http://cwe.mitre.org/top25/#CWE-120
| [1] | 346 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | |
| [2] | 330 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | |
| [3] | 273 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | |
| [4] | 261 | Cross-Site Request Forgery (CSRF) | |
| [5] | 219 | Improper Access Control (Authorization) | |
| [6] | 202 | Reliance on Untrusted Inputs in a Security Decision | |
| [7] | 197 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |
| [8] | 194 | Unrestricted Upload of File with Dangerous Type | |
| [9] | 188 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | |
| [10] | 188 | Missing Encryption of Sensitive Data | |
| [11] | 176 | Use of Hard-coded Credentials | |
| [12] | 158 | Buffer Access with Incorrect Length Value | |
| [13] | 157 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | |
| [14] | 156 | Improper Validation of Array Index | |
| [15] | 155 | Improper Check for Unusual or Exceptional Conditions | |
| [16] | 154 | Information Exposure Through an Error Message | |
| [17] | 154 | Integer Overflow or Wraparound | |
| [18] | 153 | Incorrect Calculation of Buffer Size | |
| [19] | 147 | Missing Authentication for Critical Function | |
| [20] | 146 | Download of Code Without Integrity Check | |
| [21] | 145 | Incorrect Permission Assignment for Critical Resource | |
| [22] | 145 | Allocation of Resources Without Limits or Throttling | |
| [23] | 142 | URL Redirection to Untrusted Site ('Open Redirect') | |
| [24] | 141 | Use of a Broken or Risky Cryptographic Algorithm | |
| [25] | 138 | Race Condition |
Cross-site scripting and SQL injection are the 1-2 punch of security weaknesses in 2010. Even when a software package doesn't primarily run on the web, there's a good chance that it has a web-based management interface or HTML-based output formats that allow cross-site scripting. For data-rich software applications, SQL injection is the means to steal the keys to the kingdom. The classic buffer overflow comes in third, while more complex buffer overflow variants are sprinkled in the rest of the Top 25.
Category-Based View of the Top 25
This section sorts the entries into the three high-level categories that were used in the 2009 Top 25:
· Insecure Interaction Between Components
· Risky Resource Management
· Porous Defenses
Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
For each weakness, its ranking in the general list is provided in square brackets.
| Rank | CWE ID | Name |
| [1] | Failure to Preserve Web Page Structure ('Cross-site Scripting') | |
| [2] | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | |
| [4] | Cross-Site Request Forgery (CSRF) | |
| [8] | Unrestricted Upload of File with Dangerous Type | |
| [9] | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | |
| [17] | Information Exposure Through an Error Message | |
| [23] | URL Redirection to Untrusted Site ('Open Redirect') | |
| [25] | Race Condition |
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.
| Rank | CWE ID | Name |
| [3] | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | |
| [7] | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |
| [12] | Buffer Access with Incorrect Length Value | |
| [13] | Improper Check for Unusual or Exceptional Conditions | |
| [14] | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | |
| [15] | Improper Validation of Array Index | |
| [16] | Integer Overflow or Wraparound | |
| [18] | Incorrect Calculation of Buffer Size | |
| [20] | Download of Code Without Integrity Check | |
| [22] | Allocation of Resources Without Limits or Throttling |
Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
| Rank | CWE ID | Name |
| [5] | Improper Access Control (Authorization) | |
| [6] | Reliance on Untrusted Inputs in a Security Decision | |
| [10] | Missing Encryption of Sensitive Data | |
| [11] | Use of Hard-coded Credentials | |
| [19] | Missing Authentication for Critical Function | |
| [21] | Incorrect Permission Assignment for Critical Resource | |
| [24] | Use of a Broken or Risky Cryptographic Algorithm |
The prioritization of items in the general Top 25 list is just that - general. The rankings, and even the selection of which items should be included, can vary widely depending on context. Ideally, each organization can decide how to rank weaknesses based on its own criteria, instead of relying on a single general-purpose list.
A separate document provides several "focus profiles" with their own criteria for selection and ranking, which may be more useful than the general list.
| Name | Description |
| From the original nominee list of 41 submitted CWE entries, the Top 25 was selected. This "On the Cusp" profile includes the remaining 16 weaknesses that did not make it into the final Top 25. | |
| This profile ranks weaknesses that are important from an educational perspective within a school or university context. It focuses on the CWE entries that graduating students should know, including historically important weaknesses. | |
| This profile specifies which weaknesses appear in which programming languages. Notice that most weaknesses are actually language-independent, although they may be more prevalent in one language or another. | |
| This profile lists weaknesses that are typically fixed in design or implementation. | |
| This profile highlights which weaknesses can be detected using automated versus manual analysis. Currently, there is very little public, authoritative information about the efficacy of these methods and their utility. There are many competing opinions, even among experts. As a result, these ratings should only be treated as guidelines, not rules. | |
| This profile is for developers who have already established security in their practice. It uses votes from the major developers who contributed to the Top 25. | |
| This profile ranks weaknesses based primarily on their importance, as determined from the base voting data that was used to create the general list. Prevalence is included in the scores, but it has much less weighting than importance. | |
| This profile lists weaknesses based on their technical impact, i.e., what an attacker can accomplish by exploiting each weakness. |
For each individual weakness entry, additional information is provided. The primary audience is intended to be software programmers and designers.
| Ranking | The ranking of the weakness in the general list. |
| Score Summary | A summary of the individual ratings and scores that were given to this weakness, including Prevalence, Importance, and Adjusted Score. |
| CWE ID and name | CWE identifier and short name of the weakness |
| Supporting Information | Supplementary information about the weakness that may be useful for decision-makers to further prioritize the entries. |
| Discussion | Short, informal discussion of the nature of the weakness and its consequences. The discussion avoids digging too deeply into technical detail. |
| Prevention and Mitigations | Steps that developers can take to mitigate or eliminate the weakness. Developers may choose one or more of these mitigations to fit their own needs. Note that the effectiveness of these techniques vary, and multiple techniques may be combined for greater defense-in-depth. |
| Related CWEs | Other CWE entries that are related to the Top 25 weakness. Note: This list is illustrative, not comprehensive. |
| General Parent | One or more pointers to more general CWE entries, so you can see the breadth and depth of the problem. |
| Related Attack Patterns | CAPEC entries for attacks that may be successfully conducted against the weakness. Note: the list is not necessarily complete. |
| Other pointers | Links to more details including source code examples that demonstrate the weakness, methods for detection, etc. |
Supporting Information
Each Top 25 entry includes supporting data fields for weakness prevalence, technical impact, and other information. Each entry also includes the following data fields.
| Field | Description |
| Attack Frequency | How often the weakness occurs in vulnerabilities that are exploited by an attacker. |
| Ease of Detection | How easy it is for an attacker to find this weakness. |
| Remediation Cost | The amount of effort required to fix the weakness. |
| Attacker Awareness | The likelihood that an attacker is going to be aware of this particular weakness, methods for detection, and methods for exploitation. |
See Appendix A for more details.
This section provides details for each individual CWE entry, along with links to additional information. See the Organization of the Top 25 section for an explanation of the various fields.
| CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting') |
Summary
| Weakness Prevalence | High | | Consequences | Code execution, Security bypass |
| Remediation Cost | Low | | Ease of Detection | Easy |
| Attack Frequency | Often | | Attacker Awareness | High |
No comments:
Post a Comment