Jump to navigation Jump to search
What is CWE/SANS Top 25?
CWE/SANS Top 25 is a set of 25 rules classified in 3 categories, relative to most dangerous programming errors.
- Insecure Interaction Between Components (8 errors)
- Risky Resource Management (10 errors)
- Porous Defenses (7 errors)
Global risk of each vulnerability is based on qualitative indicators:
- Weakness Prevalence: the term prevalence has been borrowed from the epidemiological field. In a nutshell, it represents the total number of cases in the total number of attacks at a given time.
- Remediation Cost: the amount of effort required to fix the weakness.
- Attack Frequency: how often the weakness occurs in vulnerabilities that are exploited by an attacker.
- Consequences: potential impacts of the attack (e.g. data loss, session theft, denial of access, ...)
- Ease of Detection: how easy it is for an attacker to find this weakness.
- Attacker Awareness: the likelihood that an attacker is going to be aware of this particular weakness, methods for detection, and methods for exploitation.
Insecure Interaction Between Components
- CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
- CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
- CWE-209: Information Exposure Through an Error Message
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-362: Race Condition
Risky Resource Management
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-129: Improper Validation of Array Index
- CWE-190: Integer Overflow or Wraparound
- CWE-131: Incorrect Calculation of Buffer Size
- CWE-494: Download of Code Without Integrity Check
- CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-285: Improper Access Control (Authorization)
- CWE-807: Reliance on Untrusted Inputs in a Security Decision
- CWE-311: Missing Encryption of Sensitive Data
- CWE-798: Use of Hard-coded Credentials
- CWE-306: Missing Authentication for Critical Function
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm