The product does not properly handle the case in which the expected number of parameters, fields, or arguments is not provided in input, or in which those parameters are undefined.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
The product stores sensitive information in cleartext in a cookie.
The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
The web application uses persistent cookies, but the cookies contain sensitive information.
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the cookie value is valid for the associated user.