diff --git a/.gitattributes b/.gitattributes index 9f45a92b72..c8491a0e7f 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,2 @@ evals/registry/data/**/*.jsonl filter=lfs diff=lfs merge=lfs -text +evals/registry/data/cwes/samples.jsonl filter=lfs diff=lfs merge=lfs -text diff --git a/evals/registry/data/cwes/samples.jsonl b/evals/registry/data/cwes/samples.jsonl new file mode 100644 index 0000000000..cfc920695b --- /dev/null +++ b/evals/registry/data/cwes/samples.jsonl @@ -0,0 +1,182 @@ +{"input": [{"role": "user", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Debugging messages help attackers learn about the system and plan a form of attack."}], "ideal": ["Debug Misconfiguration","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers."}], "ideal": ["Hardcoded Credentials","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "One or more system settings or configuration elements can be externally controlled by a user."}], "ideal": ["External Control of System or Configuration Setting","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."}], "ideal": ["Improper Input Validation","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."}], "ideal": ["Path Traversal","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory."}], "ideal": ["Relative Path Traversal","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory."}], "ideal": ["Path Traversal","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource."}], "ideal": ["Link Following","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product allows user input to control or influence paths or file names that are used in filesystem operations."}], "ideal": ["External Control of File Name or Path","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component."}], "ideal": ["Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not adequately filter user-controlled input for special elements with control implications."}], "ideal": ["Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component."}], "ideal": ["Command Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."}], "ideal": ["OS Command Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."}], "ideal": ["Cross-site Scripting","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages."}], "ideal": ["Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style."}], "ideal": ["Improper Neutralization of Script in Attributes in a Web Page","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax."}], "ideal": ["Improper Neutralization of Alternate XSS Syntax","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string."}], "ideal": ["Argument Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component."}], "ideal": ["SQL Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component."}], "ideal": ["LDAP Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system."}], "ideal": ["XML Injection (aka Blind XPath Injection)","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs."}], "ideal": ["CRLF Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."}], "ideal": ["Code Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval)."}], "ideal": ["Eval Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template."}], "ideal": ["Static Code Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive."}], "ideal": ["Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions."}], "ideal": ["PHP Remote File Inclusion","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control."}], "ideal": ["Resource Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers."}], "ideal": ["HTTP Request/Response Splitting","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved."}], "ideal": ["Improper Encoding or Escaping of Output","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not neutralize or incorrectly neutralizes output that is written to logs."}], "ideal": ["Improper Output Neutralization for Logs","Security Logging and Monitoring Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component."}], "ideal": ["Improper Neutralization of Special Elements","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses."}], "ideal": ["Permissive List of Allowed Inputs","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses."}], "ideal": ["Incomplete List of Disallowed Inputs","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."}], "ideal": ["Exposure of Sensitive Information to an Unauthorized Actor","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor."}], "ideal": ["Insertion of Sensitive Information Into Sent Data","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product generates an error message that includes sensitive information about its environment, users, or associated data."}], "ideal": ["Generation of Error Message Containing Sensitive Information","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed."}], "ideal": ["Exposure of Sensitive Information Due to Incompatible Policies","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties."}], "ideal": ["Storage of File with Sensitive Data Under Web Root","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe."}], "ideal": ["Omission of Security-relevant Information","Security Logging and Monitoring Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount."}], "ideal": ["Improper Handling of Extra Parameters","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Storing a password in plaintext may result in a system compromise."}], "ideal": ["Plaintext Storage of a Password","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts."}], "ideal": ["Storing Passwords in a Recoverable Format","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components."}], "ideal": ["Use of Hard-coded Password","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores a password in a configuration file that might be accessible to actors who do not know the password."}], "ideal": ["Password in Configuration File","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Obscuring a password with a trivial encoding does not protect the password."}], "ideal": ["Weak Encoding for Password","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor."}], "ideal": ["Incorrect Privilege Assignment","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor."}], "ideal": ["Improper Privilege Management","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "During installation, installed file permissions are set to allow anyone to modify those files."