Common Weakness Enumeration

The MITRE Corporation is a not-for-profit organization that manages federally funded research and development centers in the U.S. The Common Weakness Enumeration, CWE for short, is a formal list of software weakness types aimed at developers and security practitioners. It serves as a common language for classifying and categorizing vulnerabilities, attacks, and faults in architecture, design, and code. Each weakness type is assigned a CWE ID, which can have multiple relations to other IDs, such as being a child or a parent of another ID. Note that many CWE IDs are reserved for language-specific or technology-specific issues, so not all IDs apply to the PHP programming language.

RIPS supports over 80 of the common security weaknesses listed in the CWE database that are relevant to PHP and can be detected by static analysis, helps you quickly locate them in your application, and provides detailed information for remediation.

Selected supported CWE IDs

CWE-15: External Control of System or Configuration Setting
CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23: Relative Path Traversal
CWE-73: External Control of File Name or Path
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-81: Improper Neutralization of Script in an Error Message Web Page
CWE-82: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
CWE-83: Improper Neutralization of Script in Attributes in a Web Page
CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-91: XML Injection (aka Blind XPath Injection)
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-114: Process Control
CWE-117: Improper Output Neutralization for Logs
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-121: Stack-based Buffer Overflow
CWE-122: Heap-based Buffer Overflow
CWE-124: Buffer Underwrite ('Buffer Underflow')
CWE-131: Incorrect Calculation of Buffer Size
CWE-134: Use of Externally-Controlled Format String
CWE-135: Incorrect Calculation of Multi-Byte String Length
CWE-143: Improper Neutralization of Record Delimiters
CWE-185: Incorrect Regular Expression
CWE-187: Partial Comparison
CWE-190: Integer Overflow or Wraparound
CWE-200: Information Exposure
CWE-201: Information Exposure Through Sent Data
CWE-209: Information Exposure Through an Error Message
CWE-214: Information Exposure Through Process Environment
CWE-233: Improper Handling of Parameters
CWE-242: Use of Inherently Dangerous Function
CWE-248: Uncaught Exception
CWE-250: Execution with Unnecessary Privileges
CWE-253: Incorrect Check of Function Return Value
CWE-256: Plaintext Storage of a Password
CWE-259: Use of Hard-coded Password
CWE-291: Reliance on IP Address for Authentication
CWE-295: Improper Certificate Validation
CWE-297: Improper Validation of Certificate with Host Mismatch
CWE-306: Missing Authentication for Critical Function
CWE-321: Use of Hard-coded Cryptographic Key
CWE-325: Missing Required Cryptographic Step
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-328: Reversible One-Way Hash
CWE-329: Not Using a Random IV with CBC Mode
CWE-330: Use of Insufficiently Random Values
CWE-331: Insufficient Entropy
CWE-346: Origin Validation Error
CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-369: Divide By Zero
CWE-384: Session Fixation
CWE-390: Detection of Error Condition Without Action
CWE-396: Declaration of Catch for Generic Exception
CWE-397: Declaration of Throws for Generic Exception
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE-415: Double Free
CWE-416: Use After Free
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-454: External Initialization of Trusted Variables or Data Stores
CWE-456: Missing Initialization of a Variable
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-471: Modification of Assumed-Immutable Data (MAID)
CWE-473: PHP External Variable Modification
CWE-476: NULL Pointer Dereference
CWE-477: Use of Obsolete Functions
CWE-478: Missing Default Case in Switch Statement
CWE-481: Assigning instead of Comparing
CWE-482: Comparing instead of Assigning
CWE-484: Omitted Break Statement in Switch
CWE-489: Leftover Debug Code
CWE-494: Download of Code Without Integrity Check
CWE-502: Deserialization of Untrusted Data
CWE-506: Embedded Malicious Code
CWE-523: Unprotected Transport of Credentials
CWE-539: Information Exposure Through Persistent Cookies
CWE-546: Suspicious Comment
CWE-548: Information Exposure Through Directory Listing
CWE-571: Expression is Always True
CWE-572: Expression is Always False
CWE-584: Return Inside Finally Block
CWE-597: Use of Wrong Operator in String Comparison
CWE-598: Information Exposure Through Query Strings in GET Request
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-613: Insufficient Session Expiration
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-621: Variable Extraction Error
CWE-624: Executable Regular Expression Error
CWE-625: Permissive Regular Expression
CWE-626: Null Byte Interaction Error (Poison Null Byte)
CWE-627: Dynamic Variable Evaluation
CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
CWE-676: Use of Potentially Dangerous Function
CWE-693: Protection Mechanism Failure
CWE-698: Execution After Redirect (EAR)
CWE-730: Denial of Service
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-755: Improper Handling of Exceptional Conditions
CWE-759: Use of a One-Way Hash without a Salt
CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
CWE-798: Use of Hard-coded Credentials
CWE-807: Reliance on Untrusted Inputs in a Security Decision
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-834: Excessive Iteration
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-900: Weaknesses in the CWE/SANS Top 25 Most Dangerous Software Errors
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-916: Use of Password Hash With Insufficient Computational Effort
CWE-918: Server-Side Request Forgery (SSRF)
CWE-928: Weaknesses in OWASP Top Ten
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
CWE-1021: Improper Restriction of Rendered UI Layers or Frames