Akto Vulnerabilities are now tagged with CWE
Developers and security teams crave a standardized frame of reference for vulnerabilities. CWE bridges the knowledge gap and provides much-needed context.
Ankita Gupta
10 mins
Introduction
Imagine you're reading a medical report that flags certain symptoms. While some are categorized as 'severe' or 'moderate,' without medical expertise, it's hard to grasp the real implications. Similarly, when inspecting software vulnerabilities, merely labeling them as Critical or Low doesn't offer much context. What developers and security teams crave is a clearer picture: a standardized frame of reference.
Problem at Hand
Many users who look at the vulnerabilities Akto identifies want to understand how important each one is. Tagging a vulnerability as Critical, High, Medium or Low helps, but severity alone says little about why the finding matters. Users want to know how these vulnerabilities relate to standard weakness definitions. That context lets them understand a finding before blindly fixing it, and it helps development teams prioritize better.
Why CWE Context Matters
In security work, the magnitude of a vulnerability is more than its immediate threat. It is about understanding its nature, its origin, and its potential ripple effects. For teams, this means prioritizing fixes efficiently, spending resources well, and minimizing risk.
Without a universal language or benchmark, however, this can feel like navigating uncharted waters.
Enter the Common Weakness Enumeration (CWE), which bridges that knowledge gap and provides the missing context.
What is CWE?
CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.
Common Language: CWE provides a shared vocabulary, ensuring that everyone, from novice developers to security veterans, is on the same page.
Benchmarking Tool: By aligning vulnerabilities with CWEs, security tools can offer more precise insights, enabling better decision-making.
Identification & Mitigation Blueprint: With a clear understanding of the vulnerability's nature, teams can design more effective mitigation strategies and preventive measures.
Akto’s Solution with CWE Tagging
Recognizing the transformative potential of CWE, we've revamped Akto's test library. Our aim? To provide users with a 360-degree view of vulnerabilities.
Every vulnerability detected by Akto now comes with one or more associated CWE tags. This isn't merely a cosmetic update. It's a paradigm shift in how users perceive, understand, and tackle vulnerabilities.
Informed Decision Making: With CWE tagging, users can gauge not only the severity but also the nature and implications of a vulnerability.
Enhanced Triage: Development teams can now prioritize fixes with better clarity, ensuring that the most pressing threats are addressed first.
Improved Knowledge Sharing: By referencing a standardized list, teams can collaborate more efficiently, sharing insights and strategies anchored in a common understanding.
Akto’s test library with CWE tagging
AbusingCRLFInHeaders.yaml - CWE-93, CWE-74, CWE-20 - CRLF Injection, Injection, Improper Input Validation
AddUserId.yaml - CWE-639, CWE-284, CWE-285 - Authorization Bypass Through User-Controlled Key, Improper Access Control, Improper Authorization
AirflowConfigurationExposure.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
AmazonDockerConfig.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
ApacheConfig.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
AppendXSS.yaml - CWE-79 - Cross-Site Scripting
AppspecYmlDisclosure.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
BOLAByChangingAuthToken.yaml - CWE-639, CWE-284, CWE-285 - Authorization Bypass Through User-Controlled Key, Improper Access Control, Improper Authorization
BasicXSS.yaml - CWE-79 - Cross-Site Scripting
BypassCaptchaRemovingCookie.yaml - CWE-307 - Improper Restriction of Excessive Authentication Attempts
BypassCaptchaUsingHeader.yaml - CWE-287 - Improper Authentication
