CWE-Specific Remediation Guidance

This directory contains 168 CWE-specific remediation guides with OWASP-aligned recommendations for fixing security vulnerabilities discovered by SAST and Dynamic scans.

Coverage

  • 168 CWEs: With complete data path analysis guidance
  • 57 with Dynamic (DAST) Guidance: HTTP request/response analysis and source mapping hints integrated into static CWE pages

Browse CWE guidance:

  • CWE Guidance - 168 CWEs with comprehensive remediation guidance, geared to folks who've been presented with a Static or Dynamic Analysis report.

All CWEs include comprehensive remediation strategies that apply across languages:

  • Injection Flaws (17 CWEs): SQL, XSS, Command, XXE, LDAP, XML, etc.
  • Authentication & Authorization (13 CWEs): Access control, CSRF, SSRF, IDOR, etc.
  • Cryptography (24 CWEs): Weak crypto, hardcoded credentials, insecure storage, etc.
  • Memory Safety (14 CWEs): Buffer overflows, use-after-free, double-free, etc.
  • Path & File Handling (7 CWEs): Path traversal, deserialization, file inclusion, etc.
  • Information Disclosure (38 CWEs): Error messages, logging, XXE, temp files, etc.
  • Input Validation (17 CWEs): Integer overflow, regex DoS, format strings, etc.
  • Configuration (12 CWEs): Hard-coded paths, open redirect, Struts issues, etc.
  • Platform-Specific (10 CWEs): Android, ASP.NET, Mobile frameworks, etc.

Guidance Types

Static Analysis Guidance (153 CWEs):

  • 36 CWEs with language-specific examples (C, C#, Java, JavaScript, Perl, PHP, Python)
    • Examples: CWE-22 (Path Traversal), CWE-79 (XSS), CWE-89 (SQL Injection), CWE-78 (Command Injection)
  • 117 CWEs with generic remediation strategies (language-agnostic)
    • Examples: Memory safety, configuration issues, platform-specific vulnerabilities

Dynamic (DAST) Scan Guidance Available for 57 CWEs:

CWEs with integrated dynamic scan guidance include HTTP request/response analysis, framework-specific code search patterns, and strategies for mapping runtime findings to source code. Dynamic guidance appears in a dedicated section within each CWE's static guidance page.

Coverage includes:

  • Injection Vulnerabilities (14): SQL Injection, XSS, Command Injection, XXE, Deserialization, SSRF
  • Authentication & Authorization (8): Access Control, CSRF, Session Fixation, CORS
  • Cryptography & Secrets (13): Hard-coded Credentials, Certificate Validation, Weak Algorithms
  • Path & File Handling (5): Path Traversal, File Upload, External File Control
  • Information Disclosure (17): Error Messages, Directory Listing, Environment Variables, Source Code Exposure
  • State & Data Integrity (2): External State Control, Obsolete Functions

Generic Guidance Content

Each generic CWE guidance file includes:

  • Overview: What the vulnerability is
  • Risk: Severity and potential impact
  • OWASP Classification: Mapping to OWASP Top 10 2025
  • Primary Remediation: Core fix strategy
  • Secure Coding Practices: Input validation, output encoding, defense-in-depth
  • Language-Specific Guidance: High-level pointers for major languages
  • Additional Resources: Links to CWE, OWASP, SAST/Dynamic Scanner documentation
  • Next Steps: Concrete action items

Language-Specific Guidance Content

Detailed language-specific guides include:

  • Vulnerable Patterns: Code examples showing the vulnerability
  • Secure Patterns: Code examples showing the fix
  • Framework-Specific Guidance: Spring, ASP.NET, Django, Express, etc.
  • Input Validation Patterns: Reusable validation code
  • Common Pitfalls: Mistakes developers make
  • Migration Strategy: Step-by-step refactoring guide
  • Security Checklist: Verification items

OWASP Alignment

All guidance aligns with OWASP recommendations:

  • OWASP Top 10 2025 classification included
  • OWASP Cheat Sheet Series patterns referenced
  • OWASP ESAPI principles followed
  • Defense in Depth emphasized throughout
  • Secure by Default approach recommended

Language Coverage

Language-Specific Guidance Available:

  • C - Memory safety vulnerabilities
  • C# - .NET Framework, .NET Core, ASP.NET
  • Java - Spring, Jakarta EE, JDBC
  • JavaScript - Node.js, Express
  • Perl - Selected vulnerabilities
  • PHP - Core PHP patterns
  • Python - Django, Flask

Generic Guidance applies to all languages, with framework-agnostic remediation strategies.

Dynamic (DAST) Guidance Content

57 CWEs include integrated dynamic scan guidance accessible via a "Dynamic Scan Guidance" section within each CWE page. This guidance includes:

  • Overview: What the vulnerability is and how it was detected dynamically
  • Risk: Why dynamic findings represent real attack surface
  • HTTP Context Analysis: Understanding request/response details
  • Finding the Vulnerable Code: Strategies for locating endpoints
    • URL-based search patterns
    • Parameter-based search patterns
    • Framework-specific routing patterns
  • Remediation Steps: Step-by-step fix implementation
  • Framework-Specific Guidance: Code search patterns for Java, C#, Python, JavaScript, PHP
  • Testing Your Fix: How to reproduce and verify
  • Security Headers: HTTP security header recommendations

Dynamic guidance is accessible by navigating to a CWE page and selecting the "Dynamic (DAST)" option in the left navigation.

Usage Statistics

  • 168 CWEs with comprehensive remediation guidance
    • 57 include Dynamic (DAST) guidance integrated into main CWE pages
  • 7 languages with detailed code examples (C, C#, Java, JavaScript, Perl, PHP, Python)
  • OWASP Top 10 2025 coverage included