2010 CWE/SANS Top 25: Focus Profiles
The prioritization of items in the general Top 25 list is just that -
general. The rankings, and even the selection of which items should be
included, can vary widely depending on context. Ideally, each
organization can decide how to rank weaknesses based on its own
criteria, instead of relying on a single general-purpose list.
This document provides several "focus profiles" with
their own criteria for selection and ranking, which may be more useful
than the general list.
|
On the Cusp: Weaknesses that Did Not Make the 2010 Top 25
The Top 25 was selected using a voting process in which participants
evaluated a Nominee List of 41 weaknesses. From this list, the final
Top 25 was selected based on a combination of prevalence and
importance, as evaluated by participants.
This leaves 16 "On the Cusp" weaknesses from the Nominee List that did
not make it into the final Top 25. This could be due to one or more of
the following reasons:
* Not prevalent enough
* Not important enough
* Not enough votes (implying limited prevalence/importance)
* Too new (or too old) to be sufficiently relevant in the current environment
| Rank | Score | CWE Entry |
|---|
| [26] | 136 | CWE-749: Exposed Dangerous Method or Function |
| Just 2 points from the Top 25, possibly on the rise. |
| [27] | 129 | CWE-307: Improper Restriction of Excessive Authentication Attempts |
| Possibly squeezed off the Top 25 by cousins such as missing
authentication. |
| [28] | 125 | CWE-212: Improper Cross-boundary Removal of Sensitive Data |
| Important when privacy is a main concern. |
| [29] | 124 | CWE-330: Use of Insufficiently Random Values |
| Not always security-relevant, but still dangerous if it is. |
| [30] | 120 | CWE-59: Improper Link Resolution Before File Access ('Link Following') |
| A burst in CVE statistics in 2008 shows that these can still be
prevalent if focused attention is paid to them. |
[31]
(tie) | 120 | CWE-134: Uncontrolled Format String |
| Usually easily findable, and code execution possibilities have been
reduced due to compiler changes, e.g. removal of support for "%n"
sequences. |
| [32] | 119 | CWE-476: NULL Pointer Dereference |
| Typically cause a denial of service in C/C++ but, for certain Linux
kernels and possibly other environments, exploitable for code
execution. |
[33]
(tie) | 119 | CWE-681: Incorrect Conversion between Numeric Types |
| May be on the rise in future years, especially in transitions from
32-bit to 64-bit architectures. |
| [34] | 118 | CWE-426: Untrusted Search Path |
| Prevalence is uncertain. |
| [35] | 116 | CWE-454: External Initialization of Trusted Variables or Data Stores |
| High prevalence in PHP environments with register_globals enabled, or
by programmers who are not familiar with the effectiveness of reverse
engineering, or the many ways that inputs can be modified. |
| [36] | 114 | CWE-416: Use After Free |
| Likely on the rise in future years. |
[37]
(tie) | 114 | CWE-772: Missing Release of Resource after Effective Lifetime |
| Important when prevention of denial of service is critical. |
| [38] | 106 | CWE-799: Improper Control of Interaction Frequency |
| Important when prevention of denial of service is critical. Also a
critical component of brute force attacks against security features. |
| [39] | 100 | CWE-456: Missing Initialization |
| Not always security-relevant; also, easily findable and fixable with
modern compilers and code scanners. |
| [40] | 91 | CWE-672: Operation on a Resource after Expiration or Release |
| Sometimes catchable by the compiler, but may increase in future years. |
| [41] | 77 | CWE-804: Guessable CAPTCHA |
| Not very prevalent since the use of CAPTCHA is not very prevalent, and
importance is generally less than that of other security features such
as encryption and authentication. |
Educational Emphasis
This profile ranks weaknesses that are important from an educational
perspective within a school or university context. It focuses on the
CWE entries that graduating students should know, including
historically important weaknesses. There is an emphasis on
higher-level root causes, mitigations, and issues that are difficult
for new students to initially understand.
The score is generated from Prevalence ("Prev"), Importance ("Imp"),
and Emphasis ("Emp").
Three factors were used to conduct scoring and ranking:
* EMPHASIS (Critical [Crit], High, Medium [Med], Low)
* IMPORTANCE (Critical [Crit], High, Medium [Med], Low)
* PREVALENCE (Widespread [Wide], High, Common [Comm], Limited [Ltd])
For each weakness, both IMPORTANCE and PREVALENCE are assigned values
between 1 and 4 (in which 4 is equivalent to the highest rating, i.e.,
"Critical" or "Widespread.") EMPHASIS ratings are assigned values of
0, 2, 4, or 6, with 6 being equivalent to "Critical."
The score for the weakness is then calculated using the formula:
(IMPORTANCE x PREVALENCE) + EMPHASIS
The rating for emphasis included factors such as difficulty of student
understanding, general applicability of the weakness to broader
concepts, presence in the programming languages being taught, and
relevance to the curriculum or syllabus.
All 41 entries from the original Nominee List are included.
| Rank | Score | Prev | Imp | Emph | CWE Entry |
|---|
| [1] | 22 | Wide | Crit | Crit | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| There's no end to this. There are many attack modes,
variants, many injection points (some subtle), and possible consequences.
