Panel Discussion: API Security in DevSecOps. Watch the Recording


Akto Vulnerabilities are now tagged with CWE

Developers and security teams crave a standardized frame of reference for vulnerabilities. CWE bridges the knowledge gap and provides much-needed context.

Ankita Gupta - Akto's CEO



Introduction

Imagine you're reading a medical report that flags certain symptoms. While some are categorized as 'severe' or 'moderate,' without medical expertise, it's hard to grasp the real implications. Similarly, when inspecting software vulnerabilities, merely labeling them as Critical or Low doesn't offer much context. What developers and security teams crave is a clearer picture: a standardized frame of reference.

Problem at Hand

Many users who look at the vulnerabilities identified by Akto want to understand how important a given vulnerability is. Tagging vulnerabilities as Critical, High, Medium or Low helps, but it still lacks context about why the finding matters. Users want to understand how these vulnerabilities relate to standard weakness definitions. This gives them much more context before fixing the vulnerability, rather than fixing it blindly, and also helps development teams prioritize better.

Why CWE Context Matters

In the cybersecurity realm, the magnitude of a vulnerability is more than its immediate threat. It's about understanding its nature, origin, and potential ripple effects. For teams, this means prioritizing fixes efficiently, ensuring resources are well-spent, and minimizing risk.

However, without a universal language or benchmark, this can be akin to navigating uncharted waters.

Enter the Common Weakness Enumeration (CWE).

This is precisely where CWE steps in, bridging the knowledge gap and providing much-needed context.

What is CWE?

CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

  1. Common Language: CWE provides a shared vocabulary, ensuring that everyone, from novice developers to security veterans, is on the same page.

  2. Benchmarking Tool: By aligning vulnerabilities with CWEs, security tools can offer more precise insights, enabling better decision-making.

  3. Identification & Mitigation Blueprint: With a clear understanding of the vulnerability's nature, teams can design more effective mitigation strategies and preventive measures.

Akto’s Solution with CWE Tagging

Recognizing the transformative potential of CWE, we've revamped Akto's test library. Our aim? To provide users with a 360-degree view of vulnerabilities.

Every vulnerability detected by Akto now comes with one or more associated CWE tags. This isn't merely a cosmetic update. It's a paradigm shift in how users perceive, understand, and tackle vulnerabilities.

  1. Informed Decision Making: With CWE tagging, users can gauge not only the severity but also the nature and implications of a vulnerability.

  2. Enhanced Triage: Development teams can now prioritize fixes with better clarity, ensuring that the most pressing threats are addressed first.

  3. Improved Knowledge Sharing: By referencing a standardized list, teams can collaborate more efficiently, sharing insights and strategies anchored in a common understanding.


Akto’s test library with CWE tagging

  1. AbusingCRLFInHeaders.yaml - CWE-93, CWE-74, CWE-20 - CRLF Injection, Injection, Improper Input Validation

  2. AddUserId.yaml - CWE-639, CWE-284, CWE-285 - Authorization Bypass Through User-Controlled Key, Improper Access Control, Improper Authorization

  3. AirflowConfigurationExposure.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  4. AmazonDockerConfig.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  5. ApacheConfig.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  6. AppendXSS.yaml - CWE-79 - Cross-Site Scripting

  7. AppspecYmlDisclosure.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  8. BOLAByChangingAuthToken.yaml - CWE-639, CWE-284, CWE-285 - Authorization Bypass Through User-Controlled Key, Improper Access Control, Improper Authorization

  9. BasicXSS.yaml - CWE-79 - Cross-Site Scripting

  10. BypassCaptchaRemovingCookie.yaml - CWE-307 - Improper Restriction of Excessive Authentication Attempts

  11. BypassCaptchaUsingHeader.yaml - CWE-287 - Improper Authentication

  12. CORSMisconfigurationInvalidOrigin.yaml - CWE-16 - Configuration

  13. CORSMisconfigurationWhitelistOrigin.yaml - CWE-16 - Configuration

  14. CSRFLoginAttack.yaml - CWE-352 - Cross-Site Request Forgery (CSRF)

  15. CgiPrintEnv.yaml - CWE-16 - Configuration

  16. CircleciConfig.yaml - CWE-16 - Configuration

  17. CommandInjectionByAddingQueryParams.yaml - CWE-77 - Command Injection

  18. ConfigJson.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  19. ConfigRuby.yaml - CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

  20. ConfigurationListing.yaml - CWE-16 - Configuration

  21. ContentTypeHeaderMissing.yaml - CWE-16 - Configuration

  22. CookieMisconfiguration.yaml - CWE-16 - Configuration

  23. DebugVars.yaml - CWE-16 - Configuration

  24. DefaultLoginCredentials.yml - CWE-1392 - Use of Default Credentials

  25. DescriptiveErrorMessageInvalidPayloads.yaml - CWE-209 - Generation of Error Message Containing Sensitive Information

  26. DjangoDefaultHomepageEnabled.yaml - CWE-16 - Configuration

  27. DjangoUrlExposed.yaml - CWE-16 - Configuration

  28. DockerComposeConfig.yaml - CWE-16 - Configuration

  29. DockerfileHiddenDisclosure.yaml - CWE-16 - Configuration

  30. EsmtprcConfig.yaml - CWE-16 - Configuration

  31. ExpressDefaultHomepageEnabled.yaml - CWE-16 - Configuration

  32. ExpressStackTraceEnabled.yaml - CWE-16 - Configuration

  33. FetchSensitiveFilesViaSSRF.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  34. FirebaseConfigExposure.yaml - CWE-16 - Configuration

  35. FirebaseUnauthenticated.yaml - CWE-16 - Configuration

  36. FlaskDebugModeEnabled.yaml - CWE-16 - Configuration

  37. FtpCredentialsExposure.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  38. GitConfig.yaml - CWE-16 - Configuration

  39. GitConfigNginxoffbyslash.yaml - CWE-16 - Configuration

  40. GitCredentialsDisclosure.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  41. GithubWorkflowsDisclosure.yaml - CWE-16 - Configuration

  42. GraphqlDebugModeEnabled.yaml - CWE-16 - Configuration

  43. GraphqlDevelopmentConsoleExposed.yaml - CWE-16 - Configuration

  44. GraphqlFieldSuggestionEnabled.yaml - CWE-16 - Configuration

  45. GraphqlIntrospectionEnabled.yaml - CWE-16 - Configuration

  46. GraphqlTypeIntrospectionAllowed.yaml - CWE-16 - Configuration

  47. HeadMethodTest.yaml - CWE-16 - Configuration

  48. HeaderReflectedInInvalidUrl.yaml - CWE-16 - Configuration

  49. HttpResponseSplitting.yaml - CWE-93 - CRLF Injection

  50. InvalidFileInput.yaml - CWE-728, CWE-388 - OWASP Top Ten 2004 Category A7 - Improper Error Handling, 7PK - Errors

  51. JWTSigningInClientSide.yaml - CWE-287 - Improper Authentication

  52. JwtAddJku.yaml - CWE-287 - Improper Authentication

  53. JwtInvalidSignature.yaml - CWE-287 - Improper Authentication

  54. JwtNoneAlgo.yaml - CWE-287 - Improper Authentication

  55. KernelOpenCommandInjection.yaml - CWE-77 - Command Injection

  56. KubernetesKustomizationDisclosure.yaml - CWE-16 - Configuration

  57. LFIAddingNewParam.yaml - CWE-98 - PHP Remote File Inclusion

  58. LFIInParameter.yaml - CWE-98 - PHP Remote File Inclusion

  59. LFIInPath.yaml - CWE-98 - PHP Remote File Inclusion

  60. LaravelDebugModeEnabled.yaml - CWE-16 - Configuration

  61. LaravelDefaultHomepageEnabled.yaml - CWE-16 - Configuration

  62. LaravelEnv.yaml - CWE-16 - Configuration

  63. LaravelTelescopeEnabled.yaml - CWE-16 - Configuration

  64. MassAssignmentChangeAccount.yaml - CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

  65. MassAssignmentChangeAdmin.yaml - CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

  66. MassAssignmentChangeRole.yaml - CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

  67. MassAssignmentCreateAdminUser.yaml - CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

  68. MisconfiguredDocker.yaml - CWE-16 - Configuration

  69. MsmtpConfig.yaml - CWE-16 - Configuration

  70. MustContainResponseHeaders.yaml - CWE-16 - Configuration

  71. NginxConfig.yaml - CWE-16 - Configuration

  72. NginxDefaultPageEnabled.yaml - CWE-16 - Configuration

  73. NginxServerVersionDisclosed.yaml - CWE-16 - Configuration

  74. NginxStatusVisible.yaml - CWE-16 - Configuration

  75. NoAuth.yaml - CWE-287 - Improper Authentication

  76. OldApiVersion.yaml - CWE-937 - OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

  77. OpenRedirect.yaml - CWE-601, CWE-610 - Open Redirect, Externally Controlled Reference to a Resource in Another Sphere

  78. OpenRedirectHostHeaderInjection.yaml - CWE-601, CWE-610 - Open Redirect, Externally Controlled Reference to a Resource in Another Sphere

  79. OpenRedirectInPath.yaml - CWE-601, CWE-610 - Open Redirect, Externally Controlled Reference to a Resource in Another Sphere

  80. OpenRedirectSubdomainWhitelist.yaml - CWE-601, CWE-610 - Open Redirect, Externally Controlled Reference to a Resource in Another Sphere

  81. OracleEbsCredentials.yaml - CWE-16 - Configuration

  82. PageDos.yaml - CWE-400 - Uncontrolled Resource Consumption

  83. ParameterPollution.yaml - CWE-88, CWE-235 - Argument Injection, Improper Handling of Extra Parameters

  84. ParametersConfig.yaml - CWE-16 - Configuration

  85. PortScanningViaSSRF.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  86. PrometheusMetrics.yaml - CWE-16 - Configuration

  87. RailsDebugModeEnabled.yaml - CWE-16 - Configuration

  88. RailsDefaultHomepageEnabled.yaml - CWE-16 - Configuration

  89. RandomMethodTest.yaml - CWE-16 - Configuration

  90. RedisConfig.yaml - CWE-16 - Configuration

  91. RemoveCSRF.yaml - CWE-352 - Cross-Site Request Forgery (CSRF)

  92. RemoveCaptcha.yaml - CWE-287 - Improper Authentication

  93. ReplaceCSRF.yaml - CWE-352 - Cross-Site Request Forgery (CSRF)

  94. ReplayCaptcha.yaml - CWE-287 - Improper Authentication

  95. RobomongoCredential.yaml - CWE-16 - Configuration

  96. SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  97. SSRFOnAwsMetaEndpoint.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  98. SSRFOnCSVUpload.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  99. SSRFOnFiles.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  100. SSRFOnImageUpload.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  101. SSRFOnLocalhost.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  102. SSRFOnLocalhostDNSPinning.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  103. SSRFOnLocalhostEncoded.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  104. SSRFOnPDFUpload.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  105. SSRFOnXMLUpload.yaml - CWE-918 - Server-Side Request Forgery (SSRF)

  106. SSTIInFlaskAndJinja.yaml - CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

  107. SSTIInFreemarker.yaml - CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

  108. SSTIInTwig.yaml - CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

  109. ServerPrivateKeys.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  110. ServerVersionExposedInvalid.yaml - CWE-209 - Generation of Error Message Containing Sensitive Information

  111. ServerVersionExposedValid.yaml - CWE-209 - Generation of Error Message Containing Sensitive Information

  112. SessionFixation.yaml - CWE-384 - Session Fixation

  113. SftpConfigExposure.yaml - CWE-16 - Configuration

  114. SonarqubePublicProjects.yaml - CWE-16 - Configuration

  115. SpringBootBeansActuatorExposed.yaml - CWE-16 - Configuration

  116. SpringBootConfigPropsActuatorExposed.yaml - CWE-16 - Configuration

  117. SpringBootEnvActuatorExposed.yaml - CWE-16 - Configuration

  118. SpringBootHttpTraceActuatorExposed.yaml - CWE-16 - Configuration

  119. SpringBootThreadDumpActuatorExposed.yaml - CWE-16 - Configuration

  120. SshAuthorizedKeys.yaml - CWE-16 - Configuration

  121. SshKnownHosts.yaml - CWE-16 - Configuration

  122. StrutsDebugModeEnabled.yaml - CWE-16 - Configuration

  123. StrutsOgnlConsoleEnabled.yaml - CWE-16 - Configuration

  124. TextInjectionViaInvalidUrls.yaml - CWE-345 - Insufficient Verification of Data Authenticity

  125. TraceMethodTest.yaml - CWE-16 - Configuration

  126. TrackMethodTest.yaml - CWE-16 - Configuration

  127. UnauthenticatedMongoExpress.yaml - CWE-16 - Configuration

  128. UnwantedResponseHeaders.yaml - CWE-16 - Configuration

  129. WgetrcConfig.yaml - CWE-16 - Configuration

  130. WpconfigAwsKeys.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies

  131. XSSInPath.yaml - CWE-79 - Cross-Site Scripting

  132. XSSViaFilename.yaml - CWE-79 - Cross-Site Scripting
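As an added example (not Akto's own code), the following Python parses entries in the listing format above, maps each test file to its CWE tags, and groups a constructed set of scan findings by CWE so that the same root cause reported by several tests surfaces once, ranked by worst severity. The library entries and findings are constructed samples; only the entry format follows the page.

```python
import re
from collections import defaultdict

# Constructed sample of test-library entries, in the "<test>.yaml - <CWE ids> - <names>"
# format of the listing on this page (the real library has 130+ entries).
LIBRARY = [
    "AddUserId.yaml - CWE-639, CWE-284, CWE-285 - Authorization Bypass Through User-Controlled Key, Improper Access Control, Improper Authorization",
    "BOLAByChangingAuthToken.yaml - CWE-639, CWE-284, CWE-285 - Authorization Bypass Through User-Controlled Key, Improper Access Control, Improper Authorization",
    "BasicXSS.yaml - CWE-79 - Cross-Site Scripting",
    "NoAuth.yaml - CWE-287 - Improper Authentication",
]
ENTRY = re.compile(r"^(?P<test>\S+\.ya?ml)\s*-\s*(?P<cwes>CWE-\d+(?:\s*,\s*CWE-\d+)*)\s*-\s*(?P<names>.+)$")
SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}

def parse_entry(line):
    """Return (test_file, {cwe_id: weakness_name}) for one listing line."""
    m = ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised entry: {line!r}")
    cwes = [c.strip() for c in m["cwes"].split(",")]
    names = [n.strip() for n in m["names"].split(",")]
    return m["test"], dict(zip(cwes, names))  # names are listed in the same order as the ids

def load_library(entries):
    """Map each test file to its CWE tags."""
    return dict(parse_entry(line) for line in entries)

def triage_by_cwe(findings, test_to_cwes):
    """Group findings (test, severity, endpoint) by CWE; rank by worst severity, then endpoint count."""
    buckets = defaultdict(lambda: {"name": "", "worst": 0, "endpoints": set()})
    for test, severity, endpoint in findings:
        for cwe, name in test_to_cwes[test].items():
            b = buckets[cwe]
            b["name"] = name
            b["worst"] = max(b["worst"], SEVERITY_RANK[severity])
            b["endpoints"].add(endpoint)
    ranked = sorted(buckets.items(), key=lambda kv: (-kv[1]["worst"], -len(kv[1]["endpoints"]), kv[0]))
    return [(cwe, b["name"], len(b["endpoints"])) for cwe, b in ranked]

# Constructed findings, as a scan might report them: (test file, severity, endpoint).
FINDINGS = [
    ("AddUserId.yaml", "HIGH", "GET /api/users/{id}"),
    ("BOLAByChangingAuthToken.yaml", "HIGH", "GET /api/orders/{id}"),
    ("BasicXSS.yaml", "MEDIUM", "POST /api/comments"),
    ("NoAuth.yaml", "CRITICAL", "GET /api/admin/export"),
]

if __name__ == "__main__":
    for cwe, name, n in triage_by_cwe(FINDINGS, load_library(LIBRARY)):
        print(f"{cwe:8} {name:50} {n} endpoint(s)")
```

Because both BOLA tests carry the same three CWE tags, the two authorization findings collapse into one CWE-284/285/639 bucket spanning two endpoints, which is the "same root cause, one fix" view the tagging is meant to give.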

Where to find CWE tagging in Akto

Follow these steps:

  1. Navigate to test results. (Screenshot: Navigate to test results)

  2. Click on one of the results. (Screenshot: Click on scan results / Click on vulnerability results)

  3. Scroll down to see the CWE tagging. (Screenshot: CWE in a vulnerability)

Wrapping up

Start your journey of finding API vulnerabilities now with Akto. You can start by deploying Akto self-hosted or by running Akto cloud.

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.