CORSMisconfigurationInvalidOrigin.yaml - CWE-16 - Configuration
CORSMisconfigurationWhitelistOrigin.yaml - CWE-16 - Configuration
CSRFLoginAttack.yaml - CWE-352 - Cross-Site Request Forgery (CSRF)
CgiPrintEnv.yaml - CWE-16 - Configuration
CircleciConfig.yaml - CWE-16 - Configuration
CommandInjectionByAddingQueryParams.yaml - CWE-77 - Command Injection
ConfigJson.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
ConfigRuby.yaml - CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
ConfigurationListing.yaml - CWE-16 - Configuration
ContentTypeHeaderMissing.yaml - CWE-16 - Configuration
CookieMisconfiguration.yaml - CWE-16 - Configuration
DebugVars.yaml - CWE-16 - Configuration
DefaultLoginCredentials.yml - CWE-1392 - Use of Default Credentials
DescriptiveErrorMessageInvalidPayloads.yaml - CWE-209 - Generation of Error Message Containing Sensitive Information
DjangoDefaultHomepageEnabled.yaml - CWE-16 - Configuration
DjangoUrlExposed.yaml - CWE-16 - Configuration
DockerComposeConfig.yaml - CWE-16 - Configuration
DockerfileHiddenDisclosure.yaml - CWE-16 - Configuration
EsmtprcConfig.yaml - CWE-16 - Configuration
ExpressDefaultHomepageEnabled.yaml - CWE-16 - Configuration
ExpressStackTraceEnabled.yaml - CWE-16 - Configuration
FetchSensitiveFilesViaSSRF.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
FirebaseConfigExposure.yaml - CWE-16 - Configuration
FirebaseUnauthenticated.yaml - CWE-16 - Configuration
FlaskDebugModeEnabled.yaml - CWE-16 - Configuration
FtpCredentialsExposure.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
GitConfig.yaml - CWE-16 - Configuration
GitConfigNginxoffbyslash.yaml - CWE-16 - Configuration
GitCredentialsDisclosure.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
GithubWorkflowsDisclosure.yaml - CWE-16 - Configuration
GraphqlDebugModeEnabled.yaml - CWE-16 - Configuration
GraphqlDevelopmentConsoleExposed.yaml - CWE-16 - Configuration
GraphqlFieldSuggestionEnabled.yaml - CWE-16 - Configuration
GraphqlIntrospectionEnabled.yaml - CWE-16 - Configuration
GraphqlTypeIntrospectionAllowed.yaml - CWE-16 - Configuration
HeadMethodTest.yaml - CWE-16 - Configuration
HeaderReflectedInInvalidUrl.yaml - CWE-16 - Configuration
HttpResponseSplitting.yaml - CWE-93 - CRLF Injection
InvalidFileInput.yaml - CWE-728, CWE-388 - OWASP Top Ten 2004 Category A7 - Improper Error Handling, 7PK - Errors
JWTSigningInClientSide.yaml - CWE-287 - Improper Authentication
JwtAddJku.yaml - CWE-287 - Improper Authentication
JwtInvalidSignature.yaml - CWE-287 - Improper Authentication
JwtNoneAlgo.yaml - CWE-287 - Improper Authentication
KernelOpenCommandInjection.yaml - CWE-77 - Command Injection
KubernetesKustomizationDisclosure.yaml - CWE-16 - Configuration
LFIAddingNewParam.yaml - CWE-98 - PHP Remote File Inclusion
LFIInParameter.yaml - CWE-98 - PHP Remote File Inclusion
LFIInPath.yaml - CWE-98 - PHP Remote File Inclusion
LaravelDebugModeEnabled.yaml - CWE-16 - Configuration
LaravelDefaultHomepageEnabled.yaml - CWE-16 - Configuration
LaravelEnv.yaml - CWE-16 - Configuration
LaravelTelescopeEnabled.yaml - CWE-16 - Configuration
MassAssignmentChangeAccount.yaml - CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
MassAssignmentChangeAdmin.yaml - CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
MassAssignmentChangeRole.yaml - CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
MassAssignmentCreateAdminUser.yaml - CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
MisconfiguredDocker.yaml - CWE-16 - Configuration
MsmtpConfig.yaml - CWE-16 - Configuration
MustContainResponseHeaders.yaml - CWE-16 - Configuration
NginxConfig.yaml - CWE-16 - Configuration
NginxDefaultPageEnabled.yaml - CWE-16 - Configuration
NginxServerVersionDisclosed.yaml - CWE-16 - Configuration
NginxStatusVisible.yaml - CWE-16 - Configuration
NoAuth.yaml - CWE-287 - Improper Authentication
OldApiVersion.yaml - CWE-937 - OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
OpenRedirect.yaml - CWE-601, CWE-610 - Open Redirect, Externally Controlled Reference to a Resource in Another Sphere
