---
type: "mapping-set"
title: "CWE weaknesses → #1 Abuse of Functions"
description: "165 CWE weaknesses entries mapped to TLCTC #1 Abuse of Functions."
resource: "tlctc:mapping:cwe:cluster-1"
tags:
  - "mapping"
  - "cwe"
  - "cluster-1"
---
# CWE weaknesses → #1 Abuse of Functions

> Source: MITRE CWE → TLCTC mapping (`mappings/mitre-cwe/`). AI-generated, human-reviewed; experimental.

Mapped entries: **165**. Cluster: [#1 Abuse of Functions](/clusters/cluster-1.md).

| CWE | Name | TLCTC | Verdict | Rationale |
|---|---|---|---|---|
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | #1 | Allowed | Abuse of the legitimate error reporting function (#1) to gather reconnaissance data (Data Risk Event). |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | #1 | Allowed | Exposing internal logic as remote interfaces allows attackers to abuse these functions (#1) beyond their intended local scope. |
| CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | #1 | Allowed | Overly permissive configuration allows attackers to abuse legitimate business logic functions (#1) without proper authorization. |
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | #1 | Allowed | Abuse of the legitimate debug functionality (#1) to glean system information. |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | #1 | Allowed | Abuse of default error handling (#1) to disclose stack traces and configuration details. |
| CWE-15 | External Control of System or Configuration Setting | #1 | Allowed | The attacker manipulates inputs to abuse the system's configuration functionality (#1), altering behavior within designed (but unsafe) parameters. |
| CWE-73 | External Control of File Name or Path | #1 | Allowed | Abuse of legitimate file-handling functions (#1) by supplying unexpected file names or paths that the function's logic accepts (unless the root cause is an implementation flaw, in which case #2/#3). |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | #1 | Allowed | The attacker manipulates arguments to abuse the logic of the called command (#1) without necessarily executing arbitrary new code (though it often leads to #7). |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | #1 | Allowed | Abuse of logic (#1) by manipulating IDs to access unintended resources (IDOR/Logic abuse). |
| CWE-114 | Process Control | #1 → #7 | Discouraged | Abuse of library loading/process execution (#1) to execute malicious code (#7). |
| CWE-178 | Improper Handling of Case Sensitivity | #1 | Allowed | Case-sensitivity handling mismatch between security check and downstream consumer (e.g., 'ADMIN' vs. 'admin') lets an attacker bypass the check via casing variation. Decision tree Q9 -> #1. |
| CWE-187 | Partial String Comparison | #1 | Allowed | Authentication/authorization check that compares only a prefix or partial string lets an attacker submit a value matching the prefix. Decision tree Q9 -> #1 (abuse of the comparison function's logic). |
| CWE-202 | Exposure of Sensitive Information Through Data Queries | #1 | Allowed | Aggregated/inferential queries reveal sensitive data the user is not authorized to view directly. Decision tree Q9 -> #1 (abuse of the query function via inference). |
| CWE-209 | Generation of Error Message Containing Sensitive Information | #1 | Allowed | Error messages emitted to the user contain sensitive internal details (stack traces, paths, query fragments). Decision tree Q9 -> #1 (the error-emission function discloses more than intended). |
| CWE-210 | Self-generated Error Message Containing Sensitive Information | #1 | Allowed | Self-generated error messages (logs, debug output rendered to user) include sensitive context. Decision tree Q9 -> #1 (abuse of the error-emission function). |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information | #1 | Allowed | Externally-generated error messages (from libraries, frameworks) propagate sensitive info to the user. Decision tree Q9 -> #1 (abuse of the error-emission function). |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | #1 | Allowed | Privacy/exposure policy is incompatible across system boundaries (e.g., internal logs surfaced via error pages, user data in URL query strings). Decision tree Q9 -> #1 (abuse of the policy-enforcement function). |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | #1 | Allowed | Debug code left active in production exposes internal state to users. Decision tree Q9 -> #1 (abuse of the debug-output function in a context where it should not be reachable). |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | #1 | Allowed | Sensitive files (config, backups, logs) placed under the document root are directly fetchable via HTTP. Decision tree Q9 -> #1 (abuse of the web server's file-serving function). |
