MITRE CWE

Common Weakness Enumeration

The MITRE Corporation is a not-for-profit organization that manages federally funded research and development centers in the U.S. The Common Weakness Enumeration (CWE) is a formal list of software weakness types aimed at developers and security practitioners. It serves as a common language for classifying and categorizing vulnerabilities, attacks, and faults in architecture, design, and code. Each weakness type is assigned a CWE ID, which can have multiple relations to other IDs, such as being a child or a parent of another ID. Note that many CWE IDs are reserved for language-specific or technology-specific issues, so not all IDs apply to the PHP programming language.

RIPS supports over 80 of the security weaknesses listed in the CWE database that are relevant to PHP and detectable by static analysis. It helps you quickly locate them in your application and provides detailed information for remediation.

Selected supported CWE IDs

CWE ID   Name
15       External Control of System or Configuration Setting
22       Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
78       Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
79       Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
80       Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
81       Improper Neutralization of Script in an Error Message Web Page
82       Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
83       Improper Neutralization of Script in Attributes in a Web Page
84       Improper Neutralization of Encoded URI Schemes in a Web Page
86       Improper Neutralization of Invalid Characters in Identifiers in Web Pages
89       Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
90       Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
91       XML Injection (aka Blind XPath Injection)
93       Improper Neutralization of CRLF Sequences ('CRLF Injection')
94       Improper Control of Generation of Code ('Code Injection')
95       Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
97       Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
98       Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
99       Improper Control of Resource Identifiers ('Resource Injection')
113      Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
114      Process Control
120      Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
121      Stack-based Buffer Overflow
122      Heap-based Buffer Overflow
124      Buffer Underwrite ('Buffer Underflow')
131      Incorrect Calculation of Buffer Size
134      Use of Externally-Controlled Format String
135      Incorrect Calculation of Multi-Byte String Length
185      Incorrect Regular Expression
187      Partial Comparison
190      Integer Overflow or Wraparound
200      Information Exposure
242      Use of Inherently Dangerous Function
250      Execution with Unnecessary Privileges
256      Plaintext Storage of a Password
259      Use of Hard-coded Password
295      Improper Certificate Validation
297      Improper Validation of Certificate with Host Mismatch
306      Missing Authentication for Critical Function
321      Use of Hard-coded Cryptographic Key
327      Use of a Broken or Risky Cryptographic Algorithm
328      Reversible One-Way Hash
329      Not Using a Random IV with CBC Mode
331      Insufficient Entropy
346      Origin Validation Error
384      Session Fixation
415      Double Free
416      Use After Free
434      Unrestricted Upload of File with Dangerous Type
454      External Initialization of Trusted Variables or Data Stores
456      Missing Initialization of a Variable
470      Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
473      PHP External Variable Modification
476      NULL Pointer Dereference
477      Use of Obsolete Functions
494      Download of Code Without Integrity Check
502      Deserialization of Untrusted Data
506      Embedded Malicious Code
598      Information Exposure Through Query Strings in GET Request
601      URL Redirection to Untrusted Site ('Open Redirect')
613      Insufficient Session Expiration
614      Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
624      Executable Regular Expression Error
625      Permissive Regular Expression
627      Dynamic Variable Evaluation
643      Improper Neutralization of Data within XPath Expressions ('XPath Injection')
652      Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
676      Use of Potentially Dangerous Function
693      Protection Mechanism Failure
732      Incorrect Permission Assignment for Critical Resource
759      Use of a One-Way Hash without a Salt
798      Use of Hard-coded Credentials
807      Reliance on Untrusted Inputs in a Security Decision
829      Inclusion of Functionality from Untrusted Control Sphere
843      Access of Resource Using Incompatible Type ('Type Confusion')
862      Missing Authorization
863      Incorrect Authorization
900      Weaknesses in the CWE/SANS Top 25 Most Dangerous Software Errors
915      Improperly Controlled Modification of Dynamically-Determined Object Attributes
916      Use of Password Hash With Insufficient Computational Effort
918      Server-Side Request Forgery (SSRF)
928      Weaknesses in OWASP Top Ten
1004     Sensitive Cookie Without 'HttpOnly' Flag