Overview
The OWASP Top 10, published by the Open Web Application Security Project (OWASP), is a standard awareness document for developers and web application security practitioners. It represents a broad consensus on the most critical security risks to web applications.
This article organizes the Common Weakness Enumerations (CWEs) relevant to the OWASP Top 10 (2017 and 2021 editions).
Each row in the tables below describes one category of the standard, using the following columns:
Compliance Standard: The category of the standard to which the CWEs are mapped.
Languages: The programming languages for which the mapping is supported.
CWE-ID: The CWEs mapped to that category, each with its title.
OWASP TOP 10 2017 CWE List

| Compliance Standard | Languages | CWE-ID |
|---|---|---|
| A1: Injection | | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')<br>CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')<br>CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')<br>CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')<br>CWE-94: Improper Control of Generation of Code ('Code Injection')<br>CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')<br>CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')<br>CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')<br>CWE-943: Improper Neutralization of Special Elements in Data Query Logic<br>CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |
| A2: Broken Authentication | | CWE-346: Origin Validation Error<br>CWE-347: Improper Verification of Cryptographic Signature<br>CWE-384: Session Fixation |
| A3: Sensitive Data Exposure | | CWE-297: Improper Validation of Certificate with Host Mismatch<br>CWE-321: Use of Hard-coded Cryptographic Key<br>CWE-325: Missing Cryptographic Step<br>CWE-326: Inadequate Encryption Strength<br>CWE-327: Use of a Broken or Risky Cryptographic Algorithm<br>CWE-328: Use of Weak Hash<br>CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)<br>CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)<br>CWE-780: Use of RSA Algorithm without OAEP<br>CWE-798: Use of Hard-coded Credentials<br>CWE-916: Use of Password Hash With Insufficient Computational Effort<br>CWE-918: Server-Side Request Forgery (SSRF)<br>CWE-1204: Generation of Weak Initialization Vector (IV) |
| A4: XML External Entities (XXE) | | |
| A5: Broken Access Control | | |
| A6: Security Misconfiguration | | |
| A7: Cross-Site Scripting (XSS) | | |
| A8: Insecure Deserialization | | |
| A10: Insufficient Logging & Monitoring | | |
OWASP TOP 10 2021 CWE List

| Compliance Standard | Languages | CWE-ID |
|---|---|---|
| A1: Broken Access Control | | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br>CWE-59: Improper Link Resolution Before File Access ('Link Following')<br>CWE-200: Exposure of Sensitive Information to an Unauthorized Actor<br>CWE-377: Insecure Temporary File<br>CWE-497: Exposure of System Data to an Unauthorized Control Sphere<br>CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| A2: Cryptographic Failures | | CWE-319: Cleartext Transmission of Sensitive Information<br>CWE-321: Use of Hard-coded Cryptographic Key<br>CWE-322: Key Exchange without Entity Authentication<br>CWE-325: Missing Cryptographic Step<br>CWE-326: Inadequate Encryption Strength<br>CWE-327: Use of a Broken or Risky Cryptographic Algorithm<br>CWE-328: Use of Weak Hash<br>CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)<br>CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)<br>CWE-347: Improper Verification of Cryptographic Signature<br>CWE-780: Use of RSA Algorithm without OAEP<br>CWE-916: Use of Password Hash With Insufficient Computational Effort<br>CWE-1204: Generation of Weak Initialization Vector (IV) |
| A3: Injection | | CWE-15: External Control of System or Configuration Setting<br>CWE-20: Improper Input Validation<br>CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')<br>CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')<br>CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br>CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')<br>CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')<br>CWE-94: Improper Control of Generation of Code ('Code Injection')<br>CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')<br>CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')<br>CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')<br>CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement ('Expression Language Injection')<br>CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |
| A4: Insecure Design | | CWE-73: External Control of File Name or Path<br>CWE-209: Information Exposure Through an Error Message<br>CWE-312: Cleartext Storage of Sensitive Information<br>CWE-434: Unrestricted Upload of File with Dangerous Type<br>CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')<br>CWE-472: External Control of Assumed-Immutable Web Parameter<br>CWE-501: Trust Boundary Violation<br>CWE-598: Use of GET Request Method With Sensitive Query Strings |
| A5: Security Misconfiguration | | CWE-16: Configuration<br>CWE-611: Improper Restriction of XML External Entity Reference<br>CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute<br>CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')<br>CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag |
| A7: Identification and Authentication Failures | | CWE-295: Improper Certificate Validation<br>CWE-297: Improper Validation of Certificate with Host Mismatch<br>CWE-346: Origin Validation Error<br>CWE-384: Session Fixation<br>CWE-798: Use of Hard-coded Credentials |
| A8: Software and Data Integrity Failures | | |
| A9: Security Logging and Monitoring Failures | | |
| A10: Server-Side Request Forgery (SSRF) | | |