CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE/SANS Top 25 > 2010 CWE/SANS Top 25: Focus Profiles  
ID

2010 CWE/SANS Top 25: Focus Profiles

The prioritization of items in the general Top 25 list is just that - general. The rankings, and even the selection of which items should be included, can vary widely depending on context. Ideally, each organization can decide how to rank weaknesses based on its own criteria, instead of relying on a single general-purpose list.

This document provides several "focus profiles" with their own criteria for selection and ranking, which may be more useful than the general list.

On the Cusp: Weaknesses that Did Not Make the 2010 Top 25

The Top 25 was selected using a voting process in which participants evaluated a Nominee List of 41 weaknesses. From this list, the final Top 25 was selected based on a combination of prevalence and importance, as evaluated by participants.

This leaves 16 "On the Cusp" weaknesses from the Nominee List that did not make it into the final Top 25. This could be due to one or more of the following reasons:

* Not prevalent enough

* Not important enough

* Not enough votes (implying limited prevalence/importance)

* Too new (or too old) to be sufficiently relevant in the current environment

RankScoreCWE Entry
[26]136CWE-749: Exposed Dangerous Method or Function
Just 2 points from the Top 25, possibly on the rise.
[27]129CWE-307: Improper Restriction of Excessive Authentication Attempts
Possibly squeezed off the Top 25 by cousins such as missing authentication.
[28]125CWE-212: Improper Cross-boundary Removal of Sensitive Data
Important when privacy is a main concern.
[29]124CWE-330: Use of Insufficiently Random Values
Not always security-relevant, but still dangerous if it is.
[30]120CWE-59: Improper Link Resolution Before File Access ('Link Following')
A burst in CVE statistics in 2008 shows that these can still be prevalent if focused attention is paid to them.
[31]
(tie)
120CWE-134: Uncontrolled Format String
Usually easily findable, and code execution possibilities have been reduced due to compiler changes, e.g. removal of support for "%n" sequences.
[32]119CWE-476: NULL Pointer Dereference
Typically cause a denial of service in C/C++ but, for certain Linux kernels and possibly other environments, exploitable for code execution.
[33]
(tie)
119CWE-681: Incorrect Conversion between Numeric Types
May be on the rise in future years, especially in transitions from 32-bit to 64-bit architectures.
[34]118CWE-426: Untrusted Search Path
Prevalence is uncertain.
[35]116CWE-454: External Initialization of Trusted Variables or Data Stores
High prevalence in PHP environments with register_globals enabled, or by programmers who are not familiar with the effectiveness of reverse engineering, or the many ways that inputs can be modified.
[36]114CWE-416: Use After Free
Likely on the rise in future years.
[37]
(tie)
114CWE-772: Missing Release of Resource after Effective Lifetime
Important when prevention of denial of service is critical.
[38]106CWE-799: Improper Control of Interaction Frequency
Important when prevention of denial of service is critical. Also a critical component of brute force attacks against security features.
[39]100CWE-456: Missing Initialization
Not always security-relevant; also, easily findable and fixable with modern compilers and code scanners.
[40]91CWE-672: Operation on a Resource after Expiration or Release
Sometimes catchable by the compiler, but may increase in future years.
[41]77CWE-804: Guessable CAPTCHA
Not very prevalent since the use of CAPTCHA is not very prevalent, and importance is generally less than that of other security features such as encryption and authentication.

Educational Emphasis

This profile ranks weaknesses that are important from an educational perspective within a school or university context. It focuses on the CWE entries that graduating students should know, including historically important weaknesses. There is an emphasis on higher-level root causes, mitigations, and issues that are difficult for new students to initially understand.

The score is generated from Prevalence ("Prev"), Importance ("Imp"), and Emphasis ("Emp").

Three factors were used to conduct scoring and ranking:

* EMPHASIS (Critical [Crit], High, Medium [Med], Low)

* IMPORTANCE (Critical [Crit], High, Medium [Med], Low)

* PREVALENCE (Widespread [Wide], High, Common [Comm], Limited [Ltd])

For each weakness, both IMPORTANCE and PREVALENCE are assigned values between 1 and 4 (in which 4 is equivalent to the highest rating, i.e., "Critical" or "Widespread.") EMPHASIS ratings are assigned values of 0, 2, 4, or 6, with 6 being equivalent to "Critical."

