Vulnerability classification

XBOW detects vulnerabilities and groups them by Common Weakness Enumeration (CWE) class, using the CWE classes that NIST's National Vulnerability Database (NVD) uses to classify vulnerability types.

The NVD classifies each vulnerability by CWE. XBOW uses the subset of the NVD's CWE classes that describe weaknesses relevant to web applications.

CWEs used to classify findings

The Finding type column indicates whether XBOW validates findings for each CWE and, consequently, their remediation priority. Finding types are listed from highest to lowest remediation priority.

  1. Validated: XBOW has built a non-AI, deterministic exploit validator for this class. Every finding reported for this CWE has been confirmed by that validator as a true vulnerability.
  2. Private preview: identification of this class of findings still produces many false positives. Contact XBOW if you want this option enabled.
  3. Informational: the finding indicates a potential issue or a non-standard configuration that departs from best practice, but not an immediately exploitable vulnerability.
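The difference between a Validated and an Informational finding is the kind of evidence behind it: a Validated finding is backed by a deterministic oracle that proves exploitation from the server's response, while an Informational finding records a configuration observation. The following is an added illustration of that distinction, not XBOW's own validator code. It assumes (hypothetically) that each probe result is summarised as a status code, a header dict and a body; that path traversal (CWE-22) is confirmed by a file signature the tester knows in advance, open redirect (CWE-601) by a redirect to a canary host the tester controls, and that clickjacking (CWE-1021) is only ever reported from the absence of framing protections. The sample responses are constructed for the example.

```python
"""Illustrative deterministic validators (added example; not XBOW's code).

Assumptions, none of them from the page: probe results are (status, headers,
body) triples; a passwd root entry proves CWE-22; a redirect whose Location
host is the tester's canary proves CWE-601; missing framing protections are
reported for CWE-1021 as Informational only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Remediation priority order from the page: Validated first, Informational last.
PRIORITY = {"Validated": 0, "Private preview": 1, "Informational": 2}


@dataclass(frozen=True)
class Finding:
    cwe: str
    finding_type: str
    evidence: str


# Root entry of a Unix passwd file: a signature the tester can predict, so the
# check is a plain pattern match rather than a model's judgement.
PASSWD_ROOT_LINE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def validate_path_traversal(body: str) -> Finding | None:
    """CWE-22 oracle: the response body must contain the passwd root entry."""
    if PASSWD_ROOT_LINE.search(body):
        return Finding("CWE-22", "Validated", "passwd root entry in response body")
    return None


def validate_open_redirect(status: int, headers: dict[str, str], canary_host: str) -> Finding | None:
    """CWE-601 oracle: a 3xx whose Location host is the tester-controlled canary.

    Relative redirects (Location: /login) have no host and are not a finding.
    """
    if not 300 <= status < 400:
        return None
    location = _header(headers, "location")
    if location is None:
        return None
    target = urlsplit(location)
    if target.scheme in ("http", "https") and target.hostname == canary_host:
        return Finding("CWE-601", "Validated", f"Location -> {location}")
    return None


def check_clickjacking(headers: dict[str, str]) -> Finding | None:
    """CWE-1021 observation: no X-Frame-Options and no CSP frame-ancestors.

    Nothing is exploited here, so the result is Informational at most.
    """
    xfo = _header(headers, "x-frame-options")
    csp = _header(headers, "content-security-policy") or ""
    if xfo is None and "frame-ancestors" not in csp.lower():
        return Finding("CWE-1021", "Informational", "no X-Frame-Options or CSP frame-ancestors")
    return None


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings for remediation: by finding type, then by CWE id."""
    return sorted(findings, key=lambda f: (PRIORITY[f.finding_type], f.cwe))


def demo() -> list[Finding]:
    """Run the checks over three constructed probe results and prioritise them."""
    # Constructed sample data; not captured from any real target.
    traversal_body = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    redirect_headers = {"Location": "https://canary.example/landing"}
    page_headers = {"Content-Type": "text/html; charset=utf-8"}

    candidates = [
        validate_path_traversal(traversal_body),
        validate_open_redirect(302, redirect_headers, "canary.example"),
        check_clickjacking(page_headers),
    ]
    return prioritize([f for f in candidates if f is not None])


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.cwe:9} {finding.finding_type:14} {finding.evidence}")
```

Each validator either returns a Finding with a fixed finding type or returns nothing; there is no confidence score to tune, which is what makes the Validated class free of false positives and why a header-absence check can never rise above Informational.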
| CWE ID | CWE Name | Finding type | Common Name |
|---|---|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | Validated | Path Traversal |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | Validated | Injection |
| CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | Validated | Command Injection |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | Validated | OS Command Injection |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Validated | (Stored/DOM) Cross-Site Scripting (XSS) |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | Validated | SQL Injection |
| CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | Validated | Code Injection |
| CWE-116 | Improper Encoding or Escaping of Output | Informational | Improper Encoding or Escaping of Output |
| CWE-287 | Improper Authentication | Informational | Improper Authentication |
| CWE-306 | Missing Authentication for Critical Function | Informational | Missing Authentication for Critical Function |
| CWE-352 | Cross-Site Request Forgery (CSRF) | Informational | Cross-Site Request Forgery (CSRF) |
| CWE-384 | Session Fixation | Informational | Session Fixation |
| CWE-425 | Direct Request (‘Forced Browsing’) | Informational | Direct Request (Forced Browsing) |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | Validated | Unrestricted Upload of File with Dangerous Type |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) | Validated | Unsafe Reflection |
| CWE-502 | Deserialization of Untrusted Data | Validated | Deserialization of Untrusted Data |
| CWE-552 | Files or Directories Accessible to External Parties | Informational | Files or Directories Accessible to External Parties |
| CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) | Validated | Open Redirect |
| CWE-611 | Improper Restriction of XML External Entity Reference (‘XXE’) | Validated | XML External Entity Reference (XXE) |
| CWE-639 | Authorization Bypass Through User-Controlled Key | Private preview | Authorization Bypass Through User-Controlled Key (IDOR) |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Informational | Inclusion of Functionality from Untrusted Control Sphere |
| CWE-862 | Missing Authorization | Validated | Missing Authorization |
| CWE-863 | Incorrect Authorization | Informational | Incorrect Authorization |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) | Validated | Expression Language Injection |
| CWE-918 | Server-Side Request Forgery (SSRF) | Validated | Server-Side Request Forgery (SSRF) |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | Informational | Clickjacking |