Students must understand how web technology is seriously flawed in the name of
functionality at any cost. |
| [2] | 20 | Wide | Crit | High | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| Foundational notion. Touches also on improperly terminated strings,
stack, heap, and mitigation technologies (canary, address space layout
randomization, etc...). |
| [3] | 16 | Wide | Crit | Low | CWE-798: Use of Hard-coded Credentials |
| Trivial but very important concept with catastrophic consequences,
unfortunately widespread historically. |
| [4] | 14 | Wide | High | Med | CWE-285: Improper Access Control (Authorization) |
| Easy concept in principle but lots of subtleties. |
[5]
(tie) | 14 | High | Crit | Med | CWE-362: Race Condition |
| Critical concept for students to learn, but is not too difficult to
understand with respect to the filesystem. Rely on operating system class to
teach the use of semaphores, and database class for the use of transactions. |
[6]
(tie) | 14 | High | Crit | Med | CWE-807: Reliance on Untrusted Inputs in a Security Decision |
| Easy to understand, but often repeated mistake historically.
Critical trust concept. |
| [7] | 13 | High | High | High | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Good time for teaching white lists. Touches URL-encoding and
character encoding in general, multiple encodings, black lists failures,
canonicalization concept. |
[8]
(tie) | 13 | High | High | High | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Touches on code injection as a foundational concept, data and code
separation. Touches on System calls, exec calls, API ambiguity,
environment poisoning. OS injection requires less background,
infrastructure and preparation to demonstrate than other
injection-related weaknesses such as SQL injection. |
[9]
(tie) | 13 | High | High | High | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| It takes time to explain how it works, and the strongest defenses. |
[10]
(tie) | 13 | High | High | High | CWE-754: Improper Check for Unusual or Exceptional Conditions |
| Students are rarely taught how to properly handle errors and
exceptions, and graded appropriately. This reaches into the security mindset of
looking for border cases and unusual situations, so awareness of this issue
should lead to more careful programming and a more valuable developer. |
[11]
(tie) | 13 | High | High | High | CWE-805: Buffer Access with Incorrect Length Value |
| There are so many ways to get this wrong... |
| [12] | 11 | High | High | Med | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| Important concept, cryptography is hard to do. "Don't roll your own".
Emphasis by examples of broken uses, and correct algorithms and libraries,
should be sufficient. |
[13]
(tie) | 11 | High | High | Med | [Cusp] CWE-330: Use of Insufficiently Random Values |
| Emphasis by examples of broken uses, and correct algorithms and
libraries, should be sufficient. Touches on cryptography, race conditions,
networking, games, testing (fuzzing) |
| [14] | 10 | Comm | High | High | [Cusp] CWE-59: Improper Link Resolution Before File Access ('Link Following') |
| Touches on randomness, filesystem (esp. inodes), file handles vs
file names, race conditions, elevated privileges (least privilege idea) |
[15]
(tie) | 10 | High | Med | High | CWE-190: Integer Overflow or Wraparound |
| Lots of subtleties in this one. |
[16]
(tie) | 10 | Wide | Med | Med | CWE-209: Information Exposure Through an Error Message |
| Notion is easy to understand |
| [17] | 8 | Wide | Med | Low | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| Easy to understand in principle. Language specific issue, so of
lower educational value. However, it's a mistake that students would make so
often that "widespread" is warranted if the CWE is relevant. |
[18]
(tie) | 8 | Comm | High | Med | CWE-129: Improper Validation of Array Index |
| Trust issue also. |
[19]
(tie) | 8 | Comm | Med | High | CWE-131: Incorrect Calculation of Buffer Size |
| Touches concepts of wide characters, character encoding,
variable-width characters, memory alignment. |
[20]
(tie) | 8 | High | Med | Med | [Cusp] CWE-134: Uncontrolled Format String |
[21]
(tie) | 8 | High | Med | Med | [Cusp] CWE-212: Improper Cross-boundary Removal of Sensitive Data |
| Subtle flaws and advanced subject. Touches on erasing unused space in
buffers and allocated memory. |
[22]
(tie) | 8 | High | Med | Med | CWE-352: Cross-Site Request Forgery (CSRF) |
| Attack is easy to understand but prevention is more difficult, with
several ways of doing it wrong. |
[23]
(tie) | 8 | High | Med | Med | [Cusp] CWE-454: External Initialization of Trusted Variables or Data Stores |
| Typical rookie mistake, esp. in HTML forms or JavaScript code
(thinking that JS code running on client is not externally initialized
values). Concept is easy to grasp. Touches on trust |
[24]
(tie) | 8 | High | Med | Med | [Cusp] CWE-681: Incorrect Conversion between Numeric Types |
[25]
(tie) | 8 | High | Med | Med | CWE-770: Allocation of Resources Without Limits or Throttling |
| Touches on asymmetric attacks, allocation of resources for
anonymous users, unexpected DoS (e.g., SYN flood), accountability, trust |
| [26] | 6 | High | Med | Low | [Top25] CWE-311: Missing Encryption of Sensitive Data |
| Trivial concept |
[27]
(tie) | 6 | Comm | Med | Med | CWE-426: Untrusted Search Path |
| Touches on environment variables, poisoning, "." in paths, urls
(resembles CWE-22: "Path Traversal" in that aspect) |
[28]
(tie) | 6 | High | Med | Low | CWE-476: NULL Pointer Dereference |
| Notion is easy to understand |
[29]
(tie) | 6 | High | Med | Low | [Top25] CWE-494: Download of Code Without Integrity Check |
| Trivial concept to learn, in principle. |
[30]
(tie) | 6 | Comm | Med | Med | CWE-749: Exposed Dangerous Method or Function |
| Trivial concept, but may bear emphasis on what makes a method
dangerous. |
[31]
(tie) | 6 | High | Med | Low | CWE-772: Missing Release of Resource after Effective Lifetime |
| Trivial concept |
[32]
(tie) | 6 | High | Med | Low | CWE-799: Improper Control of Interaction Frequency |
| Concept is easy to understand |
| [33] | 4 | Comm | Med | Low | CWE-307: Improper Restriction of Excessive Authentication Attempts |
| Trivial concept |
[34]
(tie) | 4 | Comm | Med | Low | CWE-416: Use After Free |
| Easy to understand; may be a distraction error |
[35]
(tie) | 4 | Comm | Med | Low | CWE-456: Missing Initialization |
[36]
(tie) | 4 | Comm | Med | Low | [Top25] CWE-732: Incorrect Permission Assignment for Critical Resource |
| Case-specific issue, trivial concept. |
| [37] | 3 | Ltd | High | Low | [Top25] CWE-306: Missing Authentication for Critical Function |
| Trivial concept. |
[38]
(tie) | 3 | Ltd | High | Low | [Top25] CWE-434: Unrestricted Upload of File with Dangerous Type |
| Concept is trivial. Getting it right is hard, but the applicability
is very limited. |
[39]
(tie) | 3 | High | Low | Low | [Top25] CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| [40] | 2 | Comm | Low | Low | CWE-672: Operation on a Resource after Expiration or Release |
| Concept is trivial. Often a distraction mistake. |
[41]
(tie) | 2 | Comm | Low | Low | CWE-804: Guessable CAPTCHA |
| Trivial concept; application is limited. |
Weaknesses by Language
This profile specifies which weaknesses appear in which programming
languages. Notice that most weaknesses are actually
language-independent, although they may be more prevalent in one
language or another.
