ASDR TOC Vulnerabilities


 * 1) Access control enforced by presentation layer
 * 2) Addition of data-structure sentinel
 * 3) Allowing password aging
 * 4) ASP.NET Misconfigurations
 * 5) Assigning instead of comparing
 * 6) Authentication Bypass via Assumed-Immutable Data
 * 7) Buffer Overflow
 * 8) Buffer underwrite
 * 9) Business logic vulnerability
 * 10) Capture-replay
 * 11) Catch NullPointerException
 * 12) Comparing classes by name
 * 13) Comparing instead of assigning
 * 14) Comprehensive list of Threats to Authentication Procedures and Data
 * 15) Covert timing channel
 * 16) CRLF Injection
 * 17) Cross Site Scripting Flaw
 * 18) Dangerous Function
 * 19) Deletion of data-structure sentinel
 * 20) Deserialization of untrusted data
 * 21) Directory Restriction Error
 * 22) Double Free
 * 23) Doubly freeing memory
 * 24) Duplicate key in associative list (alist)
 * 25) Empty Catch Block
 * 26) Empty String Password
 * 27) Failure of true random number generator
 * 28) Failure to account for default case in switch
 * 29) Failure to add integrity check value
 * 30) Failure to check for certificate revocation
 * 31) Failure to check integrity check value
 * 32) Failure to check whether privileges were dropped successfully
 * 33) Failure to deallocate data
 * 34) Failure to drop privileges when reasonable
 * 35) Failure to encrypt data
 * 36) Failure to follow chain of trust in certificate validation
 * 37) Failure to follow guideline/specification
 * 38) Failure to protect stored data from modification
 * 39) Failure to provide confidentiality for stored data
 * 40) Failure to validate certificate expiration
 * 41) Failure to validate host-specific certificate data
 * 42) File Access Race Condition: TOCTOU
 * 43) Format String
 * 44) Guessed or visible temporary file
 * 45) Hard-Coded Password
 * 46) Heap Inspection
 * 47) Heap overflow
 * 48) HTTP Parameter Pollution
 * 49) Ignored function return value
 * 50) Illegal Pointer Value
 * 51) Improper cleanup on thrown exception
 * 52) Improper Data Validation
 * 53) Improper error handling
 * 54) Improper string length checking
 * 55) Improper temp file opening
 * 56) Incorrect block delimitation
 * 57) Information Leakage
 * 58) Information leak through class cloning
 * 59) Information leak through serialization
 * 60) Injection problem
 * 61) Insecure Compiler Optimization
 * 62) Insecure Randomness
 * 63) Insecure Temporary File
 * 64) Insecure Third Party Domain Access
 * 65) Insecure Transport
 * 66) Insufficient Entropy
 * 67) Insufficient entropy in pseudo-random number generator
 * 68) Insufficient Session-ID Length
 * 69) Integer coercion error
 * 70) Integer overflow
 * 71) Invoking untrusted mobile code
 * 72) J2EE Misconfiguration: Unsafe Bean Declaration
 * 73) Key exchange without entity authentication
 * 74) Least Privilege Violation
 * 75) Leftover Debug Code
 * 76) Log Forging
 * 77) Log injection
 * 78) Member Field Race Condition
 * 79) Memory leak
 * 80) Miscalculated null termination
 * 81) Misinterpreted function return value
 * 82) Missing Error Handling
 * 83) Missing parameter
 * 84) Missing XML Validation
 * 85) Mutable object returned
 * 86) Non-cryptographic pseudo-random number generator
 * 87) Not allowing password aging
 * 88) Not using a random initialization vector with cipher block chaining mode
 * 89) Null Dereference
 * 90) Object Model Violation: Just One of equals and hashCode Defined
 * 91) Often Misused: Authentication
 * 92) Often Misused: Exception Handling
 * 93) Often Misused: File System
 * 94) Often Misused: Privilege Management
 * 95) Often Misused: String Management
 * 96) Omitted break statement
 * 97) Open forward
 * 98) Open redirect
 * 99) Overflow of static internal buffer
 * 100) Overly-Broad Catch Block
 * 101) Overly-Broad Throws Declaration
 * 102) Passing mutable objects to an untrusted method
 * 103) Password Management: Hardcoded Password
 * 104) Password Management: Weak Cryptography
 * 105) Password Plaintext Storage
 * 106) PHP File Inclusion
 * 107) Poor Logging Practice
 * 108) Portability Flaw
 * 109) Privacy Violation
 * 110) PRNG Seed Error
 * 111) Process Control
 * 112) Publicizing of private data when using inner classes
 * 113) Race Conditions
 * 114) Reflection attack in an auth protocol
 * 115) Reflection injection
 * 116) Relative path library search
 * 117) Reliance on data layout
 * 118) Relying on package-level scope
 * 119) Resource exhaustion
 * 120) Return Inside Finally Block
 * 121) Reusing a nonce, key pair in encryption
 * 122) Session_Fixation
 * 123) Sign extension error
 * 124) Signed to unsigned conversion error
 * 125) Stack overflow
 * 126) State synchronization error
 * 127) Storing passwords in a recoverable format
 * 128) String Termination Error
 * 129) Symbolic name not mapping to correct object
 * 130) Template:Vulnerability
 * 131) Truncation error
 * 132) Trust Boundary Violation
 * 133) Trust of system event data
 * 134) Trusting self-reported DNS name
 * 135) Trusting self-reported IP address
 * 136) Uncaught exception
 * 137) Unchecked array indexing
 * 138) Unchecked Return Value: Missing Check against Null
 * 139) Undefined Behavior
 * 140) Uninitialized Variable
 * 141) Unintentional pointer scaling
 * 142) Unreleased Resource
 * 143) Unrestricted File Upload
 * 144) Unsafe function call from a signal handler
 * 145) Unsafe JNI
 * 146) Unsafe Mobile Code
 * 147) Unsafe Reflection
 * 148) Unsigned to signed conversion error
 * 149) Use of hard-coded password
 * 150) Use of Obsolete Methods
 * 151) Use of sizeof on a pointer type
 * 152) Using a broken or risky cryptographic algorithm
 * 153) Using a key past its expiration date
 * 154) Using freed memory
 * 155) Using password systems
 * 156) Using referer field for authentication or authorization
 * 157) Using single-factor authentication
 * 158) Using the wrong operator
 * 159) Validation performed in client
 * 160) Wrap-around error
 * 161) Write-what-where condition