WhiteHat SAST Vulnerability Classes

| WhiteHat Vulnerability Class | Description |
|---|---|
| Access.Administration.Interface | Application Misconfiguration: Exposed Axis Administration Servlet |
| Access.Analysis.Enabled | Binary Protection: Missing PT_DENY_ATTACH |
| Access.Bypass.Data | Insufficient Authorization: Autobinding |
| Access.Bypass.Method | Insufficient Authorization: Bypass Method |
| Access.Device.Id | Information Leakage: Unique Device ID |
| Access.Directory.Listing | Directory Indexing |
| Access.Directory.Traversal | Path Traversal |
| Access.Environment.Permission | Application Misconfiguration: Excessive Permissions |
| Access.Environment.Permission.Excessive | Application Misconfiguration: Excessive Permissions |
| Access.Html.Cors.Bypass | Code Quality: CORS Bypass |
| Access.Html.Cors.Permissive | Insufficient Authorization: CORS Policy |
| Access.Native.Unsafe | Unsafe Code Usage |
| Access.Native.Win32 | Application Code Execution: PHP Win32 Usage |
| Access.Role.Manipulation | Insufficient Authorization: Role Manipulation |
| Access.Strategy.None | Missing Access Strategy |
| Access.Verb.Tampering | Insufficient Authorization: HTTP Verb Tampering |
| Accountability.Logging.Insufficient | Insufficient Logging & Monitoring |
| Accountability.Logging.SensitiveData | Information Leakage: Logging |
| App.Cache.Leak | Information Leakage: NSURL Cache |
| Authentication.Impersonation.Ui.Redressing | UI Redressing: Clickjacking/Tapjacking |
| Authentication.Password.ClearText | Disclosure: Cleartext Password |
| Authentication.Password.Cleartext | Disclosure: Cleartext Password |
| Authentication.Password.Disclosure | Information Leakage: Password |
| Authentication.Password.HardCoded | Disclosure: Hardcoded Password |
| Authentication.Strategy.BasicAuthentication | Insufficient Authentication: Basic Authentication Usage |
| Availability.Regex.Dos | Denial of Service: Regex |
| Availability.Stream.ReadFile | Denial of Service: ReadFile |
| Availability.Stream.ReadLine | Denial of Service: ReadLine |
| CodeQuality.AutoCorrect.Information.Disclosure | Information Leakage: Keyboard Caching |
| CodeQuality.Conditional.Assignment | Code Quality: Conditional Assignment |
| CodeQuality.Conditional.Comparison | Code Quality: Conditional Comparison |
| CodeQuality.CopyPaste.Information.Disclosure | Information Leakage: Copy Paste |
| CodeQuality.Deprecated.Api | Code Quality: Deprecated API |
| CodeQuality.IpAddress.HardCoded | Code Quality: Hardcoded IP Address |
| CodeQuality.Memory.Overflow | Code Quality: Memory Overflow |
| CodeQuality.Project.Setting | Application Misconfiguration: GDPR Cookie Policy Missing |
| CodeQuality.Screenshot.Information.Disclosure | Information Leakage: Application Snapshots (Backgrounding) |
| Compliance.GDPR.CookiePolicy.Missing | Application Misconfiguration: GDPR Cookie Policy Missing |
| Cryptography.Algorithm.Asymmetric | Cryptography algorithm asymmetric |
| Cryptography.Algorithm.Custom | Cryptography: Custom Algorithm |
| Cryptography.Algorithm.KeySize | Cryptography algorithm keysize |
| Cryptography.Algorithm.Symmetric | Cryptography algorithm symmetric |
| Cryptography.Certificate.Expiration | Cryptography: Improper Certificate Expiration |
| Cryptography.Certificate.Validation | Cryptography: Improper Certificate Validation |
| Cryptography.Cipher.Insecure | Cryptography: Insecure Cipher |
| Cryptography.Cipher.Mode.Insecure | Cryptography: Insecure Cipher Mode |
| Cryptography.Cipher.Padding.Insecure | Cryptography: Insecure Cipher Padding |
| Cryptography.Cipher.Transformation.Insecure | Cryptography: Cipher Transformation Insecure |
| Cryptography.Digest.Insecure | Cryptography: Insecure Digest |
| Cryptography.Hash.Unsalted | Cryptography: Unsalted Hash |
| Cryptography.Iv.HardCoded | Cryptography: Hardcoded IV |
| Cryptography.Key.Cleartext | Cryptography: Cleartext Key |
| Cryptography.Key.HardCoded | Cryptography: Hardcoded Key |