For each language, the possible ratings are:
* High - this weakness frequently appears in software written in the
language, and it is often a security problem instead of "just a
bug."
* Moderate (Mod) - this weakness sometimes appears in software written
in the language, but when it does, it is often a security problem.
* Limited (Ltd) - this weakness either (1) rarely appears in software
written in the language, but is often a security problem when it
does; or (2) can frequently appear, but is rarely a security problem
when it does.
Some cells will be left blank if the problem is language-specific.
These items are sorted by CWE ID.
| C/C++ | Java | PHP | Perl | CWE Entry |
|---|
| High | Mod | High | High | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Language-independent, but prevalence is reduced in sandboxed
environments. |
| High | Mod | High | High | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Mod | High | High | High | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| High | High | High | High | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| | High | | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| Technically this type of problem can happen in most interpreted
languages, but it seems to be most prevalent in PHP. |
| High | Ltd | Ltd | Ltd | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| Interpreters and native code, often built using C/C++, may be subject
to buffer overflows that are reachable from higher-level language
constructs that otherwise appear "safe." |
| High | Ltd | Ltd | Ltd | CWE-129: Improper Validation of Array Index |
| Technically this can happen in many different languages, but it
becomes security-relevant most often in C/C++ programs. |
| High | Ltd | Ltd | Ltd | CWE-131: Incorrect Calculation of Buffer Size |
| Up-and-coming as simpler buffer overflows are eliminated.
Interpreters and native code, often built using C/C++, may be subject
to buffer overflows that are reachable from higher-level language
constructs that otherwise appear "safe." |
| High | Ltd | Ltd | Ltd | CWE-190: Integer Overflow or Wraparound |
| Technically this can happen in many different languages, but it
becomes security-relevant most often in C/C++ programs. |
| Mod | High | High | Mod | CWE-209: Information Exposure Through an Error Message |
| Language-independent but occurs frequently in web-based environments
and in languages where error reporting is automatically performed
externally. |
| High | High | High | High | CWE-285: Improper Access Control (Authorization) |
| Mod | Mod | Mod | Mod | CWE-306: Missing Authentication for Critical Function |
| Prevalent in web-based environments. |
| High | High | High | High | CWE-311: Missing Encryption of Sensitive Data |
| High | Mod | High | Mod | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| Some languages do not have built-in crypto or well-established
libraries, leaving developers to build or integrate their own. |
| High | High | High | High | CWE-352: Cross-Site Request Forgery (CSRF) |
| Web-based problem, which is language-independent. |
| High | High | Mod | Ltd | CWE-362: Race Condition |
| Potential issue in any language that supports threading or interacts
with OS system resources. |
| Ltd | Mod | High | Ltd | CWE-434: Unrestricted Upload of File with Dangerous Type |
| Ltd | Mod | Mod | Ltd | CWE-494: Download of Code Without Integrity Check |
| Most often applicable to mobile code, although potentially present in
any software that manages its own upgrades. |
| Mod | Mod | Mod | Mod | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| Web-based problem, which is language-independent. Many web
applications do not use redirect functionality. |
| High | High | High | High | CWE-732: Incorrect Permission Assignment for Critical Resource |
| High | Ltd | High | High | CWE-754: Improper Check for Unusual or Exceptional Conditions |
| Less prevalent for languages where exception handling forces checks to
occur. |
| High | Mod | Mod | High | CWE-770: Allocation of Resources Without Limits or Throttling |
| Less problematic for environments with built-in resource management. |
| Mod | Mod | Mod | Mod | CWE-798: Use of Hard-coded Credentials |
| High | | | | CWE-805: Buffer Access with Incorrect Length Value |
| Interpreters and native interfaces, often built using C/C++, may have
overflows that are reachable from otherwise-"safe" code. |
| High | High | High | High | CWE-807: Reliance on Untrusted Inputs in a Security Decision |
| Language-independent, but very prevalent in web applications. |
Weaknesses Typically Fixed in Design or Implementation
This profile lists weaknesses that are typically fixed in design or
implementation.
When weaknesses occur in the architecture or design phases, the ideal
solution may be out of the control of programmers, and the problem may
be expensive to fix.
For weaknesses that are fixable during the implementation phase, minor
localized code changes may be feasible, but the weaknesses may appear
in large numbers throughout the code. A longer-term strategy may be
to implement certain design-level changes that make it more difficult
to introduce these weaknesses, and/or make them more easy to detect
when they occur.
