Skip to main content
Skip table of contents

OWASP TOP 10 CWE Coverage

Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.

Overview

The Open Web Application Security Project (OWASP Top 10) is a standard awareness document for developers and web application security. It represents a broad consensus on web applications' most critical security risks.

This article organizes Common Weakness Enumerations (CWEs) relevant to OWASP Top 10 (2017 and 2021).

Each row in the tables below outlines a specific compliance standard, categorized by the following columns:

  1. Compliance Standard: The specific category of the standard to which the CWE is mapped.

  2. Languages: Supported programming languages.

  3. CWE-ID: The relevant CWE for this standard, along with a short description.

OWASP TOP 10 2017 CWE List

Compliance Standard

Languages

CWE-ID

A1: Injection

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • Apex

  • C#

  • C# Gen 2

  • C/C++ (Beta)

  • Cobol

  • ColdFusion

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • Python Gen 2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

A2: Broken Authentication

  • Java Gen 2

  • JavaScript / TypeScript Gen 2

  • PHP

  • CWE-346: Origin Validation Error

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-384: Session Fixation

A3: Sensitive Data Exposure

  • ASP Classic/Visual Basic/VBScript

  • Android Java

  • Apex

  • C#

  • C# Gen 2

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python Gen 2

  • R

  • Ruby

  • Swift

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • iOS Objective-C

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-798: Use of Hard-coded Credentials

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-918: Server-Side Request Forgery (SSRF)

  • CWE-1204: Generation of Weak Initialization Vector (IV)

A4: XML External Entities (XXE)

  • C#

  • C# Gen 2

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python Gen 2

  • R

  • VB.Net

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

A5: Broken Access Control

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# Gen 2

  • C/C++ (Beta)

  • ColdFusion

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • Python Gen 2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A6: Security Misconfiguration

  • Android Java

  • C# Gen 2

  • Java

  • Java Gen 2

  • JavaScript / TypeScript Gen 2

  • Swift

  • Xamarin (C#)

  • iOS Objective-C

  • CWE-319: Cleartext Transmission of Sensitive Information

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

A7: Cross-Site Scripting (XSS)

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • TypeScript

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A8: Insecure Deserialization

  • C#

  • C# Gen 2

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python Gen 2

  • VB.Net

  • Xamarin (C#)

  • CWE-502: Deserialization of Untrusted Data

A10: Insufficient Logging & Monitoring

  • Java Gen 2

  • CWE-532: Insertion of Sensitive Information into Log File

OWSAP TOP 10 2021 CWE List

Compliance-Standard

Languages

CWE-ID

A1: Broken Access Control

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • Android Java

  • C#

  • C# Gen 2

  • C/C++ (Beta)

  • ColdFusion

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • Python Gen 2

  • R

  • Ruby

  • Swift

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • iOS Objective-C

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-377: Insecure Temporary File

  • CWE-497: Exposure of System Data to an Unauthorized Control Sphere

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

A2: Cryptographic Failures

  • ASP Classic/Visual Basic/VBScript

  • Android Java

  • C#

  • C# Gen 2

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python Gen 2

  • Ruby

  • Swift

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • iOS Objective-C

  • CWE-319: Cleartext Transmission of Sensitive Information

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-322: Key Exchange without Entity Authentication

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-1204: Generation of Weak Initialization Vector (IV)

A3: Injection

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • Apex

  • C#

  • C# Gen 2

  • C/C++ (Beta)

  • Cobol

  • ColdFusion

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • Python Gen 2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CWE-15: External Control of System or Configuration Setting

  • CWE-20: Improper Input Validation

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement ('Expression Language Injection')

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

A4: Insecure Design

  • ASP Classic/Visual Basic/VBScript

  • Android Java

  • Apex

  • C#

  • C# Gen 2

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • R

  • Ruby

  • Swift

  • VB.Net

  • Xamarin (C#)

  • iOS Objective-C

  • CWE-73: External Control of File Name or Path

  • CWE-209: Information Exposure Through an Error Message

  • CWE-256: Plaintext Storage of a Password

  • CWE-312: Cleartext Storage of Sensitive Information

  • CWE-434: Unrestricted Upload of File with Dangerous Type

  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE-472: External Control of Assumed-Immutable Web Parameter

  • CWE-501: Trust Boundary Violation

  • CWE-598: Use of GET Request Method With Sensitive Query Strings

A5: Security Misconfiguration

  • Android Java

  • C#

  • C# Gen 2

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python Gen 2

  • R

  • Ruby

  • VB.Net

  • Xamarin (C#)

  • CWE-16: Configuration

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

A7: Identification and Authentication Failures

  • Android Java

  • Apex

  • C#

  • C# Gen 2

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python Gen 2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CWE-295: Improper Certificate Validation

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-346: Origin Validation Error

  • CWE-384: Session Fixation

  • CWE-798: Use of Hard-coded Credentials

A8: Software and Data Integrity Failures

  • C#

  • C# Gen 2

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python Gen 2

  • Ruby

  • VB.Net

  • Xamarin (C#)

  • CWE-502: Deserialization of Untrusted Data

  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

A9: Security Logging and Monitoring Failures

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# Gen 2

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • Python Gen 2

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CWE-117: Improper Output Neutralization for Logs

  • CWE-532: Insertion of Sensitive Information into Log File

A10: Server-Side Request Forgery (SSRF)

  • ASP Classic/Visual Basic/VBScript

  • Apex

  • C#

  • C# Gen 2

  • Go

  • Groovy

  • Java

  • Java Gen 2

  • JavaScript / Node.js

  • JavaScript / TypeScript Gen 2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python Gen 2

  • VB.Net

  • CWE-918: Server-Side Request Forgery (SSRF)

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close