| Cryptography.KeyLength.Insufficient | Cryptography keylength insufficient |
| Cryptography.Mac.Insecure | Cryptography: Insecure MAC |
| Cryptography.Persist.Ccn.Unencrypted | Insecure Data Storage: Unencrypted CCN |
| Cryptography.Persist.Cvv.Unencrypted | Insecure Data Storage: Unencrypted CVV |
| Cryptography.Persist.Password.Unhashed | Insecure Data Storage: Clear Text Password |
| Cryptography.Persist.Ssn.Unencrypted | Insecure Data Storage: Unencrypted SSN |
| Cryptography.Persist.Sso.Unencrypted | Insecure Data Storage: Unencrypted SSO Token |
| Cryptography.Prng.Insecure | Cryptography: Improper Pseudo-Random Number Generator Usage |
| Cryptography.Protocol.Insecure | Insufficient Transport Layer Protection |
| Cryptography.Provider.Undefined | Cryptography: Provider Undefined |
| Cryptography.Salt.HardCoded | Cryptography: Hardcoded Salt |
| Cryptography.Seed.HardCoded | Cryptography: Hardcoded Seed |
| Cryptography.Transit.Tls | Insufficient Transport Layer Protection |
| Dynamic.Compilation.Components | Dynamic compilation components |
| Error.Debug.Enabled | Application Misconfiguration: Debug |
| Error.Handler.Global | Application Misconfiguration: Global Error Handling Disabled |
| Error.Information.Disclosure | Information Leakage |
| Injection.Apple.Plist | Injection: Apple plist |
| Injection.Database.Hql | Injection: Hibernate Query Language |
| Injection.Database.Nosql.Mongodb | Injection: NoSQL Database |
| Injection.Database.Sql | SQL Injection |
| Injection.Database.SQLite | SQL Injection |
| Injection.Directory.Ldap | LDAP Injection |
| Injection.Environment.Reflection | Injection: Environment Reflection |
| Injection.Environment.Variable | Injection: Environment Variable |
| Injection.General | Injection: Unknown Interpreter |
| Injection.Net.File.Inclusion | Remote File Inclusion |
| Injection.Net.Ftp.Command | Injection: FTP Command |
| Injection.Net.Ftp.Url | Injection: FTP URL |
| Injection.Net.Http.Body | Cross Site Scripting |
| Injection.Net.Http.Header | Injection: HTTP Header |
| Injection.Net.Http.Header.Request | Injection: HTTP Request Splitting |
| Injection.Net.Http.Header.Response | Injection: HTTP Response Splitting |
| Injection.Net.Http.Request | Server Side Request Forgery |
| Injection.Net.Http.Session | Trust Boundary Violation: Session |
| Injection.Net.Http.Url | URL Redirector Abuse |
| Injection.Net.Mail | Mail Command Injection |
| Injection.Net.Sms | Injection: SMS |
| Injection.Net.Socket | Injection: Socket |
| Injection.Net.WebService.Body | Injection: Web Service |
| Injection.Os.Shell | OS Command Injection |
| Injection.Script.Eval | Injection: Code Execution |
| Injection.Xml.Entity.External | XML External Entity Injection |
| Injection.Xml.XPath | Injection: XPath |
| Insecure.Key.Derivation | Cryptography: Insecure Key Derivation |
| Insufficient.Session.Invalidation | Insufficient Session Expiration |
| MaliciousCode.Compilation.Source | Malicious Code: Compilation Source |
| MaliciousCode.Injection.ByteCode | Malicious Code: Injection Bytecode |
| MaliciousCode.Malware.Url | Malicious Code: Malware URL |
| Mobile.Access.IPC.InsecureActivity | Interprocess Communication: Insecure Activity |
| Mobile.BinaryProtection.InsufficientCodeObfuscation | Binary Protection: Insufficient Code Obfuscation |
| Mobile.BinaryProtection.JailbreakRoot.Detection | Binary Protection: Insufficient Jailbreak / Root Detection |
| Mobile.Injection.Database.SQL | SQL Injection - Client-Side |
| Mobile.iOS.NSCoding | Insecure NSCoding |
| Mobile.Platform.Configuration.DebugAttribute | Application Misconfiguration: Debug |
| Mobile.SensitiveData.Cache | Information Leakage: Application Cache |
| Mobile.SensitiveData.Plist.Storage | Insecure Data Storage: Plist |
| Non.Unique.Keys | Cryptography: Non-Unique Keys |
| Platform.Configuration.Android.BackupAllowed | Application Misconfiguration: Backup Allowed |