The score for the weakness is then calculated using the formula: (IMPORTANCE x PREVALENCE) + EMPHASIS

The rating for emphasis included factors such as difficulty of student understanding, general applicability of the weakness to broader concepts, presence in the programming languages being taught, and relevance to the curriculum or syllabus.

All 41 entries from the original Nominee List are included.

RankScorePrevImpEmphCWE Entry
[1]22WideCritCritCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
There's no end to this. There are many attack modes, variants, many injection points (some subtle), and possible consequences. Students must understand how web technology is seriously flawed in the name of functionality at any cost.
[2]20WideCritHighCWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Foundational notion. Touches also on improperly terminated strings, stack, heap, and mitigation technologies (canary, address space layout randomization, etc...).
[3]16WideCritLowCWE-798: Use of Hard-coded Credentials
Trivial but very important concept with catastrophic consequences, unfortunately widespread historically.
[4]14WideHighMedCWE-285: Improper Access Control (Authorization)
Easy concept in principle but lots of subtleties.
[5]
(tie)
14HighCritMedCWE-362: Race Condition
Critical concept for students to learn, but is not too difficult to understand with respect to the filesystem. Rely on operating system class to teach the use of semaphores, and database class for the use of transactions.
[6]
(tie)
14HighCritMedCWE-807: Reliance on Untrusted Inputs in a Security Decision
Easy to understand, but often repeated mistake historically. Critical trust concept.
[7]13HighHighHighCWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Good time for teaching white lists. Touches URL-encoding and character encoding in general, multiple encodings, black lists failures, canonicalization concept.
[8]
(tie)
13HighHighHighCWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Touches on code injection as a foundational concept, data and code separation. Touches on System calls, exec calls, API ambiguity, environment poisoning. OS injection requires less background, infrastructure and preparation to demonstrate than other injection-related weaknesses such as SQL injection.
[9]
(tie)
13HighHighHighCWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
It takes time to explain how it works, and the strongest defenses.
[10]
(tie)
13HighHighHighCWE-754: Improper Check for Unusual or Exceptional Conditions
Students are rarely taught how to properly handle errors and exceptions, and graded appropriately. This reaches into the security mindset of looking for border cases and unusual situations, so awareness of this issue should lead to more careful programming and a more valuable developer.
[11]
(tie)
13HighHighHighCWE-805: Buffer Access with Incorrect Length Value
There are so many ways to get this wrong...
[12]11HighHighMedCWE-327: Use of a Broken or Risky Cryptographic Algorithm
Important concept, cryptography is hard to do. "Don't roll your own". Emphasis by examples of broken uses, and correct algorithms and libraries, should be sufficient.
[13]
(tie)
11HighHighMed[Cusp] CWE-330: Use of Insufficiently Random Values
Emphasis by examples of broken uses, and correct algorithms and libraries, should be sufficient. Touches on cryptography, race conditions, networking, games, testing (fuzzing)
[14]10CommHighHigh[Cusp] CWE-59: Improper Link Resolution Before File Access ('Link Following')
Touches on randomness, filesystem (esp. inodes), file handles vs file names, race conditions, elevated privileges (least privilege idea)
[15]
(tie)
10HighMedHighCWE-190: Integer Overflow or Wraparound
Lots of subtleties in this one.
[16]
(tie)
10WideMedMedCWE-209: Information Exposure Through an Error Message
Notion is easy to understand
[17]8WideMedLowCWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Easy to understand in principle. Language specific issue, so of lower educational value. However, it's a mistake that students would make so often that "widespread" is warranted if the CWE is relevant.
[18]
(tie)
8CommHighMedCWE-129: Improper Validation of Array Index
Trust issue also.
[19]
(tie)
8CommMedHighCWE-131: Incorrect Calculation of Buffer Size
Touches concepts of wide characters, character encoding, variable-width characters, memory alignment.
[20]
(tie)
8HighMedMed[Cusp] CWE-134: Uncontrolled Format String
[21]
(tie)
8HighMedMed[Cusp] CWE-212: Improper Cross-boundary Removal of Sensitive Data
Subtle flaws and advanced subject. Touches on erasing unused space in buffers and allocated memory.
[22]
(tie)
8HighMedMedCWE-352: Cross-Site Request Forgery (CSRF)
Attack is easy to understand but prevention is more difficult, with several ways of doing it wrong.
[23]
(tie)
8HighMedMed[Cusp] CWE-454: External Initialization of Trusted Variables or Data Stores
Typical rookie mistake, esp. in HTML forms or JavaScript code (thinking that JS code running on client is not externally initialized values). Concept is easy to grasp. Touches on trust
[24]
(tie)
8HighMedMed[Cusp] CWE-681: Incorrect Conversion between Numeric Types
[25]
(tie)
8HighMedMedCWE-770: Allocation of Resources Without Limits or Throttling
Touches on asymmetric attacks, allocation of resources for anonymous users, unexpected DoS (e.g., SYN flood), accountability, trust
[26]6HighMedLow[Top25] CWE-311: Missing Encryption of Sensitive Data
Trivial concept
[27]
(tie)
6CommMedMedCWE-426: Untrusted Search Path
Touches on environment variables, poisoning, "." in paths, urls (resembles CWE-22: "Path Traversal" in that aspect)
[28]
(tie)
6HighMedLowCWE-476: NULL Pointer Dereference
Notion is easy to understand
[29]
(tie)
6HighMedLow[Top25] CWE-494: Download of Code Without Integrity Check
Trivial concept to learn, in principle.
[30]
(tie)
6CommMedMedCWE-749: Exposed Dangerous Method or Function
Trivial concept, but may bear emphasis on what makes a method dangerous.
[31]
(tie)
6HighMedLowCWE-772: Missing Release of Resource after Effective Lifetime
Trivial concept
[32]
(tie)
6HighMedLowCWE-799: Improper Control of Interaction Frequency
Concept is easy to understand
[33]4CommMedLowCWE-307: Improper Restriction of Excessive Authentication Attempts
Trivial concept
[34]
(tie)
4CommMedLowCWE-416: Use After Free
Easy to understand; may be a distraction error
[35]
(tie)
4CommMedLowCWE-456: Missing Initialization
[36]
(tie)
4CommMedLow[Top25] CWE-732: Incorrect Permission Assignment for Critical Resource
Case-specific issue, trivial concept.
[37]3LtdHighLow[Top25] CWE-306: Missing Authentication for Critical Function
Trivial concept.
[38]
(tie)
3LtdHighLow[Top25] CWE-434: Unrestricted Upload of File with Dangerous Type
Concept is trivial. Getting it right is hard, but the applicability is very limited.
[39]
(tie)
3HighLowLow[Top25] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
[40]2CommLowLowCWE-672: Operation on a Resource after Expiration or Release
Concept is trivial. Often a distraction mistake.
[41]
(tie)
2CommLowLowCWE-804: Guessable CAPTCHA
Trivial concept; application is limited.

