| Manipulating Hidden Fields |
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Create Malicious Client |
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Removing Important Client Functionality |
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements |
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Exploitation of Trusted Identifiers |
|
CWE-6
|
J2EE Misconfiguration: Insufficient Session-ID Length
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-384
|
Session Fixation
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
CWE-642
|
External Control of Critical State Data
|
|
CWE-664
|
Improper Control of a Resource Through its Lifetime
|
|
| Accessing/Intercepting/Modifying HTTP Cookies |
|
CWE-20
|
Improper Input Validation
|
|
CWE-113
|
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-315
|
Cleartext Storage of Sensitive Information in a Cookie
|
|
CWE-384
|
Session Fixation
|
|
CWE-472
|
External Control of Assumed-Immutable Web Parameter
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-565
|
Reliance on Cookies without Validation and Integrity Checking
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
CWE-642
|
External Control of Critical State Data
|
|
| Harvesting Information via API Event Monitoring |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-319
|
Cleartext Transmission of Sensitive Information
|
|
CWE-419
|
Unprotected Primary Channel
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Application API Message Manipulation via Man-in-the-Middle |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Transaction or Event Tampering via Application API Manipulation |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Application API Navigation Remapping |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Navigation Remapping To Propagate Malicious Content |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|
| Application API Button Hijacking |
|
CWE-311
|
Missing Encryption of Sensitive Data
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
|