Access control enforced by presentation layer. Overview: Enforcing access control in the presentation layer means that the developer does not show...

Allowing password aging. Overview: Allowing password aging to occur unchecked can result in the possibility of diminished password integrity. ...

Authentication bypass by alternate name. Resource has multiple names and not all names are enforcing authentication when being accessed. ...

Comprehensive list of Threats to Authentication Procedures and Data. Background: There is a bewildering array of tricks, techniques, and...

Empty String Password. Abstract: Using an empty string as a password is insecure. Description: It is never appropriate to use an empty string...

Not allowing password aging. Overview: If no mechanism is in place for managing password aging, users will have no incentive to update passwords in...

Reflection attack in an auth protocol. Overview: Simple authentication protocols are subject to reflection attacks if a malicious user can use the...

Using password systems. Overview: The use of password systems as the primary means of authentication may be subject to several flaws or...

Using single-factor authentication. Overview: The use of single-factor authentication can lead to unnecessary risk of compromise when compared with...

Hardcoded Password. Abstract: Hardcoded passwords may compromise system security in a way that cannot be easily remedied. Description: It is...

Password Management: Weak Cryptography. Abstract: Obscuring a password with a trivial encoding does not protect the password. Description: ...

Using referer field for authentication or authorization. Overview: The referrer field (actually spelled 'referer') in HTTP requests can be easily...

Unsafe Mobile Code: Public finalize() Method. Abstract: The program violates secure coding principles for mobile code by declaring a...

Unsafe Mobile Code: Inner Class. Abstract: The program violates secure coding principles for mobile code by making use of an inner class. ...

Allowing External Setting Manipulation. Description: The application allows attackers to control its setting. This enables attackers to manipulate...

Early Amplification. Description: Allows a legitimate but expensive operation before the entity has proven that the operation should be allowed. ...

File Access Race Condition: TOCTOU. Abstract: The window of time between when a file property is checked and when the file is used can be exploited...

Insufficient privileges. ORA-01031: insufficient privileges ...

J2EE Misconfiguration: Weak Access Permissions. Abstract: Permission to invoke EJB methods should not be granted to the ANYONE role. ...

Least Privilege Violation. Abstract: The elevated privilege level required to perform operations such as chroot() should be dropped immediately...

Often Misused: Privilege Management. Abstract: Failure to adhere to the principle of least privilege amplifies the risk posed by other...

Unsafe Mobile Code: Access Violation. Abstract: The program violates secure coding principles for mobile code by returning a private array variable...

Unsafe Mobile Code: Dangerous Array Declaration. Abstract: The program violates secure coding principles for mobile code by declaring an array...

Unsafe Mobile Code: Dangerous Public Field. Abstract: The program violates secure coding principles for mobile code by declaring a member variable...

Password Plaintext Storage. Abstract: Storing a password in plaintext may result in a system compromise. Description: Password management...