| CWE-220 | Storage of File With Sensitive Data Under FTP Root | #1 | Allowed | Sensitive files placed under the FTP root are directly fetchable. Decision tree Q9 -> #1 (abuse of the FTP file-serving function). |
| CWE-224 | Obscured Security-relevant Information by Alternate Name | #1 | Allowed | Alternate names for security-relevant identifiers (case variation, encoding, aliases) bypass logging or access checks that match only the canonical form. Decision tree Q9 -> #1. |
| CWE-250 | Execution with Unnecessary Privileges | #1 | Allowed | Configuration flaw allowing abuse of functions with high privilege (#1). |
| CWE-266 | Incorrect Privilege Assignment | #1 | Allowed | Privilege assignment grants users access to functions outside their intended role, abusable through the over-granted function. Decision tree Q9 -> #1. |
| CWE-267 | Privilege Defined With Unsafe Actions | #1 | Allowed | Privilege definition includes unsafe actions (overly broad capabilities). Holders of the privilege can abuse the unsafe action to escalate. Decision tree Q9 -> #1. |
| CWE-268 | Privilege Chaining | #1 | Allowed | Chained privilege grants let a holder of low privilege escalate by composing legitimately-granted capabilities. Decision tree Q9 -> #1. |
| CWE-269 | Improper Privilege Management | #1 | Discouraged | Parent class for privilege-escalation logic flaws. Specific cases classify at child CWEs (CWE-250, 266-273, 648). Decision tree Q9 -> #1. |
| CWE-270 | Privilege Context Switching Error | #1 | Allowed | Privilege context-switching error (e.g., setuid/seteuid mishandling) leaves elevated context active when it should be dropped. Decision tree Q9 -> #1. |
| CWE-271 | Privilege Dropping / Lowering Errors | #1 | Allowed | Failure to drop privileges leaves later operations running with excess rights, abusable through the elevated function (#1). Decision tree Q9. |
| CWE-272 | Least Privilege Violation | #1 | Allowed | Code runs with more privileges than required; any defect in that code is exploitable at the elevated privilege. Decision tree Q9 -> #1 (abuse of the over-privileged function). |
| CWE-273 | Improper Check for Dropped Privileges | #1 | Allowed | Failure to verify privilege drop succeeded leaves elevated context active despite the attempt. Decision tree Q9 -> #1. |
| CWE-276 | Incorrect Default Permissions | #1 | Allowed | Default permissions on created resources allow access by unintended principals. Decision tree Q9 -> #1 (abuse of the over-permissioned resource). |
| CWE-277 | Insecure Inherited Permissions | #1 | Allowed | Inherited permissions are too broad, exposing resources to unintended principals. Decision tree Q9 -> #1. |
| CWE-278 | Insecure Preserved Inherited Permissions | #1 | Allowed | Permissions inherited from a less-trusted parent are preserved when they should be reset. Decision tree Q9 -> #1. |
| CWE-279 | Incorrect Execution-Assigned Permissions | #1 | Allowed | Execution-assigned permissions (setuid/setgid) are wrong, granting unintended capabilities. Decision tree Q9 -> #1. |
| CWE-281 | Improper Preservation of Permissions | #1 | Allowed | Permissions are not preserved across operations (file copy/move dropping ACLs), letting access widen. Decision tree Q9 -> #1. |
| CWE-282 | Improper Ownership Management | #1 | Allowed | Improper file/object ownership management lets an attacker abuse the ownership-dependent function (e.g., sudo bypass, file overwrite). Decision tree Q9 -> #1. |
| CWE-283 | Unverified Ownership | #1 | Allowed | Resource ownership not verified before privileged action lets an attacker invoke the action on resources they do not own. Decision tree Q9 -> #1. |
| CWE-284 | Improper Access Control | #1 | Discouraged | Parent class for access control flaws. Abuse of functions due to missing/weak checks (#1). |
| CWE-285 | Improper Authorization | #1 | Discouraged | Parent class for authorization flaws. Specific cases classify at child CWEs (CWE-862 missing-authz, CWE-863 incorrect-authz). Decision tree Q9 -> #1. |
| CWE-286 | Incorrect User Management | #1 | Allowed | Incorrect user-management logic (orphaned accounts, role drift) lets the wrong user invoke privileged functions. Decision tree Q9 -> #1. |
| CWE-287 | Improper Authentication | #1 | Discouraged | Parent class for authentication weaknesses. Per ruling-1, authentication-LOGIC bypass (skipping or fooling the check) is #1; credential-handling weaknesses (storage, generation, transmission) classify to #4 separately. Specific cases classify at child CWEs. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | #1 | Allowed | Authentication can be bypassed via an alternate path/channel that does not invoke the check. Decision tree Q9 -> #1. |
