WhiteHat SAST Vulnerability Classes

| WhiteHat Vulnerability Class | Description |
|---|---|
| Access.Administration.Interface | Application Misconfiguration: Exposed Axis Administration Servlet |
| Access.Analysis.Enabled | Binary Protection: Missing PT_DENY_ATTACH |
| Access.Bypass.Data | Insufficient Authorization: Autobinding |
| Access.Bypass.Method | Insufficient Authorization: Bypass Method |
| Access.Device.Id | Information Leakage: Unique Device ID |
| Access.Directory.Listing | Directory Indexing |
| Access.Directory.Traversal | Path Traversal |
| Access.Environment.Permission | Application Misconfiguration: Excessive Permissions |
| Access.Environment.Permission.Excessive | Application Misconfiguration: Excessive Permissions |
| Access.Html.Cors.Bypass | Code Quality: CORS Bypass |
| Access.Html.Cors.Permissive | Insufficient Authorization: CORS Policy |
| Access.Native.Unsafe | Unsafe Code Usage |
| Access.Native.Win32 | Application Code Execution: PHP Win32 Usage |
| Access.Role.Manipulation | Insufficient Authorization: Role Manipulation |
| Access.Strategy.None | Missing Access Strategy |
| Access.Verb.Tampering | Insufficient Authorization: HTTP Verb Tampering |
| Accountability.Logging.Insufficient | Insufficient Logging & Monitoring |
| Accountability.Logging.SensitiveData | Information Leakage: Logging |
| App.Cache.Leak | Information Leakage: NSURL Cache |
| Authentication.Impersonation.Ui.Redressing | UI Redressing: Clickjacking/Tapjacking |
| Authentication.Password.ClearText | Disclosure: Cleartext Password |
| Authentication.Password.Cleartext | Disclosure: Cleartext Password |
| Authentication.Password.Disclosure | Information Leakage: Password |
| Authentication.Password.HardCoded | Disclosure: Hardcoded Password |
| Authentication.Strategy.BasicAuthentication | Insufficient Authentication: Basic Authentication Usage |
| Availability.Regex.Dos | Denial of Service: Regex |
| Availability.Stream.ReadFile | Denial of Service: ReadFile |
| Availability.Stream.ReadLine | Denial of Service: ReadLine |
| CodeQuality.AutoCorrect.Information.Disclosure | Information Leakage: Keyboard Caching |
| CodeQuality.Conditional.Assignment | Code Quality: Conditional Assignment |
| CodeQuality.Conditional.Comparison | Code Quality: Conditional Comparison |
| CodeQuality.CopyPaste.Information.Disclosure | Information Leakage: Copy Paste |
| CodeQuality.Deprecated.Api | Code Quality: Deprecated API |
| CodeQuality.IpAddress.HardCoded | Code Quality: Hardcoded IP Address |
| CodeQuality.Memory.Overflow | Code Quality: Memory Overflow |
| CodeQuality.Project.Setting | Application Misconfiguration: GDPR Cookie Policy Missing |
| CodeQuality.Screenshot.Information.Disclosure | Information Leakage: Application Snapshots (Backgrounding) |
| Compliance.GDPR.CookiePolicy.Missing | Application Misconfiguration: GDPR Cookie Policy Missing |
| Cryptography.Algorithm.Asymmetric | Cryptography algorithm asymmetric |
| Cryptography.Algorithm.Custom | Cryptography: Custom Algorithm |
| Cryptography.Algorithm.KeySize | Cryptography algorithm keysize |
| Cryptography.Algorithm.Symmetric | Cryptography algorithm symmetric |
| Cryptography.Certificate.Expiration | Cryptography: Improper Certificate Expiration |
| Cryptography.Certificate.Validation | Cryptography: Improper Certificate Validation |
| Cryptography.Cipher.Insecure | Cryptography: Insecure Cipher |
| Cryptography.Cipher.Mode.Insecure | Cryptography: Insecure Cipher Mode |
| Cryptography.Cipher.Padding.Insecure | Cryptography: Insecure Cipher Padding |
| Cryptography.Cipher.Transformation.Insecure | Cryptography: Cipher Transformation Insecure |
| Cryptography.Digest.Insecure | Cryptography: Insecure Digest |
| Cryptography.Hash.Unsalted | Cryptography: Unsalted Hash |
| Cryptography.Iv.HardCoded | Cryptography: Hardcoded IV |
| Cryptography.Key.Cleartext | Cryptography: Cleartext Key |
| Cryptography.Key.HardCoded | Cryptography: Hardcoded Key |
| Cryptography.KeyLength.Insufficient | Cryptography keylength insufficient |
| Cryptography.Mac.Insecure | Cryptography: Insecure MAC |
| Cryptography.Persist.Ccn.Unencrypted | Insecure Data Storage: Unencrypted CCN |
| Cryptography.Persist.Cvv.Unencrypted | Insecure Data Storage: Unencrypted CVV |
| Cryptography.Persist.Password.Unhashed | Insecure Data Storage: Clear Text Password |
| Cryptography.Persist.Ssn.Unencrypted | Insecure Data Storage: Unencrypted SSN |
| Cryptography.Persist.Sso.Unencrypted | Insecure Data Storage: Unencrypted SSO Token |
| Cryptography.Prng.Insecure | Cryptography: Improper Pseudo-Random Number Generator Usage |
| Cryptography.Protocol.Insecure | Insufficient Transport Layer Protection |
| Cryptography.Provider.Undefined | Cryptography: Provider Undefined |
| Cryptography.Salt.HardCoded | Cryptography: Hardcoded Salt |
| Cryptography.Seed.HardCoded | Cryptography: Hardcoded Seed |
| Cryptography.Transit.Tls | Insufficient Transport Layer Protection |
| Dynamic.Compilation.Components | Dynamic compilation components |
| Error.Debug.Enabled | Application Misconfiguration: Debug |
| Error.Handler.Global | Application Misconfiguration: Global Error Handling Disabled |
| Error.Information.Disclosure | Information Leakage |
| Injection.Apple.Plist | Injection: Apple plist |
| Injection.Database.Hql | Injection: Hibernate Query Language |
| Injection.Database.Nosql.Mongodb | Injection: NoSQL Database |
| Injection.Database.Sql | SQL Injection |
| Injection.Database.SQLite | SQL Injection |
| Injection.Directory.Ldap | LDAP Injection |
| Injection.Environment.Reflection | Injection: Environment Reflection |
| Injection.Environment.Variable | Injection: Environment Variable |
| Injection.General | Injection: Unknown Interpreter |
| Injection.Net.File.Inclusion | Remote File Inclusion |
| Injection.Net.Ftp.Command | Injection: FTP Command |
| Injection.Net.Ftp.Url | Injection: FTP URL |
| Injection.Net.Http.Body | Cross Site Scripting |
| Injection.Net.Http.Header | Injection: HTTP Header |
| Injection.Net.Http.Header.Request | Injection: HTTP Request Splitting |
| Injection.Net.Http.Header.Response | Injection: HTTP Response Splitting |
| Injection.Net.Http.Request | Server Side Request Forgery |
| Injection.Net.Http.Session | Trust Boundary Violation: Session |
| Injection.Net.Http.Url | URL Redirector Abuse |
| Injection.Net.Mail | Mail Command Injection |
| Injection.Net.Sms | Injection: SMS |
| Injection.Net.Socket | Injection: Socket |
| Injection.Net.WebService.Body | Injection: Web Service |
| Injection.Os.Shell | OS Command Injection |
| Injection.Script.Eval | Injection: Code Execution |
| Injection.Xml.Entity.External | XML External Entity Injection |
| Injection.Xml.XPath | Injection: XPath |
| Insecure.Key.Derivation | Cryptography: Insecure Key Derivation |
| Insufficient.Session.Invalidation | Insufficient Session Expiration |
| MaliciousCode.Compilation.Source | Malicious Code: Compilation Source |
| MaliciousCode.Injection.ByteCode | Malicious Code: Injection Bytecode |
| MaliciousCode.Malware.Url | Malicious Code: Malware URL |
| Mobile.Access.IPC.InsecureActivity | Interprocess Communication: Insecure Activity |
| Mobile.BinaryProtection.InsufficientCodeObfuscation | Binary Protection: Insufficient Code Obfuscation |
| Mobile.BinaryProtection.JailbreakRoot.Detection | Binary Protection: Insufficient Jailbreak / Root Detection |
| Mobile.Injection.Database.SQL | SQL Injection - Client-Side |
| Mobile.iOS.NSCoding | Insecure NSCoding |
| Mobile.Platform.Configuration.DebugAttribute | Application Misconfiguration: Debug |
| Mobile.SensitiveData.Cache | Information Leakage: Application Cache |
| Mobile.SensitiveData.Plist.Storage | Insecure Data Storage: Plist |
| Non.Unique.Keys | Cryptography: Non-Unique Keys |
| Platform.Configuration.Android.BackupAllowed | Application Misconfiguration: Backup Allowed |
| Platform.Configuration.DotNet.AspNet.EnableHeaderChecking | Application Misconfiguration: Header Checking Disabled |
| Platform.Configuration.Php.CodeIgnite.CsrfProtectionDisabled | Application Misconfiguration: CSRF Protection Disabled |
| Platform.Configuration.Php.CodeIgnite.XssFilteringDisabled | Application Misconfiguration: XSS Filtering Disabled |
| Platform.Configuration.Php.Symfony.CsrfProtectionDisabled | Application Misconfiguration: CSRF Protection Disabled |
| Platform.Configuration.Php.Yii.CookieValidationDisabled | Application Misconfiguration: Cookie Validation Disabled |
| Platform.Configuration.Php.Yii.CsrfProtectionDisabled | Application Misconfiguration: CSRF Protection Disabled |
| Platform.Configuration.Xcode.ARC.Disabled | Application Misconfiguration: ARC Disabled |
| Platform.Configuration.Xcode.Position.Independent.Execution | Platform configuration xcode position independent execution |
| Platform.Configuration.Xcode.Symbols.Enabled | Application Misconfiguration: Debug |
| Platform.Deserialization.Unsafe | Unsafe Deserialization: Remote Code Execution |
| Platform.Library.Execution | Unvalidated Automatic Library Activation |
| Platform.Sanitization.Bypass | Platform sanitization bypass |
| Platform.UnpatchedLibrary | Unpatched Library |
| Rails.SessionStore.Insecure | Rails sessionstore insecure |
| SensitiveData.Ccn.Disclosure | Information Leakage: CCN |
| SensitiveData.Cvv.Disclosure | Information Leakage: CVV |
| SensitiveData.DeviceId.Disclosure | Information Leakage: Device ID |
| SensitiveData.InternalEnv.Disclosure | Information Leakage: Internal Environment |
| SensitiveData.Keychain.Storage | Insecure Data Storage: Keychain |
| SensitiveData.Location.Disclosure | Information Leakage: Location Disclosure |
| SensitiveData.Ssn.Disclosure | Information Leakage: SSN |
| SensitiveData.Sso.Disclosure | Information Leakage: SSO |
| SensitiveData.TransportLayer.Insecure | Insufficient Transport Layer Protection |
| Session.Flag.HttpOnly | Non-HttpOnly Session Cookie |
| Session.Flag.Secure | Unsecured Session Cookie |
| Session.Id.Disclosure | Information Leakage: Session ID |
| Session.Ssl.Unverified.Host | Insufficient Transport Layer Protection: Unverified SSL Host |
| Session.State.Disclosure | Information Leakage: Client Side Session State |
| Session.Timeout.Expiration | Insufficient Session Expiration |
| Session.Url.Rewriting | Information Leakage: Session ID |
| Stack.Smashing.Prot | Application Misconfiguration: Stack Smashing Protection Disabled |
| Technology.Apple.Xcode.Project.Settings | Application Misconfiguration: Xcode Settings |
| Validation.Mvc.Csrf.Missing | Validation mvc csrf missing |
| Validation.Url.Redirect | URL Redirector Abuse |
| WebService.AbuseOfFunc | Abuse of Functionality |
| WebService.Access.PRL | Predictable Resource Location |
| WebService.Crypto.TLS.HSTS | Insufficient Transport Layer Protection: HSTS |
| WebService.SensitiveData.BigIP.Disclosure | Information Leakage: BIG-IP |
| WebService.SensitiveData.GETRequest.Disclosure | Information Leakage: Sensitive Data Over GET |
| WebService.SensitiveData.Information.Leakage | Information Leakage: Sensitive Data |
| WebService.SensitiveData.IPAddress.Disclosure | Information Leakage: IP Address |
| WebService.SensitiveData.ServerVersion.Disclosure | Information Leakage: Server Version |
| WebServices.SensitiveData.Information.Disclosure | WebServices SensitiveData Information Disclosure |
| WebServices.SensitiveData.Information.Leakage | Information Leakage |
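The class identifiers above are dotted paths whose first segment is the family (Access, Injection, Cryptography, Session, ...), and the table contains two traps for anyone writing triage or suppression rules against them: some identifiers differ only in letter case (Authentication.Password.ClearText and Authentication.Password.Cleartext), and several distinct identifiers share one description (three classes map to "Insufficient Transport Layer Protection"). The following is an added example, not WhiteHat code, that parses these identifiers, groups them by family, matches them by whole-segment prefix case-insensitively, and flags the case collisions. SAMPLE_CLASSES is a constructed subset copied from the table; the parsing and matching rules are the example's own.

```python
"""Parse and match WhiteHat SAST vulnerability-class identifiers.

Added example, not WhiteHat's code. SAMPLE_CLASSES is a constructed subset of
(class id, description) pairs taken from the class table; the segment syntax
enforced by parse_class() is an assumption drawn from the ids in that table.
"""
from collections import Counter, defaultdict

# Constructed sample: a subset of rows from the class table on this page.
SAMPLE_CLASSES = [
    ("Access.Directory.Traversal", "Path Traversal"),
    ("Authentication.Password.ClearText", "Disclosure: Cleartext Password"),
    ("Authentication.Password.Cleartext", "Disclosure: Cleartext Password"),
    ("Cryptography.Protocol.Insecure", "Insufficient Transport Layer Protection"),
    ("Cryptography.Transit.Tls", "Insufficient Transport Layer Protection"),
    ("Injection.Database.Sql", "SQL Injection"),
    ("Injection.Database.SQLite", "SQL Injection"),
    ("Injection.Net.Http.Body", "Cross Site Scripting"),
    ("Injection.Xml.Entity.External", "XML External Entity Injection"),
    ("Session.Flag.HttpOnly", "Non-HttpOnly Session Cookie"),
    ("Session.Flag.Secure", "Unsecured Session Cookie"),
    ("SensitiveData.TransportLayer.Insecure", "Insufficient Transport Layer Protection"),
]


def parse_class(class_id):
    """Split a dotted class id into its segments.

    Every id in the table has at least two alphanumeric segments, so anything
    else is treated as malformed rather than silently matched.
    """
    parts = class_id.split(".")
    if len(parts) < 2 or any(not p or not p.isalnum() for p in parts):
        raise ValueError(f"malformed class id: {class_id!r}")
    return tuple(parts)


def family(class_id):
    """Top-level family, i.e. the first segment (Access, Injection, ...)."""
    return parse_class(class_id)[0]


def count_by_family(classes):
    """Number of classes per family, for a quick picture of what a scan covers."""
    return dict(Counter(family(cid) for cid, _ in classes))


def case_collisions(classes):
    """Ids that are distinct strings but identical case-insensitively.

    A rule keyed on one spelling silently misses findings tagged with the other,
    so compare ids case-insensitively or list both spellings explicitly.
    """
    seen = defaultdict(list)
    for cid, _ in classes:
        seen[cid.lower()].append(cid)
    return {k: v for k, v in seen.items() if len(v) > 1}


def classes_for_description(classes, description):
    """All ids that carry one description; a finding name is not a unique key."""
    return sorted(cid for cid, d in classes if d == description)


def matches(class_id, pattern):
    """Case-insensitive prefix match on whole segments.

    'Injection.Database' matches Injection.Database.SQLite but not a
    hypothetical Injection.DatabaseX.Foo, which a plain startswith() would hit.
    """
    have = [p.lower() for p in parse_class(class_id)]
    want = [p.lower() for p in pattern.split(".") if p]
    return bool(want) and have[: len(want)] == want


if __name__ == "__main__":
    print(count_by_family(SAMPLE_CLASSES))
    print(case_collisions(SAMPLE_CLASSES))
    print(classes_for_description(SAMPLE_CLASSES, "Insufficient Transport Layer Protection"))
```

Feed the full table into SAMPLE_CLASSES and case_collisions() will report the ClearText/Cleartext pair; classes_for_description() shows which ids to list when a policy is phrased in terms of a finding name rather than a class id.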

Technical Vulnerabilities Covered by SAST - OWASP 2017 Top 10

| Vulnerabilities | Description |
|---|---|
| A1 | Injection |
| A2 | Broken Authentication |
| A3 | Sensitive Data Exposure |
| A4 | XML External Entities (XXE) |
| A5 | Broken Access Control |
| A6 | Security Misconfiguration |
| A7 | Cross-Site Scripting (XSS) |
| A8 | Insecure Deserialization |
| A9 | Using Components with Known Vulnerabilities |
| A10 | Insufficient Logging & Monitoring |