Weaknesses by Language

This profile specifies which weaknesses appear in which programming languages. Notice that most weaknesses are actually language-independent, although they may be more prevalent in one language or another.

For each language, the possible ratings are:

* High - this weakness frequently appears in software written in the language, and it is often a security problem instead of "just a bug."

* Moderate (Mod) - this weakness sometimes appears in software written in the language, but when it does, it is often a security problem.

* Limited (Ltd) - this weakness either (1) rarely appears in software written in the language, but is often a security problem when it does; or (2) can frequently appear, but is rarely a security problem when it does.

Some cells will be left blank if the problem is language-specific.

These items are sorted by CWE ID.

C/C++JavaPHPPerlCWE Entry
HighModHighHighCWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Language-independent, but prevalence is reduced in sandboxed environments.
HighModHighHighCWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ModHighHighHighCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
HighHighHighHighCWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
HighCWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Technically this type of problem can happen in most interpreted languages, but it seems to be most prevalent in PHP.
HighLtdLtdLtdCWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Interpreters and native code, often built using C/C++, may be subject to buffer overflows that are reachable from higher-level language constructs that otherwise appear "safe."
HighLtdLtdLtdCWE-129: Improper Validation of Array Index
Technically this can happen in many different languages, but it becomes security-relevant most often in C/C++ programs.
HighLtdLtdLtdCWE-131: Incorrect Calculation of Buffer Size
Up-and-coming as simpler buffer overflows are eliminated. Interpreters and native code, often built using C/C++, may be subject to buffer overflows that are reachable from higher-level language constructs that otherwise appear "safe."
HighLtdLtdLtdCWE-190: Integer Overflow or Wraparound
Technically this can happen in many different languages, but it becomes security-relevant most often in C/C++ programs.
ModHighHighModCWE-209: Information Exposure Through an Error Message
Language-independent but occurs frequently in web-based environments and in languages where error reporting is automatically performed externally.
HighHighHighHighCWE-285: Improper Access Control (Authorization)
ModModModModCWE-306: Missing Authentication for Critical Function
Prevalent in web-based environments.
HighHighHighHighCWE-311: Missing Encryption of Sensitive Data
HighModHighModCWE-327: Use of a Broken or Risky Cryptographic Algorithm
Some languages do not have built-in crypto or well-established libraries, leaving developers to build or integrate their own.
HighHighHighHighCWE-352: Cross-Site Request Forgery (CSRF)
Web-based problem, which is language-independent.
HighHighModLtdCWE-362: Race Condition
Potential issue in any language that supports threading or interacts with OS system resources.
LtdModHighLtdCWE-434: Unrestricted Upload of File with Dangerous Type
LtdModModLtdCWE-494: Download of Code Without Integrity Check
Most often applicable to mobile code, although potentially present in any software that manages its own upgrades.
ModModModModCWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Web-based problem, which is language-independent. Many web applications do not use redirect functionality.
HighHighHighHighCWE-732: Incorrect Permission Assignment for Critical Resource
HighLtdHighHighCWE-754: Improper Check for Unusual or Exceptional Conditions
Less prevalent for languages where exception handling forces checks to occur.
HighModModHighCWE-770: Allocation of Resources Without Limits or Throttling
Less problematic for environments with built-in resource management.
ModModModModCWE-798: Use of Hard-coded Credentials
HighCWE-805: Buffer Access with Incorrect Length Value
Interpreters and native interfaces, often built using C/C++, may have overflows that are reachable from otherwise-"safe" code.
HighHighHighHighCWE-807: Reliance on Untrusted Inputs in a Security Decision
Language-independent, but very prevalent in web applications.

Weaknesses Typically Fixed in Design or Implementation

This profile lists weaknesses that are typically fixed in design or implementation.

When weaknesses occur in the architecture or design phases, the ideal solution may be out of the control of programmers, and the problem may be expensive to fix.

For weaknesses that are fixable during the implementation phase, minor localized code changes may be feasible, but the weaknesses may appear in large numbers throughout the code. A longer-term strategy may be to implement certain design-level changes that make it more difficult to introduce these weaknesses, and/or make them more easy to detect when they occur.

The columns are:

* Design (abbreviated "Des")

* Implementation (abbreviated "Impl")

These entries are sorted by their CWE ID.

DesImplCWE Entry
XCWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
XCWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Usually implementation, but sometimes this is a design-level problem when the software accepts an entire command from externally-controlled input.
XCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Many XSS bugs can be fixed locally in the code. However, due to the high prevalence and complexity of XSS, design-level changes may be appropriate, such as the utilization of libraries that are aware of encoding context.
XCWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
While individual issues can be fixed locally, a broader design-level change may be appropriate, such as using parameterized queries.
XCWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
While local fixes are often possible, the design of the application may intentionally include files from remote sites, in which case a design change will be necessary.
XCWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
XCWE-129: Improper Validation of Array Index
Typically occurs during implementation, but sometimes this is a reflection of a design problem in an algorithm.
XCWE-131: Incorrect Calculation of Buffer Size
XCWE-190: Integer Overflow or Wraparound
These are often fixable using localized code changes, but adoption of libraries may be more appropriate.
XCWE-209: Information Exposure Through an Error Message
Sometimes occurs in requirements/specification or in operation.
XCWE-285: Improper Access Control (Authorization)
Accidental omission of fine-grained authorization may happen even if the design or specification requires it.
XCWE-306: Missing Authentication for Critical Function
XCWE-311: Missing Encryption of Sensitive Data
Sometimes occurs during operation.
XCWE-327: Use of a Broken or Risky Cryptographic Algorithm
XCWE-352: Cross-Site Request Forgery (CSRF)
Can occur during implementation if a CSRF solution is available and in active use, but the programmer accidentally omits applcation of the solution to a particular form, even when the solution is applied to most other forms.
XCWE-362: Race Condition
Sometimes occurs in implementation if the programmer uses non-atomic operations under the assumption that they are atomic, or otherwise introduces a bug during synchronization.
XCWE-434: Unrestricted Upload of File with Dangerous Type
Implementation-level occurrences are possible.
XCWE-494: Download of Code Without Integrity Check
XCWE-601: URL Redirection to Untrusted Site ('Open Redirect')
XCWE-732: Incorrect Permission Assignment for Critical Resource
Could be design, implementation, or installation/configuration depending on the specific software.
XCWE-754: Improper Check for Unusual or Exceptional Conditions
XCWE-770: Allocation of Resources Without Limits or Throttling
XCWE-798: Use of Hard-coded Credentials
Could also occur during installation/configuration.
XCWE-805: Buffer Access with Incorrect Length Value
XCWE-807: Reliance on Untrusted Inputs in a Security Decision
Implementation-level occurrences are possible.