}], "ideal": ["Incorrect Default Permissions","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state."}], "ideal": ["Improper Handling of Insufficient Permissions or Privileges ","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor."}], "ideal": ["Improper Access Control","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action."}], "ideal": ["Improper Authorization","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct."}], "ideal": ["Improper Authentication","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "A product requires authentication, but the product has an alternate path or channel that does not require authentication."}], "ideal": ["Authentication Bypass Using an Alternate Path or Channel","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks."}], "ideal": ["Authentication Bypass by Spoofing","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes)."}], "ideal": ["Authentication Bypass by Capture-replay","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not validate, or incorrectly validates, a certificate."}], "ideal": ["Improper Certificate Validation","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate."}], "ideal": ["Improper Following of a Certificate's Chain of Trust","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host."}], "ideal": ["Improper Validation of Certificate with Host Mismatch","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint."}], "ideal": ["Channel Accessible by Non-Endpoint","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker."}], "ideal": ["Authentication Bypass by Assumed-Immutable Data","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product implements an authentication technique, but it skips a step that weakens the technique."}], "ideal": ["Missing Critical Step in Authentication","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources."}], "ideal": ["Missing Authentication for Critical Function","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks."}], "ideal": ["Improper Restriction of Excessive Authentication Attempts","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not encrypt sensitive or critical information before storage or transmission."}], "ideal": ["Missing Encryption of Sensitive Data","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere."}], "ideal": ["Cleartext Storage of Sensitive Information","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores sensitive information in cleartext in a file, or on disk."}], "ideal": ["Cleartext Storage in a File or on Disk","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores sensitive information in cleartext in a cookie."}], "ideal": ["Cleartext Storage of Sensitive Information in a Cookie","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores sensitive information in cleartext in memory."}], "ideal": ["Cleartext Storage of Sensitive Information in Memory","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors."}], "ideal": ["Cleartext Transmission of Sensitive Information","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered."}], "ideal": ["Use of Hard-coded Cryptographic Key","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product performs a key exchange with an actor without verifying the identity of that actor."}], "ideal": ["Key Exchange without Entity Authentication","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Nonces should be used for the present occasion and only once."}], "ideal": ["Reusing a Nonce, Key Pair in Encryption","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key."}], "ideal": ["Use of a Key Past its Expiration Date","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm."}], "ideal": ["Missing Cryptographic Step","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required."}], "ideal": ["Inadequate Encryption Strength","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a broken or risky cryptographic algorithm or protocol."}], "ideal": ["Use of a Broken or Risky Cryptographic Algorithm","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack)."}], "ideal": ["Use of Weak Hash","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key."}], "ideal": ["Generation of Predictable IV with CBC Mode","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers."}], "ideal": ["Use of Insufficiently Random Values","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others."}], "ideal": ["Insufficient Entropy","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds."}], "ideal": ["Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized."}], "ideal": ["Same Seed in Pseudo-Random Number Generator (PRNG)","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time."}], "ideal": ["Predictable Seed in Pseudo-Random Number Generator (PRNG)","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong."}], "ideal": ["Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a scheme that generates numbers or identifiers that are more predictable than required."}], "ideal": ["Generation of Predictable Numbers or Identifiers","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data."}], "ideal": ["Insufficient Verification of Data Authenticity","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly verify that the source of data or communication is valid."}], "ideal": ["Origin Validation Error","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not verify, or incorrectly verifies, the cryptographic signature for data."}], "ideal": ["Improper Verification of Cryptographic Signature","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request."}], "ideal": ["Cross-Site Request Forgery (CSRF)","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum."}], "ideal": ["Missing Support for Integrity Check","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected."}], "ideal": ["Exposure of Private Personal Information to an Unauthorized Actor","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Creating and using insecure temporary files can leave application and system data vulnerable to attack."}], "ideal": ["Insecure Temporary File","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions."}], "ideal": ["Session Fixation","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product."