| CWE-289 | Authentication Bypass by Alternate Name | #1 | Allowed | Authentication can be bypassed by submitting an alternate name that resolves to the same identity but is not properly checked. Decision tree Q9 -> #1. |
| CWE-290 | Authentication Bypass by Spoofing | #1 | Allowed | Authentication can be bypassed by spoofing identity attributes (forged tokens, replayed credentials, manipulated identity headers). Decision tree Q9 -> #1. |
| CWE-291 | Reliance on IP Address for Authentication | #1 | Allowed | Authentication based on source IP can be defeated by spoofing or proxying. Decision tree Q9 -> #1. |
| CWE-293 | Using Referer Field for Authentication | #1 | Allowed | Authentication based on Referer header can be defeated by setting/forging the header. Decision tree Q9 -> #1. |
| CWE-294 | Authentication Bypass by Capture-replay | #1 | Allowed | Replay attacks exploit a weakness in the authentication protocol design (#1) that fails to prevent reuse of captured authentication data. The protocol's functional logic allows replayed messages to be accepted as valid. This is abuse of the protocol's designed behavior, not exploitation of a network position. Note: If credentials are replayed to impersonate identity, the sequence is #1 → #4. |
| CWE-301 | Reflection Attack in an Authentication Protocol | #1 | Allowed | Reflection attacks exploit weaknesses in authentication protocol design (#1) where challenges can be reflected back to the challenger. The protocol's functional logic itself is vulnerable to manipulation. This is abuse of the protocol's designed behavior through parameter manipulation. |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | #1 | Allowed | Authentication relies on data the attacker can modify (cookie flags, hidden form fields, client-side state). Decision tree Q9 -> #1. |
| CWE-303 | Incorrect Implementation of Authentication Algorithm | #1 | Allowed | Authentication algorithm is implemented incorrectly (skipping a step, comparing wrong values, accepting weak inputs). Decision tree Q9 -> #1. |
| CWE-304 | Missing Critical Step in Authentication | #1 | Allowed | Authentication flow is missing a critical step (no signature verification, no timing check), letting an attacker bypass it. Decision tree Q9 -> #1. |
| CWE-306 | Missing Authentication for Critical Function | #1 | Allowed | The attacker abuses a function (#1) that was intended to be restricted but wasn't. |
| CWE-330 | Use of Insufficiently Random Values | #1 \| #4 | Discouraged | Abuse of PRNG functions (#1). If used for session/auth, leads to Identity Theft (#4). |
| CWE-344 | Use of Invariant Value in Dynamically Changing Context | #1 | Allowed | An invariant value is reused in a context where it should change between uses (nonces, tokens, IDs), letting an attacker exploit the predictability. Decision tree Q9 -> #1. |
| CWE-345 | Insufficient Verification of Data Authenticity | #1 | Discouraged | Parent class for data-authenticity verification flaws. Specific cases classify at child CWEs. Decision tree Q9 -> #1. |
| CWE-346 | Origin Validation Error | #1 | Allowed | Failure to validate the origin of a request (Origin/Referer/postMessage source) lets an attacker invoke functions on behalf of an unintended caller. Decision tree Q9 -> #1. |
| CWE-348 | Use of Less Trusted Source | #1 | Allowed | A security decision relies on a less-trusted source (HTTP header, client-supplied attribute) when a more-authoritative source is available. Decision tree Q9 -> #1. |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | #1 | Allowed | Untrusted data is accepted alongside trusted data and treated as authoritative (e.g., signed-payload-with-extra-unsigned-fields). Decision tree Q9 -> #1. |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | #1 | Allowed | Reverse DNS lookup is used as an authoritative identity check despite being attacker-influenceable. Decision tree Q9 -> #1. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | #1 | Allowed | CSRF forces the victim's browser to invoke a legitimate function (#1) on the server using the victim's session. |
| CWE-360 | Trust of System Event Data | #1 | Allowed | System event data is trusted as authoritative without verifying its origin or integrity. Decision tree Q9 -> #1. |
| CWE-378 | Creation of Temporary File With Insecure Permissions | #1 | Allowed | Temporary file is created with permissions wider than necessary, exposing its content or letting an attacker substitute it. Decision tree Q9 -> #1. |
| CWE-379 | Creation of Temporary File in Directory with Insecure Permissions | #1 | Allowed | Temporary file is created in a directory whose permissions allow attackers to substitute or read the file. Decision tree Q9 -> #1. |
