# Java

| No. & Rule Name | CWE(s) | OWASP Top 10 / SANS 25 |
| --- | --- | --- |
| **(1) Use of Hardcoded Credentials** | (798) Use of Hard-coded Credentials<br>(259) Use of Hard-coded Password | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures<br>SANS/CWE Top 25 |
| **(2) Use of Password Hash With Insufficient Computational Effort** | (916) Use of Password Hash With Insufficient Computational Effort | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute** | (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(4) Hardcoded Secret** | (547) Use of Hard-coded, Security-relevant Constants | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(5) Command Injection** | (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection<br>SANS/CWE Top 25 |
| **(6) Cross-site Scripting (XSS)** | (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | OWASP Top Ten 2021 Category A03:2021 - Injection<br>SANS/CWE Top 25 |
| **(7) Server-Side Request Forgery (SSRF)** | (918) Server-Side Request Forgery (SSRF) | OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)<br>SANS/CWE Top 25 |
| **(8) Open Redirect** | (601) URL Redirection to Untrusted Site ('Open Redirect') | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control |
| **(9) Regular Expression Injection** | (400) Uncontrolled Resource Consumption<br>(730) | |
| **(10) SQL Injection** | (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection<br>SANS/CWE Top 25 |
| **(11) XML External Entity (XXE) Injection** | (611) Improper Restriction of XML External Entity Reference | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration<br>SANS/CWE Top 25 |
| **(12) Inadequate Encryption Strength** | (326) Inadequate Encryption Strength | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(13) Use of Insufficiently Random Values** | (330) Use of Insufficiently Random Values | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(14) Sensitive Cookie Without 'HttpOnly' Flag** | (1004) Sensitive Cookie Without 'HttpOnly' Flag | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(15) Deserialization of Untrusted Data** | (502) Deserialization of Untrusted Data | OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures<br>SANS/CWE Top 25 |
| **(16) Code Injection** | (94) Improper Control of Generation of Code ('Code Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(17) Information Exposure** | (200) Exposure of Sensitive Information to an Unauthorized Actor | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control<br>SANS/CWE Top 25 |
| **(18) Cleartext Storage of Sensitive Information in a Cookie** | (315) Cleartext Storage of Sensitive Information in a Cookie | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(19) LDAP Injection** | (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(20) Path Traversal** | (23) Relative Path Traversal | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control |
| **(21) XPath Injection** | (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(22) Improper Certificate Validation** | (295) Improper Certificate Validation | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures |
| **(23) Improper Authentication** | (287) Improper Authentication | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures<br>SANS/CWE Top 25 |
| **(24) Use of a Broken or Risky Cryptographic Algorithm** | (327) Use of a Broken or Risky Cryptographic Algorithm | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(25) Use of Potentially Dangerous Function** | (676) Use of Potentially Dangerous Function | |
| **(26) Use of Hardcoded, Security-relevant Constants** | (547) Use of Hard-coded, Security-relevant Constants | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(27) JWT Signature Verification Bypass** | (347) Improper Verification of Cryptographic Signature | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(28) Cleartext Transmission of Sensitive Information** | (319) Cleartext Transmission of Sensitive Information | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(29) Improper Validation of Certificate with Host Mismatch** | (297) Improper Validation of Certificate with Host Mismatch | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures |
| **(30) Insufficient Session Expiration** | (613) Insufficient Session Expiration | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures |
| **(31) Origin Validation Error** | (942) Permissive Cross-domain Policy with Untrusted Domains<br>(346) Origin Validation Error | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration<br>OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures |
| **(32) Cross-Site Request Forgery (CSRF)** | (352) Cross-Site Request Forgery (CSRF) | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control<br>SANS/CWE Top 25 |
| **(33) Disabled Neutralization of CRLF Sequences in HTTP Headers** | (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(34) JavaScript Enabled** | (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | OWASP Top Ten 2021 Category A03:2021 - Injection<br>SANS/CWE Top 25 |
| **(35) File Access Enabled** | (200) Exposure of Sensitive Information to an Unauthorized Actor | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control<br>SANS/CWE Top 25 |
| **(36) Android Fragment Injection** | (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(37) Spring Cross-Site Request Forgery (CSRF)** | (352) Cross-Site Request Forgery (CSRF) | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control<br>SANS/CWE Top 25 |
| **(38) Struts Development Mode Enabled** | (489) Active Debug Code | |
| **(39) Android Debug Mode Enabled** | (489) Active Debug Code | |
| **(40) Process Control** | (114) Process Control | |
| **(41) Use of Externally-Controlled Format String** | (134) Use of Externally-Controlled Format String | |
| **(42) External Control of System or Configuration Setting** | (15) External Control of System or Configuration Setting | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(43) Server Information Exposure** | (209) Generation of Error Message Containing Sensitive Information | OWASP Top Ten 2021 Category A04:2021 - Insecure Design |
| **(44) Improper Neutralization of CRLF Sequences in HTTP Headers** | (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(45) Trust Boundary Violation** | (501) Trust Boundary Violation | OWASP Top Ten 2021 Category A04:2021 - Insecure Design |
| **(46) Android Intent Forwarding** | (940) Improper Verification of Source of a Communication Channel | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures |
| **(47) Unauthorized File Access** | (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | OWASP Top Ten 2021 Category A03:2021 - Injection<br>SANS/CWE Top 25 |
| **(48) Code Execution via Third Party Package Context** | (94) Improper Control of Generation of Code ('Code Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(49) Android Uri Permission Manipulation** | (266) Incorrect Privilege Assignment | OWASP Top Ten 2021 Category A04:2021 - Insecure Design |
| **(50) Java Naming and Directory Interface (JNDI) Injection** | (74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(51) Code Execution via Third Party Package Installation** | (940) Improper Verification of Source of a Communication Channel | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures |
