# Go | No. & Rule Name | CWE(s) | OWASP Top 10/SANS 25 | | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | | **(1) Use of Hardcoded Credentials** | (798) Use of Hard-coded Credentials | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | | | (259) Use of Hard-coded Password | SANS/CWE Top 25 | | | | | | **(2) Use of Password Hash With Insufficient Computational Effort** | (916) Use of Password Hash With Insufficient Computational Effort | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | | | | | | **(3) Hardcoded Secret** | (547) Use of Hard-coded, Security-relevant Constants | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration | | | | | | **(4) Command Injection** | (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection | | | | SANS/CWE Top 25 | | **(5) Cross-site Scripting (XSS)** | (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | OWASP Top Ten 2021 Category A03:2021 - Injection | | | | SANS/CWE Top 25 | | **(6) Server-Side Request Forgery (SSRF)** | (918) Server-Side Request Forgery (SSRF) | OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) | | | | SANS/CWE Top 25 | | **(7) Open Redirect** | (601) URL Redirection to Untrusted Site ('Open Redirect') | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | | | | | | **(8) SQL Injection** | (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection | | | | SANS/CWE Top 25 | | **(9) Inadequate Encryption Strength** | (326) Inadequate Encryption Strength | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | | | | | | **(10) Use of Insufficiently Random Values** | (330) Use of Insufficiently Random Values | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | | | | | | **(11) Sensitive Cookie Without 'HttpOnly' Flag** | (1004) Sensitive Cookie Without 'HttpOnly' Flag | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration | | | | | | **(12) Path Traversal** | (23) Relative Path Traversal | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | | | | | | **(13) XPath Injection** | (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection | | | | | | **(14) Improper Certificate Validation** | (295) Improper Certificate Validation | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | | | | | | **(15) Insecure TLS Configuration** | (327) Use of a Broken or Risky Cryptographic Algorithm | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | | | | | | **(16) Clear Text Logging** | (200) Exposure of Sensitive Information to an Unauthorized Actor | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | | | (312) Cleartext Storage of Sensitive Information | OWASP Top Ten 2021 Category A04:2021 - Insecure Design | | | | SANS/CWE Top 25 | | **(17) Generation of Error Message Containing Sensitive Information** | (209) Generation of Error Message Containing Sensitive Information | OWASP Top Ten 2021 Category A04:2021 - Insecure Design | | | | |