Overview
This reference provides detailed information about each impact category, including which CWEs (Common Weakness Enumeration) map to each impact. Use this to understand what types of vulnerabilities fall under each impact category. For a high-level overview of impacts, see Impacts.

Impact details

Execute Commands
Execute arbitrary code or commands.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-78 | OS Command Injection |
| CWE-94 | Code Injection |
| CWE-95 | Eval Injection |
| CWE-98 | PHP Remote File Inclusion |
| CWE-190 | Integer Overflow or Wraparound |
| CWE-470 | Unsafe Reflection |
| CWE-489 | Active Debug Code |
| CWE-502 | Deserialization of Untrusted Data |
| CWE-611 | XML External Entity Reference |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources |
| CWE-917 | Expression Language Injection |
Takeover Accounts
Authenticate as another user or hijack sessions.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-598 | GET Request Method With Sensitive Query Strings |
| CWE-613 | Insufficient Session Expiration |
| CWE-1004 | Sensitive Cookie Without ‘HttpOnly’ Flag |
Gain Access
Bypass authorization or escalate privileges.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-20 | Improper Input Validation |
| CWE-90 | LDAP Injection |
| CWE-287 | Improper Authentication |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-601 | Open Redirect |
| CWE-918 | Server-Side Request Forgery (SSRF) |
Obtain Secrets
Extract credentials or keys for reuse.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-321 | Use of Hard-coded Cryptographic Key |
| CWE-798 | Use of Hard-coded Credentials |
Access Data
Read or manipulate structured data.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-15 | External Control of System or Configuration Setting |
| CWE-22 | Path Traversal |
| CWE-89 | SQL Injection |
| CWE-90 | LDAP Injection |
| CWE-643 | XPath Injection |
| CWE-918 | Server-Side Request Forgery (SSRF) |
Access Files
Read or modify files or paths.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-20 | Improper Input Validation |
| CWE-22 | Path Traversal |
| CWE-73 | External Control of File Name or Path |
| CWE-548 | Exposure of Information Through Directory Listing |
| CWE-552 | Files or Directories Accessible to External Parties |
| CWE-611 | XML External Entity Reference (XXE) |
| CWE-918 | Server-Side Request Forgery (SSRF) |
Intercept Traffic
Observe or alter data in transit.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-295 | Improper Certificate Validation |
| CWE-319 | Cleartext Transmission of Sensitive Information |
| CWE-322 | Key Exchange without Entity Authentication |
| CWE-326 | Inadequate Encryption Strength |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| CWE-614 | Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| CWE-780 | Use of RSA Algorithm without OAEP |
Insufficient Data Protection
Sensitive data at rest is not adequately protected.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-310 | Cryptographic Issues |
| CWE-326 | Inadequate Encryption Strength |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| CWE-328 | Use of Weak Hash |
| CWE-329 | Generation of Predictable IV with CBC Mode |
| CWE-780 | Use of RSA Algorithm without OAEP |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort |
| CWE-1004 | Sensitive Cookie Without ‘HttpOnly’ Flag |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation |
Bypass Cryptographic Controls
Predict or undermine cryptographic controls.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-330 | Use of Insufficiently Random Values |
| CWE-338 | Use of Cryptographically Weak PRNG |
| CWE-347 | Improper Verification of Cryptographic Signature |
Facilitate Client-side Attacks
Target end users.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-79 | Cross-site Scripting (XSS) |
| CWE-116 | Improper Encoding or Escaping of Output |
| CWE-346 | Origin Validation Error |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework |
| CWE-601 | Open Redirect |
| CWE-693 | Protection Mechanism Failure |
| CWE-918 | Server-Side Request Forgery (SSRF) |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains |
| CWE-1004 | Sensitive Cookie Without ‘HttpOnly’ Flag |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute |
Access Application State
Learn internal state or configuration.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-209 | Generation of Error Message Containing Sensitive Information |
| CWE-489 | Active Debug Code |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| CWE-1323 | Improper Management of Sensitive Trace Data |
Evade Detection
Avoid logging or monitoring.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-93 | CRLF Injection |
Degrade Performance
Exhaust resources or reduce availability.
Associated CWEs:
| CWE | Description |
|---|---|
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) |
| CWE-1333 | Inefficient Regular Expression Complexity (ReDoS) |
Related docs
- Impacts: overview of impact categories
- Code Security Rules: security rule coverage by language