| CWE-419 | Unprotected Primary Channel | #1 | Allowed | The product's primary administrative channel is unprotected, letting any caller invoke admin functions. Decision tree Q9 -> #1. |
| CWE-420 | Unprotected Alternate Channel | #1 | Allowed | An alternate channel (debug port, secondary protocol) is unprotected, letting attackers invoke functions that the primary channel would have authenticated. Decision tree Q9 -> #1. |
| CWE-422 | Unprotected Windows Messaging Channel ('Shatter') | #1 | Allowed | Abuse of intended messaging functionality (#1) to escalate privilege. |
| CWE-424 | Improper Protection of Alternate Path | #1 | Allowed | An alternate path/channel exists that bypasses the intended authorization function. Decision tree Q9 -> #1. |
| CWE-425 | Direct Request ('Forced Browsing') | #1 | Allowed | Direct request to a URL/endpoint bypasses UI-only access controls; the server must enforce, not merely the UI. Decision tree Q9 -> #1. |
| CWE-427 | Uncontrolled Search Path Element | #1 → #7 | Allowed | Uncontrolled search path element — attacker plants a malicious DLL/shared-library on a writable path, the OS loader loads it via search-order resolution. Decision tree Q9 -> #1 (loader function abused); per R-EXEC the loaded code executes -> append → #7. |
| CWE-428 | Unquoted Search Path or Element | #1 → #7 | Allowed | Unquoted Windows search path — spaces in the path cause Windows to try multiple binary candidates in sequence; attacker plants an executable matching one of the earlier candidates. Decision tree Q9 -> #1 (loader function abused); per R-EXEC the loaded executable runs -> append → #7. |
| CWE-430 | Deployment of Wrong Handler | #1 | Allowed | The wrong handler/MIME type processes the request, exposing source code or invoking an unintended function. Decision tree Q9 -> #1. |
| CWE-433 | Unparsed Raw Web Content Delivery | #1 | Allowed | Source files are served raw instead of executed, exposing logic and embedded secrets. Decision tree Q9 -> #1. |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | #1 → #7 | Allowed | Abuse of the upload function (#1) to introduce foreign code/malware (#7). |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | #1 | Allowed | Abusing the deputy's legitimate functionality (#1) to perform unauthorized actions. |
| CWE-449 | The UI Performs the Wrong Action | #1 | Allowed | UI control performs an action the user did not intend (mislabeled button, wrong default). Decision tree Q9 -> #1 (the UI function executes the wrong logic relative to user intent). |
| CWE-450 | Multiple Interpretations of UI Input | #1 | Allowed | UI input is interpreted differently in different contexts (Unicode normalization, locale), creating a security-relevant ambiguity. Decision tree Q9 -> #1. |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | #1 | Allowed | Data the application assumes is immutable can be modified by the attacker (cookies, hidden fields, client-side state), invalidating later trust decisions. Decision tree Q9 -> #1. |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | #1 | Allowed | Web parameters the application assumes immutable (e.g., signed token used as a backup) can be tampered with by the attacker. Decision tree Q9 -> #1. |
| CWE-478 | Missing Default Case in Multiple Condition Expression | #1 | Allowed | Switch/case missing default case lets unexpected input fall through, leaving the function in an undefined state. Decision tree Q9 -> #1 (logic gap in the function's control flow). |
| CWE-488 | Exposure of Data Element to Wrong Session | #1 | Allowed | Data is stored in a session/scope visible to the wrong user (e.g., cached in a shared session). Decision tree Q9 -> #1. |
| CWE-489 | Active Debug Code | #1 | Allowed | Active debug code in production exposes internal functions and data. Decision tree Q9 -> #1 (the debug function is reachable when it should not be). |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | #1 | Allowed | Public cloneable() method without final lets an attacker subclass and override clone() to bypass invariants ('object hijacking'). Decision tree Q9 -> #1. |
| CWE-493 | Critical Public Variable Without Final Modifier | #1 | Allowed | Critical public variable without final modifier can be reassigned by other code, including subclasses, breaking invariants. Decision tree Q9 -> #1. |
| CWE-500 | Public Static Final Field References Mutable Object | #1 | Allowed | Public static final field references a mutable object; the field reference is final but the underlying state can still be modified. Decision tree Q9 -> #1. |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | #1 | Allowed | ASP.NET impersonation misconfiguration runs code under a different identity than intended. Decision tree Q9 -> #1. |
| CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere | #1 | Allowed | Version-control directories (.git, .svn) under the web root expose source code and history. Decision tree Q9 -> #1 (abuse of the file-serving function). |
| CWE-529 | Exposure of Access Control List Files to an Unauthorized Control Sphere | #1 | Allowed | Access-control list files (.htaccess, web.config) are themselves fetchable, revealing the access policy. Decision tree Q9 -> #1. |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | #1 | Allowed | Backup files (config.bak, .swp) under the web root are fetchable, exposing the backed-up content. Decision tree Q9 -> #1. |
| CWE-548 | Exposure of Information Through Directory Listing | #1 | Allowed | Web server directory listing is enabled, revealing files and structure. Decision tree Q9 -> #1 (abuse of the listing feature). |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | #1 | Allowed | Authorization runs before parsing/canonicalization, letting an attacker craft input that authorizes pre-canonicalization but executes a different operation post-canonicalization. Decision tree Q9 -> #1. |
| CWE-552 | Files or Directories Accessible to External Parties | #1 | Allowed | Files or directories accessible to external parties (network share, world-readable mount, public S3 bucket). Decision tree Q9 -> #1 (abuse of the storage function's access policy). |
| CWE-556 | ASP.NET Misconfiguration: Use of Identity Impersonation | #1 | Allowed | ASP.NET Identity Impersonation misconfiguration runs the request under an unintended identity. Decision tree Q9 -> #1. |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | #1 | Allowed | Cookies are trusted as integrity-protected when they are not (no signature/HMAC). Decision tree Q9 -> #1 (parameter tampering via the cookie). |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | #1 | Allowed | User-controlled parameter (often a primary-key ID) is used directly in an SQL WHERE clause for authorization, letting an attacker reach other users' rows. Decision tree Q9 -> #1 (IDOR via the query function). |
| CWE-582 | Array Declared Public, Final, and Static | #1 | Allowed | Public final static array — the reference is final but the array contents are mutable, so other code can rewrite the entries. Decision tree Q9 -> #1. |
| CWE-583 | finalize() Method Declared Public | #1 | Allowed | finalize() declared public lets external code call it directly, double-running cleanup or invoking it at unexpected times. Decision tree Q9 -> #1. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | #1 | Allowed | Open-redirect: the redirect function accepts an untrusted destination, abusable for phishing chains and OAuth-token theft. Decision tree Q9 -> #1. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | #1 | Allowed | Server-side security relies on client-side enforcement (JS validation, hidden flag) which the attacker bypasses by submitting directly. Decision tree Q9 -> #1. |
| CWE-603 | Use of Client-Side Authentication | #1 | Allowed | Authentication is performed only on the client (e.g., JS check) and not enforced server-side; trivially bypassable. Decision tree Q9 -> #1. |
| CWE-606 | Unchecked Input for Loop Condition | #1 | Allowed | Attacker-controlled input determines loop iteration count. This is parameter tampering that abuses the loop's functional logic (#1), not capacity exhaustion. The loop condition is functional logic being manipulated via unexpected input values, not a finite resource being overwhelmed by volume. |
| CWE-607 | Public Static Final Field References Mutable Object | #1 | Allowed | Public static final field references a mutable object; the field is constant but its target's state can be mutated. Decision tree Q9 -> #1. |
| CWE-608 | Struts: Non-private Field in ActionForm Class | #1 | Allowed | Struts ActionForm with non-private fields exposes business state to direct manipulation. Decision tree Q9 -> #1. |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | #1 | Discouraged | Externally-controlled reference to a resource in another sphere (parent class for IDOR, SSRF, path traversal logic). Specific cases classify at child CWEs. Decision tree Q9 -> #1. |
| CWE-612 | Improper Authorization of Index Containing Sensitive Information | #1 | Allowed | Index of sensitive items (search index, cache) returns entries the user is not authorized to view. Decision tree Q9 -> #1. |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | #1 | Allowed | The Secure attribute is a legitimate configuration parameter that was incorrectly set. This is a configuration/functional scope issue (#1) where the cookie security setting is misconfigured, allowing the cookie to be sent over unencrypted connections. The attacker abuses the insecure configuration. |