The columns are:
* Design (abbreviated "Des")
* Implementation (abbreviated "Impl")
These entries are sorted by their CWE ID.
| Des | Impl | CWE Entry |
|---|
| X | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| X | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Usually implementation, but sometimes this is a design-level problem
when the software accepts an entire command from externally-controlled
input. |
| X | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Many XSS bugs can be fixed locally in the code. However, due to the
high prevalence and complexity of XSS, design-level changes may be
appropriate, such as the utilization of libraries that are aware of
encoding context. |
| X | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| While individual issues can be fixed locally, a broader design-level
change may be appropriate, such as using parameterized queries. |
| X | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| While local fixes are often possible, the design of the application
may intentionally include files from remote sites, in which case a
design change will be necessary. |
| X | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| X | CWE-129: Improper Validation of Array Index |
| Typically occurs during implementation, but sometimes this is a
reflection of a design problem in an algorithm. |
| X | CWE-131: Incorrect Calculation of Buffer Size |
| X | CWE-190: Integer Overflow or Wraparound |
| These are often fixable using localized code changes, but adoption of
libraries may be more appropriate. |
| X | CWE-209: Information Exposure Through an Error Message |
| Sometimes occurs in requirements/specification or in operation. |
| X | | CWE-285: Improper Access Control (Authorization) |
| Accidental omission of fine-grained authorization may happen even if
the design or specification requires it. |
| X | | CWE-306: Missing Authentication for Critical Function |
| X | | CWE-311: Missing Encryption of Sensitive Data |
| Sometimes occurs during operation. |
| X | | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| X | | CWE-352: Cross-Site Request Forgery (CSRF) |
| Can occur during implementation if a CSRF solution is available and in
active use, but the programmer accidentally omits applcation of the
solution to a particular form, even when the solution is applied to
most other forms. |
| X | | CWE-362: Race Condition |
| Sometimes occurs in implementation if the programmer uses non-atomic
operations under the assumption that they are atomic, or otherwise
introduces a bug during synchronization. |
| X | | CWE-434: Unrestricted Upload of File with Dangerous Type |
| Implementation-level occurrences are possible. |
| X | | CWE-494: Download of Code Without Integrity Check |
| X | | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| X | CWE-732: Incorrect Permission Assignment for Critical Resource |
| Could be design, implementation, or installation/configuration
depending on the specific software. |
| X | CWE-754: Improper Check for Unusual or Exceptional Conditions |
| X | | CWE-770: Allocation of Resources Without Limits or Throttling |
| X | | CWE-798: Use of Hard-coded Credentials |
| Could also occur during installation/configuration. |
| X | CWE-805: Buffer Access with Incorrect Length Value |
| X | | CWE-807: Reliance on Untrusted Inputs in a Security Decision |
| Implementation-level occurrences are possible. |
Automated vs. Manual Analysis
This profile highlights which weaknesses can be detected using
automated versus manual analysis. Currently, there is very little
public, authoritative information about the efficacy of these methods
and their utility. There are many competing opinions, even among
experts. As a result, these ratings should only be treated as
guidelines, not rules. The effectiveness of each method depends on
the environment, cost/time/labor factors, expertise of the analysts,
and other factors that may vary across organizations.
Automated techniques are performed by computers and include, but are
not limited to: source code analyzers, binary code analyzers, fuzzers,
data security analyzers, web application scanners, and dynamic code
analyzers. Manual techniques are performed by human analysts and
include, but are not limited to: penetration testing, architectural
review, and manual code review. It is generally regarded that a
hybrid of techniques is the most useful, by leveraging the strengths
of each technique in the most cost-effective manner.
Whether automated or manual, white box techniques perform analysis
against source code or architecture, while black box techniques
execute the software and observe its external behavior and artifacts.
Automated methods are generally more effective for finding
implementation-level problems than design-level problems. Automated
static code analysis can offer broad code coverage, and automated
dynamic analysis can perform a large number of attacks in a short
amount of time. However, these methods may require you to develop
custom detection rules, build your application with a special
compiler, and/or provide any necessary credentials for logging into
the targeted software. They may have difficulty recognizing custom
routines and critical flaws in business logic, or they may not filter
or de-prioritize certain results that are not relevant to the
execution environment.
Manual methods are generally more effective for finding design-level
problems, flaws in business logic, recognizing custom routines, and
providing general feedback about the overall posture of the software.
However, manual methods may be labor intensive, and they require
proficient analysts to produce effective results. Different analysts
may not produce consistent or repeatable results. For weaknesses that
can be found by automated methods, manual methods may not achieve the
same amount of code coverage without significant investment in labor.
Hybrid methods are often employed by combining both manual and
automated analysis. It is generally regarded that a hybrid methods
are the most useful, since they leverage the strengths of each
technique. Hybrid analysis may be able achieve a reasonable balance
between code coverage, labor/time costs, and
false-positive/false-negative rates. Hybrid methods are not covered
in this profile.
The columns are labeled as follows:
* Auto-WB - automated white box
* Auto-BB - automated black box
* Man-WB - manual white box
* Man-BB - manual black box
For each technique and weakness, the effectiveness of the technique
against the weakness is classified as follows. NOTE: these ratings
assume the use of best-of-breed tools, analysts, and methods. There
is limited consideration for financial costs, labor, or time. See
above for a summary of some of the challenges.
* High - has well-known, well-understood strengths and limitations;
there are reasonable false-positive or false-negative rates,
especially in comparison to other methods; there is good coverage
with respect to other methods; might not require significant labor
to achieve useful results.
