Vulnerability Index

From Guidance Share


Authentication

  • Weak passwords
  • Clear text credentials in configuration files
  • Passing clear text credentials over the network: attackers can monitor the network to steal authentication credentials and spoof identity
  • Over-privileged accounts
  • Long authentication ticket sessions
  • Mixing personalization with authentication: personalization data is suited to persistent cookies

Authorization

  • Reliance on a single gatekeeper
  • Failing to lock down system resources against application identities
  • Failing to limit database access to specified stored procedures
  • Inadequate separation of privileges

Auditing and Logging

  • Failing to audit failed logons
  • Failing to secure audit files
  • Failing to audit across application tiers

Configuration Management

  • Insecure administration interfaces
  • Insecure configuration stores
  • Clear text configuration data
  • Too many administrators
  • Over-privileged process accounts and service accounts

Cryptography

  • Using custom cryptography
  • Using the wrong algorithm or too small a key size
  • Failing to secure encryption keys
  • Using the same key for a prolonged period of time

Exception Management

  • Failing to use structured exception handling
  • Revealing too much information to the client

Input/Data Validation

  • Non-validated input in the Hypertext Markup Language (HTML) output stream
  • Non-validated input used to generate SQL queries
  • Reliance on client-side validation
  • Use of input file names, URLs, or user names for security decisions
  • Application-only filters for malicious input
  • Failing to validate all input parameters
  • Sensitive data in unencrypted cookies
  • Sensitive data in query strings and form fields
  • Trusting HTTP header information
  • Unprotected view state

Sensitive Data

  • Storing secrets when you do not need to
  • Storing secrets in code
  • Storing secrets in clear text
  • Passing sensitive data in clear text over networks

Session Management

  • Passing session identifiers over unencrypted channels
  • Prolonged user session identifier lifetime
  • Insecure session state stores
  • Session identifiers in query strings