| CWE-620 | Unverified Password Change | #1 | Allowed | Password change endpoint does not verify the current user's identity (no current-password check, no reauth). Decision tree Q9 -> #1 (abuse of the password-change function). |
| CWE-625 | Permissive Regular Expression | #1 | Allowed | Regex used as a security validator is too permissive, accepting inputs that should have been rejected. Decision tree Q9 -> #1 (abuse of the validation function via inputs the regex permits). |
| CWE-636 | Not Failing Securely ('Failing Open') | #1 | Allowed | On error, security checks default to permitting the action instead of denying. Decision tree Q9 -> #1 (abuse of the default-permit branch of the security function). |
| CWE-638 | Not Using Complete Mediation | #1 | Allowed | Authorization checks are not applied at every access path (incomplete mediation), letting an attacker reach resources via unchecked paths. Decision tree Q9 -> #1. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | #1 | Allowed | Authorization decision uses a user-controlled key (record ID); the attacker substitutes another user's key (IDOR). Decision tree Q9 -> #1. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | #1 | Allowed | Abuse of the password-recovery function (weak verification, predictable reset token, security-question guessing) to reset another user's password. Decision tree Q9 -> #1. Per Axiom III, account takeover is the consequence; the cause is the recovery-flow logic flaw. |
| CWE-642 | External Control of Critical State Data | #1 | Allowed | Critical state data (auth status, role, price) is stored in attacker-modifiable locations (cookies, hidden fields, query strings). Decision tree Q9 -> #1 (parameter tampering). |
| CWE-645 | Overly Restrictive Account Lockout Mechanism | #1 | Allowed | Attacker abuses the legitimate account lockout function beyond its intended scope (#1) to deny access to legitimate users. The lockout mechanism works as designed; the attacker manipulates it for malicious purposes. This is functional scope abuse, not overwhelming finite capacity. |
| CWE-647 | Use of Non-Canonical URL Paths for Authorization Decisions | #1 | Allowed | Authorization decisions use the URL as-typed instead of canonicalized form, allowing bypass via path-equivalent variants (./, %2e%2e/, double slashes). Decision tree Q9 -> #1. |
| CWE-648 | Incorrect Use of Privileged APIs | #1 | Allowed | Privileged API used incorrectly (parameters not validated, called from the wrong context) lets an attacker invoke the privileged action. Decision tree Q9 -> #1. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | #1 | Allowed | Security relies on obfuscation/encoding instead of cryptographic verification; the obfuscation is reversible by the attacker. Decision tree Q9 -> #1. |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side | #1 | Allowed | Server trusts HTTP method (GET vs. POST, PUT, DELETE) for security decisions even though the client controls the method. Decision tree Q9 -> #1. |
| CWE-653 | Improper Isolation or Compartmentalization | #1 | Allowed | Components are not sufficiently isolated, letting compromise of one component reach functions in another. Decision tree Q9 -> #1. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | #1 | Allowed | Security decision depends on a single factor (single password, single token); compromise of that factor grants full access. Decision tree Q9 -> #1. |
| CWE-668 | Exposure of Resource to Wrong Sphere | #1 | Discouraged | Parent class for resource-exposure flaws (resource visible to wrong sphere). Specific cases classify at child CWEs (CWE-200, 219, 552). Decision tree Q9 -> #1. |
| CWE-669 | Incorrect Resource Transfer Between Spheres | #1 | Allowed | A resource intended for one sphere is incorrectly transferred into another, exposing functions to callers that should not reach them. Decision tree Q9 -> #1. |
| CWE-673 | External Influence of Sphere Definition | #1 | Allowed | Attacker-influenced sphere definition lets the attacker reposition trust boundaries to invoke functions across them. Decision tree Q9 -> #1. |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | #1 | Allowed | Multiple resources share the same identifier, letting an attacker substitute one for another in operations that resolve the identifier. Decision tree Q9 -> #1. |
| CWE-696 | Incorrect Behavior Order | #1 | Allowed | Behavior order mistakes (e.g., authorization-after-parsing, log-after-action). Decision tree Q9 -> #1 (the function executes in the wrong sequence relative to its security checks). |
| CWE-697 | Incorrect Comparison | #1 | Discouraged | Parent class for incorrect-comparison flaws (timing-attack, type-confusion comparison, partial match). Specific cases classify at child CWEs. Decision tree Q9 -> #1. |