* Moderate (Mod) - applicable to multiple circumstances, but may be
subject to high false-positive or false-negative rates that may vary
widely; may require significant training/customization; may require
significant labor, time, or expertise to achieve useful results.
* Limited (Ltd) - applicable in limited circumstances, or not at all;
has high false-positive or false-negative rates, or generates a
large number of irrelevant findings; may require extensive
training/customization; or gives limited visibility into the root
cause.
These weaknesses are sorted by CWE ID.
| Auto-WB | Auto-BB | Man-WB | Man-BB | CWE Entry |
|---|
| High | Mod | High | Ltd | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Automated techniques can find areas where path traversal weaknesses
exist, but tuning/customization may be required, e.g. to filter
path-traversal problems that are only exploitable by the software's
administrator and thus potentially valid. Manual white box techniques
may be able to provide sufficient code coverage and reduction of false
positives if all file accesses can be evaluated within limited time
constraints. |
| High | Mod | High | Mod | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Black box methods may be hampered if there is limited control over the
contents of the OS command. For code that is portable across multiple
OSes, Auto-WB may be limited by assumptions about OS context. |
| Mod | Mod | Mod | Mod | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| There is some disagreement about whether automated methods have enough
coverage, since web applications often process large numbers of inputs
and can involve complex interactions between multiple processes or
components. |
| High | Mod | High | Mod | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| Auto-BB may not be able to generate sufficient test cases or detect
evidence of a problem. Auto-BB or Auto-WB methods may not recognize
SQL injection when there are complex interactions between multiple
processes or components. |
| High | Mod | High | Mod | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| Black box methods may not be effective in finding non-trivial
instances of this weakness. |
| High | Mod | Mod | Mod | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| Auto-WB may require tuning to ensure that all sources and sinks are
properly identified. Auto-BB may have some success if fuzzing is
employed and all interfaces are well understood. Man-WB and Man-BB
may not achieve desired code coverage within limited time constraints. |
| High | Mod | Mod | Mod | CWE-129: Improper Validation of Array Index |
| Code coverage is important since many operations use an array index.
Black box methods might not get the needed code coverage, and a
successful test might not produce any noticeable side effects. |
| High | Ltd | Mod | Ltd | CWE-131: Incorrect Calculation of Buffer Size |
| Black box methods may not be able to diagnose this specific weakness.
Code coverage may be a problem for manual methods. |
| High | Ltd | Mod | Ltd | CWE-190: Integer Overflow or Wraparound |
| Black box methods may not be able to diagnose this specific weakness,
although some fuzzing (Auto-BB) techniques may focus on
integer-boundary issues. |
| Ltd | Ltd | High | Mod | CWE-209: Information Exposure Through an Error Message |
| Certain idioms may be detectable automatically, such as exposed stack
traces or pathnames, but this weakness generally requires
domain-specific interpretation using manual analysis. |
| Ltd | Ltd | High | Mod | CWE-285: Improper Access Control (Authorization) |
| Automated techniques may detect generic protections, or identify many
or all possible interfaces that do not require authorization, but
manual analysis is required to determine if the lack of authorization
violates business logic. Manual efforts might not achieve desired
code coverage within limited time constraints. |
| Ltd | Mod | High | Mod | CWE-306: Missing Authentication for Critical Function |
| Requires domain-specific understanding of which functionality requires
authentication. Black box methods may not detect all exposed
functionality. |
| Ltd | Ltd | High | High | CWE-311: Missing Encryption of Sensitive Data |
| Requires domain-specific understanding of which data is sensitive, so
manual methods are needed. However, manual efforts might not achieve
desired code coverage within limited time constraints. Black box
analysis may produce artifacts (e.g. stored data or unencrypted
network transfer) that require manual evaluation. |
| Mod | Ltd | High | Ltd | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| Automated methods may require training to recognize the use of
libraries for obsolete algorithms. Manual methods will be necessary
to recognize custom implementations of obsolete algorithms or perform
cryptanalysis of proprietary or non-standard algorithms; in the latter
case, cryptographic expertise is likely needed. |
| Ltd | Ltd | High | Mod | CWE-352: Cross-Site Request Forgery (CSRF) |
| CSRF generally requires domain-specific knowledge to distinguish from
legitimate behavior, thus manual effort is needed. Automated
techniques may be able to detect the absence of certain anti-CSRF
idioms, but this would likely require custom tuning. Auto-BB may
still rely on manual review for effective results. Manual efforts
might not achieve desired code coverage within limited time
constraints. |
| Mod | Ltd | Mod | Ltd | CWE-362: Race Condition |
| Common idioms are detectable in white box analysis, such as
time-of-check-time-of-use (TOCTOU) file access checks. Black box
methods may be able to identify potential race conditions via methods
such as multiple simultaneous connections, although race conditions
with very narrow timing windows would not be detectable. |
| Mod | Mod | Mod | Mod | CWE-434: Unrestricted Upload of File with Dangerous Type |
| There is some disagreement about the effectiveness of these
techniques. |
| Ltd | Ltd | High | Mod | CWE-494: Download of Code Without Integrity Check |
| Typically requires understanding of intended behavior. Automated
methods might be useful for detecting the usage of common idioms for
integrity checks. |
| Mod | Mod | High | High | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| Auto-BB tools that supply URLs to every input may be able to spot
Location header modifications, but test case coverage is a factor, and
custom redirects may not be detected. Auto-WB tools may not be able
to determine whether input influences the beginning of a URL, which is
important for reducing false positives. |
| Mod | Mod | Mod | Mod | CWE-732: Incorrect Permission Assignment for Critical Resource |
| Permission weaknesses for common system resources such as files or
registry keys are detectable using automated techniques, but many
applications have their own custom permission schemes for
domain-specific resources, requiring manual analysis. Manual efforts
might not achieve desired code coverage within limited time
constraints. |
| High | Mod | Mod | Mod | CWE-754: Improper Check for Unusual or Exceptional Conditions |
| Black box methods cannot necessarily force the appropriate unusual
conditions, especially those that may be domain-specific. Manual
efforts might not achieve desired code coverage within limited time
constraints. |
| Mod | High | High | Mod | CWE-770: Allocation of Resources Without Limits or Throttling |
| Automated fuzzing or flooding attacks may expose certain types of this
weakness - e.g., uncontrolled allocation of system resources such as
files and CPU - but this may still require manual interpretation of
the results. Manual efforts might not achieve desired code coverage
within limited time constraints, but would be better suited to
detecting business-level cases. |
| Mod | Ltd | High | Ltd | CWE-798: Use of Hard-coded Credentials |
| Credential storage in configuration files is findable using black box
methods, but the use of hard-coded credentials for an incoming
authentication routine typically involves an account that is not
visible outside of the code. Automated white box techniques have been
published for detecting hard-coded credentials for incoming
authentication, but there is some expert disagreement regarding their
effectiveness. |
| High | Mod | Mod | Ltd | CWE-805: Buffer Access with Incorrect Length Value |
| Auto-BB techniques such as fuzzing may find evidence of this issue.