| Platform.Configuration.DotNet.AspNet.EnableHeaderChecking | Application Misconfiguration: Header Checking Disabled |
| Platform.Configuration.Php.CodeIgnite.CsrfProtectionDisabled | Application Misconfiguration: CSRF Protection Disabled |
| Platform.Configuration.Php.CodeIgnite.XssFilteringDisabled | Application Misconfiguration: XSS Filtering Disabled |
| Platform.Configuration.Php.Symfony.CsrfProtectionDisabled | Application Misconfiguration: CSRF Protection Disabled |
| Platform.Configuration.Php.Yii.CookieValidationDisabled | Application Misconfiguration: Cookie Validation Disabled |
| Platform.Configuration.Php.Yii.CsrfProtectionDisabled | Application Misconfiguration: CSRF Protection Disabled |
| Platform.Configuration.Xcode.ARC.Disabled | Application Misconfiguration: ARC Disabled |
| Platform.Configuration.Xcode.Position.Independent.Execution | Platform configuration xcode position independent execution |
| Platform.Configuration.Xcode.Symbols.Enabled | Application Misconfiguration: Debug |
| Platform.Deserialization.Unsafe | Unsafe Deserialization: Remote Code Execution |
| Platform.Library.Execution | Unvalidated Automatic Library Activation |
| Platform.Sanitization.Bypass | Platform sanitization bypass |
| Platform.UnpatchedLibrary | Unpatched Library |
| Rails.SessionStore.Insecure | Rails sessionstore insecure |
| SensitiveData.Ccn.Disclosure | Information Leakage: CCN |
| SensitiveData.Cvv.Disclosure | Information Leakage: CVV |
| SensitiveData.DeviceId.Disclosure | Information Leakage: Device ID |
| SensitiveData.InternalEnv.Disclosure | Information Leakage: Internal Environment |
| SensitiveData.Keychain.Storage | Insecure Data Storage: Keychain |
| SensitiveData.Location.Disclosure | Information Leakage: Location Disclosure |
| SensitiveData.Ssn.Disclosure | Information Leakage: SSN |
| SensitiveData.Sso.Disclosure | Information Leakage: SSO |
| SensitiveData.TransportLayer.Insecure | Insufficient Transport Layer Protection |
| Session.Flag.HttpOnly | Non-HttpOnly Session Cookie |
| Session.Flag.Secure | Unsecured Session Cookie |
| Session.Id.Disclosure | Information Leakage: Session ID |
| Session.Ssl.Unverified.Host | Insufficient Transport Layer Protection: Unverified SSL Host |
| Session.State.Disclosure | Information Leakage: Client Side Session State |
| Session.Timeout.Expiration | Insufficient Session Expiration |
| Session.Url.Rewriting | Information Leakage: Session ID |
| Stack.Smashing.Prot | Application Misconfiguration: Stack Smashing Protection Disabled |
| Technology.Apple.Xcode.Project.Settings | Application Misconfiguration: Xcode Settings |
| Validation.Mvc.Csrf.Missing | Validation mvc csrf missing |
| Validation.Url.Redirect | URL Redirector Abuse |
| WebService.AbuseOfFunc | Abuse of Functionality |
| WebService.Access.PRL | Predictable Resource Location |
| WebService.Crypto.TLS.HSTS | Insufficient Transport Layer Protection: HSTS |
| WebService.SensitiveData.BigIP.Disclosure | Information Leakage: BIG-IP |
| WebService.SensitiveData.GETRequest.Disclosure | Information Leakage: Sensitive Data Over GET |
| WebService.SensitiveData.Information.Leakage | Information Leakage: Sensitive Data |
| WebService.SensitiveData.IPAddress.Disclosure | Information Leakage: IP Address |
| WebService.SensitiveData.ServerVersion.Disclosure | Information Leakage: Server Version |
| WebServices.SensitiveData.Information.Disclosure | WebServices SensitiveData Information Disclosure |
| WebServices.SensitiveData.Information.Leakage | Information Leakage |

Technical Vulnerabilities Covered by SAST - OWASP 2021 Top 10

| Vulnerability | Description |
|---|---|
| A01 | Broken Access Control |
| A02 | Cryptographic Failures |
| A03 | Injection |
| A04 | Insecure Design |
| A05 | Security Misconfiguration |
| A06 | Vulnerable and Outdated Components |
| A07 | Identification and Authentication Failures |
| A08 | Software and Data Integrity Failures |
| A09 | Security Logging and Monitoring Failures |
| A10 | Server-Side Request Forgery |