| CWE-698 | Execution After Redirect (EAR) | #1 | Allowed | Code continues executing after issuing a redirect that should have terminated the request, letting subsequent statements run with the unredirected state. Decision tree Q9 -> #1. |
| CWE-708 | Incorrect Ownership Assignment | #1 | Allowed | Resource is created with the wrong owner, exposing it to unintended principals. Decision tree Q9 -> #1. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | #1 | Allowed | Critical resource (file, directory, IPC object) created with permissions allowing unintended principals — abuse of the resource's access function. Decision tree Q9 -> #1. |
| CWE-749 | Exposed Dangerous Method or Function | #1 | Allowed | Dangerous methods/functions are exposed without sufficient access control (debug API, admin RPC, unprotected JNI). Decision tree Q9 -> #1. |
| CWE-756 | Missing Custom Error Page | #1 | Allowed | Default error pages reveal stack traces and configuration. Decision tree Q9 -> #1 (abuse of the default error-handler function in a context where it should not surface internals). |
| CWE-766 | Critical Data Element Declared Public | #1 | Allowed | Critical data element (config, secret, security flag) declared public, mutable by any caller. Decision tree Q9 -> #1. |
| CWE-767 | Access to Critical Private Variable via Public Method | #1 | Allowed | Critical private variable accessible via a public method (getter/setter), bypassing intended encapsulation. Decision tree Q9 -> #1. |
| CWE-777 | Regular Expression without Anchors | #1 | Allowed | Regex without ^/$ anchors matches the pattern as a substring instead of the full input, letting attacker payloads slip past validation. Decision tree Q9 -> #1. |
| CWE-782 | Exposed IOCTL with Insufficient Access Control | #1 | Allowed | IOCTL exposed without sufficient access control lets unprivileged callers invoke driver/kernel functionality. Decision tree Q9 -> #1. |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | #1 | Allowed | Cookies trusted as integrity-protected without validation/HMAC, abusable via parameter tampering. Decision tree Q9 -> #1. |
| CWE-804 | Guessable CAPTCHA | #1 | Allowed | CAPTCHA's challenge space is small or solvable by automation, letting attackers bypass the human-verification function. Decision tree Q9 -> #1. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | #1 | Allowed | Security decisions depend on attacker-influenceable inputs (HTTP headers, cookies, client-asserted attributes). Decision tree Q9 -> #1. |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | #1 | Allowed | Authentication accepts the password hash directly (pass-the-hash) rather than requiring a plaintext password to verify against the hash. Per ruling-1, this is auth-LOGIC abuse (the auth function accepts the wrong credential form) -> #1. |
| CWE-837 | Improper Enforcement of a Single, Unique Action | #1 | Allowed | An action that should be performed at most once (file upload, transaction, vote) can be replayed because the function does not enforce uniqueness. Decision tree Q9 -> #1. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | #1 | Allowed | Business workflow steps (e.g., order -> pay -> ship) can be invoked out of sequence because the function does not enforce the workflow state machine. Decision tree Q9 -> #1. |
| CWE-842 | Placement of User into Incorrect Group | #1 | Allowed | Group/role assignment places user in the wrong group, granting unintended access. Decision tree Q9 -> #1. |
| CWE-862 | Missing Authorization | #1 | Allowed | A function performs a sensitive action without checking authorization at all. Decision tree Q9 -> #1. |
| CWE-863 | Incorrect Authorization | #1 | Allowed | An authorization check exists but evaluates incorrectly (wrong role compared, wrong resource referenced). Decision tree Q9 -> #1. |
| CWE-918 | Server-Side Request Forgery (SSRF) | #1 | Allowed | Server fetches a URL whose target is attacker-controlled, letting the attacker reach internal endpoints (cloud metadata, internal services) from the server's network position. Decision tree Q9 -> #1 (abuse of the fetch function). |
| CWE-921 | Storage of Sensitive Data in a Mechanism without Access Control | #1 | Allowed | Sensitive data stored in a mechanism that lacks access control (world-readable file, unprotected shared memory, public Android intent extra). Decision tree Q9 -> #1. |
| CWE-922 | Insecure Storage of Sensitive Information | #1 | Allowed | Sensitive data stored without proper access protection (file/dir/registry permissions, missing encryption-at-rest). Decision tree Q9 -> #1 (the storage function is configured to admit the wrong callers). |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | #1 | Allowed | Failure to verify the intended endpoint of a communication channel lets an attacker substitute a controlled endpoint. Decision tree Q9 -> #1 (channel-spoofing via the connection-establishment function). |