Manual efforts might not achieve desired code coverage within limited
time constraints. |
| Ltd | Ltd | High | Mod | CWE-807: Reliance on Untrusted Inputs in a Security Decision |
| Automated methods may not be able to distinguish between allowable
inputs and those used for security functionality. |
For Developers with Established Software Security Practices
This profile is for developers who have already begun integration of
security into their development life cycle and may have had some
success in ridding their software of some of the most common
weaknesses.
Weakness rankings are constructed using "Prevalence" and "Importance"
as assessed by the original votes of the major software vendors who
participated in the Top 25 effort: Red Hat, Oracle, Microsoft, EMC,
Symantec, and Apple.
| Rank | Score | GenRank | CWE Entry |
|---|
| [1] | 80 | 3 | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| [2] | 66 | 1 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| [3] | 59 | 2 | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| [4] | 53 | 4 | CWE-352: Cross-Site Request Forgery (CSRF) |
| [5] | 51 | 5 | CWE-285: Improper Access Control (Authorization) |
| [6] | 48 | 18 | CWE-131: Incorrect Calculation of Buffer Size |
| Sharp rise compared to the general Top 25. |
| [7] | 47 | 9 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| [8] | 46 | 17 | CWE-190: Integer Overflow or Wraparound |
| Sharp rise compared to the general Top 25. |
| [9] | 45 | 12 | CWE-805: Buffer Access with Incorrect Length Value |
| [10] | 44 | 15 | CWE-129: Improper Validation of Array Index |
| Sharp rise compared to the general Top 25. |
| [11] | 40 | 11 | CWE-798: Use of Hard-coded Credentials |
| [12] | 38 | 6 | CWE-807: Reliance on Untrusted Inputs in a Security Decision |
| Sharp drop compared to the general Top 25. |
| [13] | 37 | 8 | CWE-434: Unrestricted Upload of File with Dangerous Type |
| Sharp drop compared to the general Top 25. |
| [14] | 36 | 10 | CWE-311: Missing Encryption of Sensitive Data |
[15]
(tie) | 36 | 24 | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| Sharp rise compared to the general Top 25. |
| [16] | 35 | 7 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Sharp drop compared to the general Top 25. |
| [17] | 33 | 20 | CWE-494: Download of Code Without Integrity Check |
| [18] | 32 | 26 | [Cusp] CWE-749: Exposed Dangerous Method or Function |
| Not in the general Top 25. |
| [19] | 29 | 25 | CWE-362: Race Condition |
| Sharp rise compared to the general Top 25. |
[20]
(tie) | 29 | 23 | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| [21] | 28 | 17 | CWE-209: Information Exposure Through an Error Message |
| [22] | 27 | 28 | [Cusp] CWE-212: Improper Cross-boundary Removal of Sensitive Data |
| Not in the general Top 25. |
[23]
(tie) | 27 | 22 | CWE-732: Incorrect Permission Assignment for Critical Resource |
| [24] | 26 | 36 | [Cusp] CWE-416: Use After Free |
| Not in the general Top 25. |
| [25] | 25 | 29 | [Cusp] CWE-330: Use of Insufficiently Random Values |
| Not in the general Top 25. |
[26]
(tie) | 25 | 37 | CWE-772: Missing Release of Resource after Effective Lifetime |
| Sharp rise - not in the general Top 25. |
| [27] | 24 | 27 | CWE-307: Improper Restriction of Excessive Authentication Attempts |
[28]
(tie) | 24 | 32 | CWE-476: NULL Pointer Dereference |
[29]
(tie) | 24 | 33 | CWE-681: Incorrect Conversion between Numeric Types |
[30]
(tie) | 24 | 13 | [Top25] CWE-754: Improper Check for Unusual or Exceptional Conditions |
| Sharp drop - in the general Top 25. |
[31]
(tie) | 24 | 21 | [Top25] CWE-770: Allocation of Resources Without Limits or Throttling |
| Sharp drop - in the general Top 25. |
| [32] | 22 | 30 | CWE-59: Improper Link Resolution Before File Access ('Link Following') |
[33]
(tie) | 22 | 31 | CWE-134: Uncontrolled Format String |
[34]
(tie) | 22 | 19 | [Top25] CWE-306: Missing Authentication for Critical Function |
| Sharp drop - in the general Top 25. |
| [35] | 21 | 40 | CWE-672: Operation on a Resource after Expiration or Release |
| [36] | 19 | 35 | CWE-454: External Initialization of Trusted Variables or Data Stores |
[37]
(tie) | 19 | 39 | CWE-456: Missing Initialization |
[38]
(tie) | 19 | 38 | CWE-799: Improper Control of Interaction Frequency |
| [39] | 18 | 34 | CWE-426: Untrusted Search Path |
| [40] | 15 | 41 | CWE-804: Guessable CAPTCHA |
| [41] | 7 | 15 | [Top25] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| Sharp drop - in the general Top 25. Voters rarely use PHP in their
organizations. |
Notes
The first five entries are also in the first five slots of the General
Top 25; the only difference is a change in the order of the first
three places.
