Threat Classes and related CWE numbers

The tables below list the threat classes that AppScan on Cloud (ASoC) tests for, one table per analysis type, together with the CWE identifiers related to each class. The mapping is many-to-many: a single CWE can appear under several threat classes (CWE-79 is listed under Abuse of Functionality, Content Spoofing, Cross-Site Scripting and SQL Injection in dynamic analysis), and the same class name can map to different CWEs in the dynamic and static tables (Integer Overflows is CWE-550 in Table 1 and CWE-190 in Table 2). Filter on CWE identifiers rather than on class names when comparing results across analysis types.

Table 1. Dynamic analysis

Threat class                                  CWE IDs (numeric order)
Abuse of Functionality                        10, 16, 20, 22, 74, 77, 78, 79, 98, 117, 200, 284, 288, 434, 441, 456, 472, 489, 494, 497, 522, 601, 610, 618, 829
Brute Force                                   204, 307, 340
Buffer Overflow                               119, 120, 189, 825
Content Spoofing                              74, 79, 327, 345, 359
Credential/Session Prediction                 330
Cross-Site Request Forgery                    352, 456
Cross-Site Scripting                          22, 59, 73, 79, 89, 94, 352, 456
Denial of Service                             20, 119, 310, 825
Directory Indexing                            20, 22, 200, 548
Format String                                 134
HTTP Request Splitting                        444
HTTP Response Splitting                       113
Information Leakage                           22, 118, 200, 264, 287, 299, 311, 352, 359, 472, 522, 523, 525, 538, 540, 550, 598, 602, 614, 615, 653, 693
Insecure Indexing                             612
Insufficient Authentication                   264, 287, 566, 862, 863
Insufficient Authorization                    264, 285, 565
Insufficient Session Expiration               539, 613
Insufficient Transport Layer Protection       296, 297, 298, 523
Integer Overflows                             550
LDAP Injection                                90
Mail Command Injection                        77
Null Byte Injection                           626
OS Commanding                                 20, 73, 77, 78, 264, 470
Path Traversal                                22, 94
Predictable Resource Location                 306, 531
Remote File Inclusion                         73, 94, 98, 99, 829
Server Misconfiguration                       16, 327
Session Fixation                              304, 384
SOAP Array Abuse                              120
SQL Injection                                 22, 79, 89, 94, 209
SSI Injection                                 78, 97
URL Redirector Abuse                          601
XML Attribute Blowup                          400
XML Entity Expansion                          400
XML External Entities                         200, 611
XML Injection                                 91
XPath Injection                               91
Table 2. Static analysis

Threat class                                  CWE IDs (numeric order)
Abuse of Functionality                        74, 98, 117, 242, 345, 367, 388, 398, 407, 447, 489, 517, 520, 543, 544, 586
Application Misconfiguration                  16, 778
Brute Force                                   310, 312, 325, 327, 331
Buffer Overflow                               120, 129, 131, 242
Content Spoofing                              113, 425
Credential/Session Prediction                 565
Cross-Site Scripting                          79, 352
Denial of Service                             382, 400, 404, 730
Format String                                 134
HTTP Request Splitting                        113
Improper Filesystem Permissions               264
Improper Input Handling                       15, 20, 74, 79, 95, 112, 130, 185, 390, 425, 434, 538, 569, 602, 624
Improper Output Handling                      109, 116, 925
Information Leakage                           20, 201, 209, 250, 300, 311
Insufficient Authentication                   255, 266, 287, 521, 522
Insufficient Authorization                    267, 288
Insufficient Process Validation               20
Insufficient Session Expiration               613
Insufficient Transport Layer Protection       295
Integer Overflows                             190
LDAP Injection                                90
Mail Command Injection                        74, 79
Malicious Content Tests                       470, 489, 506, 507, 511
OS Commanding                                 77, 78
Path Traversal                                73
SQL Injection                                 89
URL Redirector Abuse                          601
XML Injection                                 74, 91
XPath Injection                               643
Table 3. Mobile analysis (Deprecated)

Threat class                                  CWE IDs (numeric order)
M1: Weak Server Side Controls                 926, 927
M2: Insecure Data Storage                     275, 310, 359, 451, 522
M3: Insufficient Transport Layer Protection   79, 295, 296, 297, 300, 327, 490, 601, 754, 829
M4: Unintended Data Leakage                   592, 829
M5: Poor Authorization and Authentication     259, 321, 327, 338, 798
M7: Client Side Injection                     20, 74, 77, 88, 89, 112, 120, 134, 275, 427, 451, 470, 490, 506, 682, 754, 790, 829, 927
M8: Security Decisions Via Untrusted Inputs   927
M9: Improper Session Handling                 489, 693
M10: Lack of Binary Protections               489, 693, 829
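Because the tables map threat classes to CWEs but practitioners usually start from a CWE (a finding, a policy requirement, a CWE in a customer's risk register), the reverse index is what is needed in practice, and it has to cope with one CWE appearing under several classes. The following Python is an added example, not code from the ASoC documentation; it parses rows in the flattened "<threat class> <cwe>, <cwe>, ..." layout used on this page, builds the reverse index, reports CWEs that are ambiguous within a table, and checks whether a CWE is covered by dynamic analysis, static analysis, both or neither. The embedded rows are an excerpt copied from Table 1 and Table 2 as constructed input; the function names are this example's own.

```python
"""Invert the ASoC threat-class -> CWE tables and compare coverage.

Added example, not code from the ASoC documentation. The row strings below
are an excerpt copied from Table 1 and Table 2 on this page (constructed
input for the example), kept in the page's flattened
"<threat class> <cwe>, <cwe>, ..." layout so the parser works on that text.
"""
import re
from collections import defaultdict

# Excerpt of Table 1 (dynamic analysis) rows.
DYNAMIC_ROWS = """\
Abuse of Functionality 10, 117, 16, 20, 200, 22, 284, 288, 434, 441, 456, 472, 489, 494, 497, 522, 601, 610, 618, 74, 77, 78, 79, 829, 98
Content Spoofing 327, 345, 359, 74, 79
Cross-Site Scripting 22, 352, 456, 59, 73, 79, 89, 94
Integer Overflows 550
OS Commanding 20, 264, 470, 73, 77, 78
Path Traversal 22, 94
SQL Injection 209, 22, 79, 89, 94
XML Attribute Blowup 400
XML Entity Expansion 400
"""

# Excerpt of Table 2 (static analysis) rows.
STATIC_ROWS = """\
Cross-Site Scripting 352, 79
Denial of Service 382, 400, 404, 730
Improper Input Handling 112, 130, 15, 185, 20, 390, 425, 434, 538, 569, 602, 624, 74, 79, 95
Integer Overflows 190
OS Commanding 77, 78
Path Traversal 73
SQL Injection 89
"""

# A row is a free-text class name followed by a comma-separated run of integers.
ROW_RE = re.compile(r"^(?P<name>.+?)\s+(?P<cwes>\d+(?:\s*,\s*\d+)*)\s*$")


def parse_rows(text):
    """Parse flattened rows into {threat_class: set_of_cwe_ids}.

    IDs become ints, so the page's string-sorted lists ("10, 117, 16, 20")
    compare and sort numerically.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = ROW_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable row: {line!r}")
        ids = {int(n) for n in re.split(r"\s*,\s*", match.group("cwes"))}
        table[match.group("name")] = ids
    return table


def invert(table):
    """Reverse index {cwe_id: sorted threat classes}; one CWE may map to several."""
    index = defaultdict(set)
    for name, ids in table.items():
        for cwe in ids:
            index[cwe].add(name)
    return {cwe: sorted(names) for cwe, names in index.items()}


def classes_for_cwe(cwe, table):
    """Threat classes a finding with this CWE can be reported under ([] if none)."""
    return invert(table).get(cwe, [])


def ambiguous_cwes(table):
    """CWE ids listed under more than one threat class, ascending."""
    return sorted(cwe for cwe, names in invert(table).items() if len(names) > 1)


def coverage(cwe, dynamic, static):
    """Which analysis types list the CWE at all: subset of {'dynamic', 'static'}."""
    covered = set()
    if any(cwe in ids for ids in dynamic.values()):
        covered.add("dynamic")
    if any(cwe in ids for ids in static.values()):
        covered.add("static")
    return covered


DYNAMIC = parse_rows(DYNAMIC_ROWS)
STATIC = parse_rows(STATIC_ROWS)

if __name__ == "__main__":
    print("CWE-79 in dynamic excerpt:", classes_for_cwe(79, DYNAMIC))
    print("ambiguous in dynamic excerpt:", ambiguous_cwes(DYNAMIC))
    print("CWE-190 coverage:", coverage(190, DYNAMIC, STATIC))
    print("CWE-89 coverage:", coverage(89, DYNAMIC, STATIC))
```

Pasting the complete tables into the two strings gives the full reverse index. Even on the excerpt the ambiguity is visible: CWE-79 resolves to four dynamic threat classes, and CWE-400 to both XML Attribute Blowup and XML Entity Expansion, so a scanner finding cannot be turned back into a single class from its CWE alone. The coverage check also shows why class names are a poor join key: Integer Overflows is CWE-550 in the dynamic table and CWE-190 in the static one, so each of those CWEs is covered by only one analysis type.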