The OWASP Web Application Penetration Check List
This document is released under the GNU documentation license and is copyrighted to the OWASP Foundation. You should read and
understand that license and copyright conditions.
BufferOverflow.Stack
Flaws which may allow an attacker to write data into the stack, causing the program to
crash or transfer control.
BufferOverflow.Format
Flaws which may allow an attacker to use format strings to overwrite locations in
memory, allowing data to be changed, program control to be altered, or the program to
crash.
Concurrency
Used for errors in multithreaded environments that allow data to be shared or corrupted.
Examples include variables that are shared between threads and cause time-of-check-time-of-use (TOCTOU) problems, broken singleton patterns, and poor cache design.
ConfigurationManagement
Used to describe problems in the configuration of an application or application
environment.
ConfigurationManagement.Administration
Used for problems in the application's mechanisms that enable remote administration,
such as user management, credential management, database management, and other
configuration options.
ConfigurationManagement.Application
Used to describe problems in the application's configuration, such as mis-configured
security mechanisms, default programs, unused code, and unnecessarily enabled features.
ConfigurationManagement.Infrastructure
Used for problems with the configuration of the application's infrastructure, such as the
web and application servers, filters, and external security mechanisms.
Cryptography
Used for problems related to encryption, decryption, signing, and verification.
Cryptography.Algorithm
Used for cryptographic algorithm selection, implementation, and analysis problems.
Cryptography.KeyManagement
Used for issues with certificate storage, tokens, revocation, certificates, key stores,
issuing keys, and other key issues.
DataProtection
Used for issues related to inappropriate disclosure of data.
DataProtection.Storage
Used for problems storing data securely, including storage of credentials, keys, and other
sensitive information. Mistakes related to cryptographic mechanisms include poor
sources of randomness, bad choice of algorithm, and poor implementation.
DataProtection.Transport
Used for problems related to secure transfer of information. Frequently, this will refer to
problems with SSL or TLS configuration, but could include other protocols with security
features.
ErrorHandling
Used for problems in handling errors, including printing stack traces to the screen, fail-open
security mechanisms, allowing errors to affect the operation of the entire
application, and revealing too much information about a failure.