Notice how more subtle buffer errors rose sharply in comparison to the
general list: CWE-190, CWE-131, and CWE-129. This may be a reflection
of a larger percentage of C/C++ applications used by the participating
vendors.
There may appear to be a conflict between the rise in buffer errors
while CSRF, XSS, and SQL injection remain near the top. These
weaknesses are not specific to web-based languages, and indeed, SQL
injection is a problem for a broader range of software than just
web-based applications. The ranking of XSS and CSRF may be due to
their prevalence - even non-web software may have web-based
components, such as a management interface. In addition, a large
amount of web-based software is written using C or C++.
With respect to the absence of security features, there was generally
a drop, e.g. for missing encryption (CWE-311) and missing
authentication (CWE-306), along with reliance on untrusted inputs in a
security decision (CWE-807). At the same time, the use of broken or
risky encryption (CWE-327) had a sharp rise. Perhaps there is an
increasing adoption of encryption, but the implementation is not
always correct.
In comparison to the general list, the relatively high ranking of
Exposed Dangerous Method or Function (CWE-749) and Use After Free
(CWE-416) may reflect general trends in vulnerability research as seen
in CVE, which has seen increases in both of these weaknesses in recent
years.
Ranked by Importance - for Software Customers
This profile ranks weaknesses based primarily on their importance, as
determined from the base voting data that was used to create the
general list. Prevalence is included in the scores, but it has much
less weighting than importance.
The two factors are:
* IMPORTANCE (Critical, High, Medium, Low)
* PREVALENCE (Widespread, High, Common, Limited)
For each vote, both IMPORTANCE and PREVALENCE are assigned values
between 1 and 4 (in which 4 is equivalent to the highest rating, i.e.,
"Critical" or "Widespread.")
The individual sub-score for the weakness is then calculated using the
formula:
(IMPORTANCE * IMPORTANCE) + PREVALENCE
All sub-scores for each weakness are added together to get a final
score.
| Rank | Score | CWE Entry |
|---|
| [1] | 676 | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| [2] | 582 | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| [3] | 535 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| [4] | 525 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| [5] | 378 | CWE-434: Unrestricted Upload of File with Dangerous Type |
| [6] | 364 | CWE-352: Cross-Site Request Forgery (CSRF) |
| [7] | 350 | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| [8] | 336 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| [9] | 324 | CWE-285: Improper Access Control (Authorization) |
| [10] | 322 | CWE-807: Reliance on Untrusted Inputs in a Security Decision |
| [11] | 304 | CWE-798: Use of Hard-coded Credentials |
| [12] | 300 | CWE-311: Missing Encryption of Sensitive Data |
| [13] | 281 | CWE-805: Buffer Access with Incorrect Length Value |
| [14] | 277 | CWE-306: Missing Authentication for Critical Function |
| [15] | 271 | CWE-129: Improper Validation of Array Index |
| [16] | 267 | CWE-131: Incorrect Calculation of Buffer Size |
| [17] | 261 | CWE-494: Download of Code Without Integrity Check |
| [18] | 244 | [Cusp] CWE-749: Exposed Dangerous Method or Function |
| Not in the general Top 25. |
| [19] | 241 | CWE-190: Integer Overflow or Wraparound |
| [20] | 225 | CWE-362: Race Condition |
| [21] | 224 | [Cusp] CWE-134: Uncontrolled Format String |
| Not in the general Top 25. |
[22]
(tie) | 224 | CWE-732: Incorrect Permission Assignment for Critical Resource |
| [23] | 223 | [Cusp] CWE-454: External Initialization of Trusted Variables or Data Stores |
| Not in the general Top 25. |
| [24] | 215 | [Cusp] CWE-212: Improper Cross-boundary Removal of Sensitive Data |
| Not in the general Top 25. |
[25]
(tie) | 215 | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| [26] | 204 | [Top25] CWE-770: Allocation of Resources Without Limits or Throttling |
| In the general Top 25. |
| [27] | 203 | [Top25] CWE-754: Improper Check for Unusual or Exceptional Conditions |
| In the general Top 25. |
| [28] | 199 | [Top25] CWE-209: Information Exposure Through an Error Message |
| In the general Top 25. |
| [29] | 196 | CWE-426: Untrusted Search Path |
| [30] | 194 | CWE-330: Use of Insufficiently Random Values |
[31]
(tie) | 194 | [Top25] CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| In the general Top 25. |
[32]
(tie) | 194 | CWE-681: Incorrect Conversion between Numeric Types |
| [33] | 192 | CWE-476: NULL Pointer Dereference |
| [34] | 189 | CWE-59: Improper Link Resolution Before File Access ('Link Following') |
| [35] | 184 | CWE-416: Use After Free |
| [36] | 180 | CWE-307: Improper Restriction of Excessive Authentication Attempts |
| [37] | 166 | CWE-456: Missing Initialization |
| [38] | 159 | CWE-772: Missing Release of Resource after Effective Lifetime |
| [39] | 150 | CWE-799: Improper Control of Interaction Frequency |
| [40] | 148 | CWE-672: Operation on a Resource after Expiration or Release |
| [41] | 127 | CWE-804: Guessable CAPTCHA |
Weaknesses by Technical Impact
This profile lists weaknesses based on their technical impact, i.e.,
what an attacker can accomplish by exploiting each weakness.
