

  • CWE-598: Use of GET Request Method With Sensitive Query Strings

A5: Security Misconfiguration

  • CWE-16: Configuration

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

A7: Identification and Authentication Failures

  • CWE-295: Improper Certificate Validation

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-346: Origin Validation Error

  • CWE-384: Session Fixation

  • CWE-798: Use of Hard-coded Credentials

A8: Software and Data Integrity Failures

  • CWE-502: Deserialization of Untrusted Data

  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

A9: Security Logging and Monitoring Failures

  • CWE-117: Improper Output Neutralization for Logs

  • CWE-532: Insertion of Sensitive Information into Log File

A10: Server-Side Request Forgery (SSRF)

  • CWE-918: Server-Side Request Forgery (SSRF)