| CWE-925 | Improper Verification of Intent by Broadcast Receiver | #1 | Allowed | Android broadcast receiver does not verify the intent's sender/action, letting any app invoke the receiver. Decision tree Q9 -> #1. |
| CWE-926 | Improper Export of Android Application Components | #1 | Allowed | Android component (Activity, Service, Receiver) is exported without proper permission protection, letting any app invoke it. Decision tree Q9 -> #1. |
| CWE-927 | Use of Implicit Intent for Sensitive Communication | #1 | Allowed | Implicit Android intent for sensitive communication can be received by any matching app, including a malicious one. Decision tree Q9 -> #1. |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme | #1 | Allowed | Custom URL scheme handler does not authorize the caller, letting any web origin invoke its functions via the registered scheme. Decision tree Q9 -> #1. |
| CWE-941 | Incorrectly Specified Destination in a Communication Channel | #1 | Allowed | Communication is sent to an incorrectly-specified destination (wrong host, wrong port, wrong topic), letting attacker-controlled endpoints receive the data. Decision tree Q9 -> #1. |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains | #1 | Allowed | Cross-domain policy (Flash crossdomain.xml, Silverlight clientaccesspolicy.xml) lists overly broad domains, letting untrusted origins access cross-origin resources. Decision tree Q9 -> #1. |
| CWE-1039 | Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism | #1 | Allowed | Adversarial-input attacks (data poisoning, evasion) abuse the model's intended inference function by crafting inputs the model processes correctly but the user's downstream logic interprets unsafely. Per Axiom IV (actor identity does not determine cluster), this is #1 regardless of whether the adversary is a user, attacker, or insider. |
| CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data | #1 | Allowed | Hard-coded network endpoint (server URL, registry hostname) creates a fixed function the attacker can spoof or redirect by controlling the named resource (DNS hijack, BGP attack). Decision tree Q9 -> #1. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | #1 | Allowed | Resource initialized with an insecure default (public, weak permission, debug-on) that the deployer must remember to harden. Decision tree Q9 -> #1. |
| CWE-1220 | Insufficient Granularity of Access Control | #1 | Allowed | Access control granularity is too coarse (one privilege covers many actions), letting holders abuse capabilities they did not need. Decision tree Q9 -> #1. |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | #1 \| #8 | Allowed | Software-exposed interfaces to hardware features (debug, JTAG, register access). Software-vector exploitation abuses the exposed function (#1); physical-vector exploitation requires hardware access (#8). Context determines which. |
| CWE-1269 | Product Released in Non-Release Configuration | #1 | Allowed | Product shipped in non-release configuration (debug enabled, test endpoints reachable, default credentials active). Decision tree Q9 -> #1. |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | #1 | Allowed | SameSite attribute not set to Lax/Strict on a sensitive cookie, leaving the cookie attached to cross-site requests and enabling CSRF (#1). |
| CWE-1293 | Missing Source Correlation of Multiple Independent Data | #1 | Allowed | Security decision relies on a single data source without correlating against independent sources; spoofing one source defeats the check. Decision tree Q9 -> #1. |
| CWE-1327 | Binding to an Unrestricted IP Address | #1 | Allowed | Service binds to 0.0.0.0 (all interfaces) instead of a restricted interface, exposing functions intended for local use to the network. Decision tree Q9 -> #1. |
| CWE-1385 | Missing Origin Validation in WebSockets | #1 | Allowed | WebSocket handler does not validate the Origin header, enabling Cross-Site WebSocket Hijacking. Decision tree Q9 -> #1. |
| CWE-1390 | Weak Authentication | #1 | Allowed | Authentication mechanism is weak by design (e.g., easily defeated challenge, missing replay protection). Per ruling-1, auth-LOGIC weakness -> #1. |
| CWE-1434 | Insecure Setting of Generative AI/ML Model Inference Parameters | #1 | Allowed | Insecure default values for GenAI inference parameters (temperature, top-p, max-tokens) abuse the legitimate inference function to amplify prompt-injection or unsafe output. Decision tree Q9 -> #1. |
