CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.0)  
ID

CWE VIEW: Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors

View ID: 750
Type: Graph
Status: Incomplete
+ Objective
CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors.
+ Audience
StakeholderDescription
Software DevelopersBy following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software.
Software CustomersIf a software developer claims to be following the Top 25, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim.
EducatorsEducators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25.
+ Relationships
Show Details:
750 - Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
+CategoryCategory2009 Top 25 - Insecure Interaction Between Components - (751)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components)
Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
*ClassClassImproper Encoding or Escaping of Output - (116)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 116 (Improper Encoding or Escaping of Output)
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Output SanitizationOutput ValidationOutput Encoding
*ClassClassImproper Input Validation - (20)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 20 (Improper Input Validation)
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
*BaseBaseInformation Exposure Through an Error Message - (209)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 209 (Information Exposure Through an Error Message)
The software generates an error message that includes sensitive information about its environment, users, or associated data.
*BaseBaseCleartext Transmission of Sensitive Information - (319)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 319 (Cleartext Transmission of Sensitive Information)
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
*CompositeCompositeCross-Site Request Forgery (CSRF) - (352)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 352 (Cross-Site Request Forgery (CSRF))
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Session RidingCross Site Reference ForgeryXSRF
*ClassClassConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'))
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
*BaseBaseImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Shell injectionShell metacharacters
*BaseBaseImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.XSSCSS
*BaseBaseImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 751 (2009 Top 25 - Insecure Interaction Between Components) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
+CategoryCategory2009 Top 25 - Risky Resource Management - (752)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management)
Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
*ClassClassImproper Restriction of Operations within the Bounds of a Memory Buffer - (119)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Memory Corruption
*BaseBaseImproper Resource Shutdown or Release - (404)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 404 (Improper Resource Shutdown or Release)
The program does not release or incorrectly releases a resource before it is made available for re-use.
*CompositeCompositeUntrusted Search Path - (426)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 426 (Untrusted Search Path)
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.Untrusted Path
*BaseBaseDownload of Code Without Integrity Check - (494)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 494 (Download of Code Without Integrity Check)
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
*ClassClassExternal Control of Critical State Data - (642)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 642 (External Control of Critical State Data)
The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors.
*ClassClassImproper Initialization - (665)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 665 (Improper Initialization)
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
*ClassClassIncorrect Calculation - (682)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 682 (Incorrect Calculation)
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
*ClassClassExternal Control of File Name or Path - (73)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 73 (External Control of File Name or Path)
The software allows user input to control or influence paths or file names that are used in filesystem operations.
*ClassClassImproper Control of Generation of Code ('Code Injection') - (94)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 752 (2009 Top 25 - Risky Resource Management) > 94 (Improper Control of Generation of Code ('Code Injection'))
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
+CategoryCategory2009 Top 25 - Porous Defenses - (753)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses)
Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
*ClassClassExecution with Unnecessary Privileges - (250)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses) > 250 (Execution with Unnecessary Privileges)
The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
*BaseBaseUse of Hard-coded Password - (259)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses) > 259 (Use of Hard-coded Password)
The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
*ClassClassImproper Authorization - (285)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses) > 285 (Improper Authorization)
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.AuthZ
*BaseBaseUse of a Broken or Risky Cryptographic Algorithm - (327)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses) > 327 (Use of a Broken or Risky Cryptographic Algorithm)
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
*ClassClassUse of Insufficiently Random Values - (330)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses) > 330 (Use of Insufficiently Random Values)
The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers.
*BaseBaseClient-Side Enforcement of Server-Side Security - (602)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses) > 602 (Client-Side Enforcement of Server-Side Security)
The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
*ClassClassIncorrect Permission Assignment for Critical Resource - (732)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses) > 732 (Incorrect Permission Assignment for Critical Resource)
The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
*BaseBaseUse of Hard-coded Credentials - (798)
750 (Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors) > 753 (2009 Top 25 - Porous Defenses) > 798 (Use of Hard-coded Credentials)
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
+ References
[REF-615] "2009 CWE/SANS Top 25 Most Dangerous Programming Errors". 2009-01-12. <http://cwe.mitre.org/top25>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-01-12CWE Content TeamMITRE
Modifications
Modification DateModifierOrganizationSource
2017-11-08CWE Content TeamMITRE
updated References
+ View Metrics
CWEs in this viewTotal CWEs
Total29out of982
Weaknesses26out of 714
Categories3out of 237
Views0out of 31

More information is available — Please select a different filter.
Page Last Updated: November 15, 2017