OpenRedirectHostHeaderInjection.yaml - CWE-601, CWE-610 - Open Redirect, Externally Controlled Reference to a Resource in Another Sphere
OpenRedirectInPath.yaml - CWE-601, CWE-610 - Open Redirect, Externally Controlled Reference to a Resource in Another Sphere
OpenRedirectSubdomainWhitelist.yaml - CWE-601, CWE-610 - Open Redirect, Externally Controlled Reference to a Resource in Another Sphere
OracleEbsCredentials.yaml - CWE-16 - Configuration
PageDos.yaml - CWE-400 - Uncontrolled Resource Consumption
ParameterPollution.yaml - CWE-88, CWE-235 - Argument Injection, Improper Handling of Extra Parameters
ParametersConfig.yaml - CWE-16 - Configuration
PortScanningViaSSRF.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
PrometheusMetrics.yaml - CWE-16 - Configuration
RailsDebugModeEnabled.yaml - CWE-16 - Configuration
RailsDefaultHomepageEnabled.yaml - CWE-16 - Configuration
RandomMethodTest.yaml - CWE-16 - Configuration
RedisConfig.yaml - CWE-16 - Configuration
RemoveCSRF.yaml - CWE-352 - Cross-Site Request Forgery (CSRF)
RemoveCaptcha.yaml - CWE-287 - Improper Authentication
ReplaceCSRF.yaml - CWE-352 - Cross-Site Request Forgery (CSRF)
ReplayCaptcha.yaml - CWE-287 - Improper Authentication
RobomongoCredential.yaml - CWE-16 - Configuration
SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnAwsMetaEndpoint.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnCSVUpload.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnFiles.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnImageUpload.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnLocalhost.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnLocalhostDNSPinning.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnLocalhostEncoded.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnPDFUpload.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSRFOnXMLUpload.yaml - CWE-918 - Server-Side Request Forgery (SSRF)
SSTIInFlaskAndJinja.yaml - CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
SSTIInFreemarker.yaml - CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
SSTIInTwig.yaml - CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
ServerPrivateKeys.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
ServerVersionExposedInvalid.yaml - CWE-209 - Generation of Error Message Containing Sensitive Information
ServerVersionExposedValid.yaml - CWE-209 - Generation of Error Message Containing Sensitive Information
SessionFixation.yaml - CWE-384 - Session Fixation
SftpConfigExposure.yaml - CWE-16 - Configuration
SonarqubePublicProjects.yaml - CWE-16 - Configuration
SpringBootBeansActuatorExposed.yaml - CWE-16 - Configuration
SpringBootConfigPropsActuatorExposed.yaml - CWE-16 - Configuration
SpringBootEnvActuatorExposed.yaml - CWE-16 - Configuration
SpringBootHttpTraceActuatorExposed.yaml - CWE-16 - Configuration
SpringBootThreadDumpActuatorExposed.yaml - CWE-16 - Configuration
SshAuthorizedKeys.yaml - CWE-16 - Configuration
SshKnownHosts.yaml - CWE-16 - Configuration
StrutsDebugModeEnabled.yaml - CWE-16 - Configuration
StrutsOgnlConsoleEnabled.yaml - CWE-16 - Configuration
TextInjectionViaInvalidUrls.yaml - CWE-345 - Insufficient Verification of Data Authenticity
TraceMethodTest.yaml - CWE-16 - Configuration
TrackMethodTest.yaml - CWE-16 - Configuration
UnauthenticatedMongoExpress.yaml - CWE-16 - Configuration
UnwantedResponseHeaders.yaml - CWE-16 - Configuration
WgetrcConfig.yaml - CWE-16 - Configuration
WpconfigAwsKeys.yaml - CWE-200, CWE-213 - Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive Information Due to Incompatible Policies
XSSInPath.yaml - CWE-79 - Cross-Site Scripting
XSSViaFilename.yaml - CWE-79 - Cross-Site Scripting
Where to find CWE tagging in Akto
Follow these steps:
Navigate to test results
Click on one of the results
Scroll down and see CWE tagging
Wrapping up
Start finding API vulnerabilities now with Akto. You can begin by deploying Akto self-hosted or by running Akto cloud.