Common Weakness Enumeration (CWE), a strategic initiative sponsored by the U.S. Department of Homeland Security, has published the document 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (PDF), a list of 25 coding errors that lead, in the authors' opinion, to the worst software vulnerabilities.
While the OWASP Top Ten list, presented by InfoQ, focuses on web application security risks, the CWE Top 25 covers a broader range of issues, including the well-known buffer overrun vulnerability. CWE also provides the additional detail programmers need to write more secure code.
The list is the result of collaboration between the SANS Institute, MITRE, and “many top software security experts in the US and Europe”. While the CWE website has a catalogue of over 800 programming, design and architectural errors, the CWE document is limited to the top 25 items and is addressed primarily to programmers, to help them write safer code. But the document can also be used by software designers, architects and even CIOs, who should be aware of these possible vulnerabilities and take appropriate measures.
Cross-site scripting (XSS) and SQL Injection are ranked as the two most dangerous weaknesses in software, while the buffer overflow comes third, according to CWE.
The authors do not consider their list set in stone, and recommend that each organization create its own list based on its own criteria. The document suggests a number of “Focus Profiles”, one of them being “Weaknesses by Language”:
| C/C++ | Java | PHP | Perl | CWE Entry | Notes |
|---|---|---|---|---|---|
| High | Mod | High | High | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Language-independent, but prevalence is reduced in sandboxed environments. |
| High | Mod | High | High | CWE-78: Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | |
| Mod | High | High | High | CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting') | |
| High | High | High | High | CWE-89: Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | |
| | | High | | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | Technically this type of problem can happen in most interpreted languages, but it seems to be most prevalent in PHP. |
| High | Ltd | Ltd | Ltd | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Interpreters and native code, often built using C/C++, may be subject to buffer overflows that are reachable from higher-level language constructs that otherwise appear "safe." |
| High | Ltd | Ltd | Ltd | CWE-129: Improper Validation of Array Index | Technically this can happen in many different languages, but it becomes security-relevant most often in C/C++ programs. |
| High | Ltd | Ltd | Ltd | CWE-131: Incorrect Calculation of Buffer Size | Up-and-coming as simpler buffer overflows are eliminated. Interpreters and native code, often built using C/C++, may be subject to buffer overflows that are reachable from higher-level language constructs that otherwise appear "safe." |
| High | Ltd | Ltd | Ltd | CWE-190: Integer Overflow or Wraparound | Technically this can happen in many different languages, but it becomes security-relevant most often in C/C++ programs. |
| Mod | High | High | Mod | CWE-209: Information Exposure Through an Error Message | Language-independent but occurs frequently in web-based environments and in languages where error reporting is automatically performed externally. |
| High | High | High | High | CWE-285: Improper Access Control (Authorization) | |
| Mod | Mod | Mod | Mod | CWE-306: Missing Authentication for Critical Function | Prevalent in web-based environments. |
| High | High | High | High | CWE-311: Missing Encryption of Sensitive Data | |
| High | Mod | High | Mod | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | Some languages do not have built-in crypto or well-established libraries, leaving developers to build or integrate their own. |
| High | High | High | High | CWE-352: Cross-Site Request Forgery (CSRF) | Web-based problem, which is language-independent. |
| High | High | Mod | Ltd | CWE-362: Race Condition | Potential issue in any language that supports threading or interacts with OS system resources. |
| Ltd | Mod | High | Ltd | CWE-434: Unrestricted Upload of File with Dangerous Type | |
| Ltd | Mod | Mod | Ltd | CWE-494: Download of Code Without Integrity Check | Most often applicable to mobile code, although potentially present in any software that manages its own upgrades. |
| Mod | Mod | Mod | Mod | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | Web-based problem, which is language-independent. Many web applications do not use redirect functionality. |
| High | High | High | High | CWE-732: Incorrect Permission Assignment for Critical Resource | |
| High | Ltd | High | High | CWE-754: Improper Check for Unusual or Exceptional Conditions | Less prevalent for languages where exception handling forces checks to occur. |
| High | Mod | Mod | High | CWE-770: Allocation of Resources Without Limits or Throttling | Less problematic for environments with built-in resource management. |
| Mod | Mod | Mod | Mod | CWE-798: Use of Hard-coded Credentials | |
| High | | | | CWE-805: Buffer Access with Incorrect Length Value | Interpreters and native interfaces, often built using C/C++, may have overflows that are reachable from otherwise-"safe" code. |
| High | High | High | High | CWE-807: Reliance on Untrusted Inputs in a Security Decision | Language-independent, but very prevalent in web applications. |

The ratings give the prevalence of each weakness in the given language: High, Mod (moderate) or Ltd (limited); a blank cell means the entry was not rated for that language.
For each weakness the authors provide information such as: ranking, score summary, prevention and mitigation measures, related attack patterns, attack frequency, ease of detection, remediation costs and other information. A large portion of the document is dedicated to a detailed description of each weakness, including technical details, code samples and prevention measures to be taken at the architecture, design, implementation or operational level. For example, for the #1 weakness in the list, an excerpt of the information provided by the authors is:
Failure to Preserve Web Page Structure ('Cross-site Scripting') - “The software does not sufficiently validate, filter, escape, and encode user-controllable input before it is placed in output that is used as a web page that is served to other users.”
| Weakness Prevalence | High | Consequences | Code execution, Security bypass |
| Remediation Cost | Low | Ease of Detection | Easy |
| Attack Frequency | Often | Attacker Awareness | High |
Technical Details, including the three main types of Cross-site scripting (XSS): Reflected XSS (or Non-Persistent), Stored XSS (or Persistent), and DOM-Based XSS.
Code Samples, like this JSP example:
<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>
Detection Methods, like Automatic Static Analysis and Black Box.
For each weakness, the authors list several prevention measures, such as the following:
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.
Parts of the same output document may require different encodings, which will vary depending on whether the output is in the:
- HTML body
- Element attributes (such as src="XYZ")
- URIs
- JavaScript sections
- Cascading Style Sheets and style property
- etc.
Note that HTML Entity Encoding is only appropriate for the HTML body.
Consult the XSS Prevention Cheat Sheet [REF-16] for more details on the types of encoding and escaping that are needed.
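The JSP sample above writes eid straight into the page; the prevention measure quoted here says the fix is a different encoder for each output context. The following Python is an added example, not code from the CWE document or the OWASP cheat sheet: one encoder per context, a scheme allowlist for URL attributes, and a render function that places the same eid value in four contexts. Function names and the output template are this example's own assumptions.

```python
import html
import re
from urllib.parse import quote

# Added example (not from the CWE document): one encoder per output context.
# Each neutralizes the characters that could terminate its *enclosing* syntax,
# which is why no single encoder covers every context.

def _hex_escape(s: str, fmt) -> str:
    """Escape every character except ASCII letters/digits using fmt(codepoint)."""
    return "".join(c if c.isascii() and c.isalnum() else fmt(ord(c)) for c in s)

def encode_html_body(s: str) -> str:
    """HTML body text: entity-encode & < > \" and '."""
    return html.escape(s, quote=True)

def encode_html_attr(s: str) -> str:
    """Quoted attribute value: &#xHH; for every non-alphanumeric character."""
    return _hex_escape(s, lambda cp: f"&#x{cp:X};")

def encode_js_string(s: str) -> str:
    """Inside a JavaScript string literal: \\xHH, \\uHHHH (surrogate pairs above the BMP)."""
    def esc(cp):
        if cp < 0x100:
            return f"\\x{cp:02X}"
        units = chr(cp).encode("utf-16-be")
        return "".join(f"\\u{int.from_bytes(units[i:i + 2], 'big'):04X}" for i in range(0, len(units), 2))
    return _hex_escape(s, esc)

def encode_css_string(s: str) -> str:
    """Inside a CSS string: fixed-width \\HHHHHH escapes (no trailing-space ambiguity)."""
    return _hex_escape(s, lambda cp: f"\\{cp:06X}")

# Allow http(s) URLs and site-relative paths; reject other schemes and //host forms.
_SAFE_URL = re.compile(r"^(https?://|/(?!/))", re.IGNORECASE)

def encode_url_attr(url: str) -> str:
    """href/src value: scheme allowlist, then percent-encode, then attribute-encode."""
    if not _SAFE_URL.match(url):
        return "#"  # refuse unknown schemes instead of trying to "clean" them
    return encode_html_attr(quote(url, safe="/:?=&"))

def render_employee(eid: str) -> str:
    """The CWE JSP sample's eid placed in four contexts, each with its own encoder."""
    return (
        f"Employee ID: {encode_html_body(eid)}\n"
        f'<input value="{encode_html_attr(eid)}">\n'
        f'<a href="{encode_url_attr("/employees?eid=" + eid)}">profile</a>\n'
        f"<script>var eid = '{encode_js_string(eid)}';</script>"
    )
```

Note that encode_html_body leaves a URL such as javascript:void(0) completely unchanged, which is the point of the caveat above: entity encoding protects the HTML body only, and a URL attribute needs its own allowlist and encoding.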
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors document also details the criteria used in selecting the top 25 weaknesses, a comparison to the same list generated in 2009, and a comparison to OWASP Top Ten 2010 RC1, a list of the top 10 web application security vulnerabilities.