}], "ideal": ["Resource Leak","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel."}], "ideal": ["Unprotected Primary Channel","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files."}], "ideal": ["Forced Browsing","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control."}], "ideal": ["Untrusted Search Path","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The wrong handler is assigned to process an object."}], "ideal": ["Deployment of Wrong Handler","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment."}], "ideal": ["Unrestricted Upload of File with Dangerous Type","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor."}], "ideal": ["Confused Deputy","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination."}], "ideal": ["HTTP Request/Response Smuggling","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks."}], "ideal": ["User Interface (UI) Misrepresentation of Critical Information","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code."}], "ideal": ["Unsafe Reflection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly protect an assumed-immutable element from being modified by an attacker."}], "ideal": ["Modification of Assumed-Immutable Data (MAID)","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields."}], "ideal": ["External Control of Assumed-Immutable Web Parameter","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code."}], "ideal": ["Download of Code Without Integrity Check","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does."}], "ideal": ["Exposure of Sensitive System Information to an Unauthorized Control Sphere","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product mixes trusted and untrusted data in the same data structure or structured message."}], "ideal": ["Trust Boundary Violation","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid."}], "ideal": ["Deserialization of Untrusted Data","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks."}], "ideal": [".NET Misconfiguration: Use of Impersonation","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts."}], "ideal": ["Weak Password Requirements","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval."}], "ideal": ["Insufficiently Protected Credentials","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server."}], "ideal": ["Unprotected Transport of Credentials","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached."}], "ideal": ["Use of Web Browser Cache Containing Sensitive Information","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses an environment variable to store unencrypted sensitive information."}], "ideal": ["Cleartext Storage of Sensitive Information in an Environment Variable","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information."}], "ideal": ["Insertion of Sensitive Information into Log File","Security Logging and Monitoring Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system."}], "ideal": ["Java Runtime Error Message Containing Sensitive Information","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information."}], "ideal": ["Insertion of Sensitive Information into Externally-Accessible File or Directory","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The web application uses persistent cookies, but the cookies contain sensitive information."}], "ideal": ["Use of Persistent Cookies Containing Sensitive Information","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Source code on a web server or repository often contains sensitive information and should generally not be accessible to users."}], "ideal": ["Inclusion of Sensitive Information in Source Code","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system."}], "ideal": ["Inclusion of Sensitive Information in an Include File","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change."}], "ideal": ["Use of Hard-coded, Security-relevant Constants","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers."}], "ideal": ["Exposure of Information Through Directory Listing","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product makes files or directories accessible to unauthorized actors, even though they should not be."}], "ideal": ["Files or Directories Accessible to External Parties","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands."}], "ideal": ["SQL Injection: Hibernate","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user."}], "ideal": ["Reliance on Cookies without Validation and Integrity Checking","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor."}], "ideal": ["Authorization Bypass Through User-Controlled SQL Primary Key","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability."}], "ideal": ["J2EE Bad Practices: Non-serializable Object Stored in Session","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request."}], "ideal": ["Use of GET Request Method With Sensitive Query Strings","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks."}], "ideal": ["Open Redirect","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server."}], "ideal": ["Client-Side Enforcement of Server-Side Security","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere."}], "ideal": ["Externally Controlled Reference to a Resource in Another Sphere","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output."}], "ideal": ["Improper Restriction of XML External Entity Reference","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."}], "ideal": ["Insufficient Session Expiration","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session."}], "ideal": ["Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication."}], "ideal": ["Unverified Password Change","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data."}], "ideal": ["Authorization Bypass Through User-Controlled Key","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak."}], "ideal": ["Weak Password Recovery Mechanism for Forgotten Password","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors."}], "ideal": ["External Control of Critical State Data","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query."}], "ideal": ["XPath Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash."}], "ideal": ["Improper Neutralization of HTTP Headers for Scripting Syntax","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion."}], "ideal": ["Reliance on File Name or Extension of Externally-Supplied File","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state."}], "ideal": ["Trusting HTTP Permission Methods on the Server Side","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return)."}], "ideal": ["Exposure of WSDL File Containing Sensitive Information","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query."}], "ideal": ["XQuery Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions."}], "ideal": ["Improper Isolation or Compartmentalization","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism."}], "ideal": ["Reliance on Security Through Obscurity","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product violates well-established principles for secure design."}], "ideal": ["Violation of Secure Design Principles","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource."}], "ideal": ["Exposure of Resource to Wrong Sphere","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere."}], "ideal": ["Use of Incorrectly-Resolved Name or Reference","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not return custom error pages to the user, possibly exposing sensitive information."}], "ideal": ["Missing Custom Error Page","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties."}], "ideal": ["Algorithm Downgrade","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input."}], "ideal": ["Use of a One-Way Hash without a Salt","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input."}], "ideal": ["Use of a One-Way Hash with a Predictable Salt","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities."}], "ideal": ["XML Entity Expansion","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it."}], "ideal": ["Insufficient Logging","Security Logging and Monitoring Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption."}], "ideal": ["Use of RSA Algorithm without OAEP","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user."}], "ideal": ["Reliance on Cookies without Validation and Integrity Checking in a Security Decision","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data."}], "ideal": ["Use of Hard-coded Credentials","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests."}], "ideal": ["Improper Control of Interaction Frequency","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism."}], "ideal": ["Reliance on Untrusted Inputs in a Security Decision","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere."}], "ideal": ["Inclusion of Functionality from Untrusted Control Sphere","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source."}], "ideal": ["Inclusion of Web Functionality from an Untrusted Source","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence."}], "ideal": ["Improper Enforcement of Behavioral Workflow","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not perform an authorization check when an actor attempts to access a resource or perform an action."}], "ideal": ["Missing Authorization","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions."}], "ideal": ["Incorrect Authorization","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements."}], "ideal": ["Improper Control of Dynamically-Managed Code Resources","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified."}], "ideal": ["Improperly Controlled Modification of Dynamically-Determined Object Attributes","Software and Data Integrity Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive."}], "ideal": ["Use of Password Hash With Insufficient Computational Effort","Cryptographic Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed."}], "ideal": ["Expression Language Injection","Injection"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination."}], "ideal": ["Server-Side Request Forgery","SSRF"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product stores sensitive information without properly limiting read or write access by unauthorized actors."}], "ideal": ["Insecure Storage of Sensitive Information","Broken Access Control"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The Android application uses an implicit intent for transmitting sensitive data to other applications."}], "ideal": ["Use of Implicit Intent for Sensitive Communication","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin."}], "ideal": ["Improper Verification of Source of a Communication Channel","Identification and Authentication Failures"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a cross-domain policy file that includes domains that should not be trusted."}], "ideal": ["Permissive Cross-domain Policy with Untrusted Domains","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag."}], "ideal": ["Sensitive Cookie Without 'HttpOnly' Flag","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with."}], "ideal": ["Improper Restriction of Rendered UI Layers or Frames","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer."}], "ideal": ["Use of Unmaintained Third Party Components","Vulnerable and Outdated Components"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library."}], "ideal": ["Improper Use of Validation Framework","Insecure Design"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The ASP.NET application does not use, or incorrectly uses, the model validation framework."}], "ideal": ["ASP.NET Misconfiguration: Improper Model Validation","Security Misconfiguration"]} +{"input": [{"role": "system", "content": "You are a security practitioner fulfilling a task accurately to name security weaknesses (CWEs). Please note: For this task, it is important that you only respond with a single line using only a few words naming the weakness, no numeric identifier."}, {"role": "user", "content": "The SameSite attribute for sensitive cookies is not set, or an insecure value is used."}], "ideal": ["Sensitive Cookie with Improper SameSite Attribute","Broken Access Control"]} \ No newline at end of file diff --git a/evals/registry/evals/cwes.yaml b/evals/registry/evals/cwes.yaml new file mode 100644 index 0000000000..e4d9594d8c --- /dev/null +++ b/evals/registry/evals/cwes.yaml @@ -0,0 +1,9 @@ +cwes: + id: cwes.dev.v0 + description: Test the model's ability to name well known security weaknesses (english, not weakness IDs) + metrics: [accuracy] + +cwes.dev.v0: + class: evals.elsuite.basic.match:Match + args: + samples_jsonl: cwes/samples.jsonl