Note that skilled attackers can combine multiple weaknesses into a
single, larger attack that is more severe than any of its parts. For
example, a minor information leak (CWE-209) might allow an attacker to
determine the e-mail address of an administrator account, then use a
CSRF attack (CWE-352) to leverage the administrator's privileges to
upload a file with a dangerous extension (CWE-434) that allows code
execution.
Since attack trees are difficult to model in a flat structure like the
Top 25 list, the technical impact for each weakness is only measured
in isolation.
KEY:
* Code - code or command execution can occur
* Info - sensitive information or data can be stolen
* Privs - access to a high-privileged account
* Bypass - bypass a security protection mechanism
* DoS - denial of service
| Code | Info | Privs | Bypass | DoS | CWE Entry |
|---|
| Sometimes | Often | Sometimes | Rarely | Sometimes | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Sometimes | Often | Sometimes | Rarely | Sometimes | CWE-59: Improper Link Resolution Before File Access ('Link Following') |
| Often | Sometimes | Sometimes | Rarely | Sometimes | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Often | Often | Sometimes | Sometimes | Rarely | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Often | Often | Sometimes | Often | Sometimes | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| Often | Often | Sometimes | Rarely | Rarely | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| Often | Rarely | Sometimes | Rarely | Often | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| Often | Sometimes | Sometimes | Rarely | Often | CWE-129: Improper Validation of Array Index |
| Often | Sometimes | Sometimes | Rarely | Often | CWE-131: Incorrect Calculation of Buffer Size |
| Often | Sometimes | Sometimes | Rarely | Often | CWE-134: Uncontrolled Format String |
| Sometimes | Rarely | Rarely | Rarely | Sometimes | CWE-190: Integer Overflow or Wraparound |
| Rarely | Often | Sometimes | Sometimes | Rarely | CWE-209: Information Exposure Through an Error Message |
| Rarely | Often | Rarely | Rarely | Rarely | CWE-212: Improper Cross-boundary Removal of Sensitive Data |
| Rarely | Often | Often | Often | Often | CWE-285: Improper Access Control (Authorization) |
| Sometimes | Sometimes | Often | Often | Sometimes | CWE-306: Missing Authentication for Critical Function |
| Rarely | Rarely | Often | Often | Often | CWE-307: Improper Restriction of Excessive Authentication Attempts |
| Sometimes | Often | Sometimes | Sometimes | Sometimes | CWE-311: Missing Encryption of Sensitive Data |
| Rarely | Often | Sometimes | Often | Sometimes | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| Rarely | Sometimes | Sometimes | Often | Rarely | CWE-330: Use of Insufficiently Random Values |
| Rarely | Sometimes | Often | Often | Sometimes | CWE-352: Cross-Site Request Forgery (CSRF) |
| Sometimes | Sometimes | Often | Sometimes | Often | CWE-362: Race Condition |
| Sometimes | Rarely | Sometimes | Rarely | Often | CWE-416: Use After Free |
| Often | Rarely | Often | Sometimes | Rarely | CWE-426: Untrusted Search Path |
| Often | Sometimes | Sometimes | Rarely | Rarely | CWE-434: Unrestricted Upload of File with Dangerous Type |
| Sometimes | Sometimes | Sometimes | Often | Rarely | CWE-454: External Initialization of Trusted Variables or Data Stores |
| Sometimes | Rarely | Sometimes | Sometimes | Sometimes | CWE-456: Missing Initialization |
| Sometimes | Sometimes | Rarely | Rarely | Often | CWE-476: NULL Pointer Dereference |
| Often | Sometimes | Often | Often | Sometimes | CWE-494: Download of Code Without Integrity Check |
| Sometimes | Rarely | Rarely | Often | Sometimes | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| Sometimes | Sometimes | Sometimes | Rarely | Often | CWE-672: Operation on a Resource after Expiration or Release |
| Sometimes | Rarely | Sometimes | Rarely | Sometimes | CWE-681: Incorrect Conversion between Numeric Types |
| Sometimes | Often | Sometimes | Sometimes | Sometimes | CWE-732: Incorrect Permission Assignment for Critical Resource |
| Often | Sometimes | Often | Rarely | Sometimes | CWE-749: Exposed Dangerous Method or Function |
| Sometimes | Sometimes | Sometimes | Sometimes | Often | CWE-754: Improper Check for Unusual or Exceptional Conditions |
| Rarely | Sometimes | Rarely | Rarely | Often | CWE-770: Allocation of Resources Without Limits or Throttling |
| Rarely | Rarely | Rarely | Sometimes | Often | CWE-772: Missing Release of Resource after Effective Lifetime |
| Rarely | Sometimes | Often | Often | Sometimes | CWE-798: Use of Hard-coded Credentials |
| Rarely | Rarely | Sometimes | Sometimes | Often | CWE-799: Improper Control of Interaction Frequency |
| Rarely | Sometimes | Rarely | Often | Often | CWE-804: Guessable CAPTCHA |
| Often | Often | Sometimes | Rarely | Often | CWE-805: Buffer Access with Incorrect Length Value |
| Sometimes | Sometimes | Often | Often | Sometimes | CWE-807: Reliance on Untrusted Inputs in a Security Decision |
More information is available — Please edit the custom filter or select a different filter.
|