Automated vs. Manual Analysis

This profile highlights which weaknesses can be detected using automated versus manual analysis. Currently, there is very little public, authoritative information about the efficacy of these methods and their utility. There are many competing opinions, even among experts. As a result, these ratings should only be treated as guidelines, not rules. The effectiveness of each method depends on the environment, cost/time/labor factors, expertise of the analysts, and other factors that may vary across organizations.

Automated techniques are performed by computers and include, but are not limited to: source code analyzers, binary code analyzers, fuzzers, data security analyzers, web application scanners, and dynamic code analyzers. Manual techniques are performed by human analysts and include, but are not limited to: penetration testing, architectural review, and manual code review. It is generally regarded that a hybrid of techniques is the most useful, by leveraging the strengths of each technique in the most cost-effective manner.

Whether automated or manual, white box techniques perform analysis against source code or architecture, while black box techniques execute the software and observe its external behavior and artifacts.

Automated methods are generally more effective for finding implementation-level problems than design-level problems. Automated static code analysis can offer broad code coverage, and automated dynamic analysis can perform a large number of attacks in a short amount of time. However, these methods may require you to develop custom detection rules, build your application with a special compiler, and/or provide any necessary credentials for logging into the targeted software. They may have difficulty recognizing custom routines and critical flaws in business logic, or they may not filter or de-prioritize certain results that are not relevant to the execution environment.

Manual methods are generally more effective for finding design-level problems, flaws in business logic, recognizing custom routines, and providing general feedback about the overall posture of the software. However, manual methods may be labor intensive, and they require proficient analysts to produce effective results. Different analysts may not produce consistent or repeatable results. For weaknesses that can be found by automated methods, manual methods may not achieve the same amount of code coverage without significant investment in labor.

Hybrid methods are often employed by combining both manual and automated analysis. It is generally regarded that a hybrid methods are the most useful, since they leverage the strengths of each technique. Hybrid analysis may be able achieve a reasonable balance between code coverage, labor/time costs, and false-positive/false-negative rates. Hybrid methods are not covered in this profile.

The columns are labeled as follows:

* Auto-WB - automated white box

* Auto-BB - automated black box

* Man-WB - manual white box

* Man-BB - manual black box

For each technique and weakness, the effectiveness of the technique against the weakness is classified as follows. NOTE: these ratings assume the use of best-of-breed tools, analysts, and methods. There is limited consideration for financial costs, labor, or time. See above for a summary of some of the challenges.

* High - has well-known, well-understood strengths and limitations; there are reasonable false-positive or false-negative rates, especially in comparison to other methods; there is good coverage with respect to other methods; might not require significant labor to achieve useful results.

* Moderate (Mod) - applicable to multiple circumstances, but may be subject to high false-positive or false-negative rates that may vary widely; may require significant training/customization; may require significant labor, time, or expertise to achieve useful results.

* Limited (Ltd) - applicable in limited circumstances, or not at all; has high false-positive or false-negative rates, or generates a large number of irrelevant findings; may require extensive training/customization; or gives limited visibility into the root cause.

These weaknesses are sorted by CWE ID.

Auto-WBAuto-BBMan-WBMan-BBCWE Entry
HighModHighLtdCWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Automated techniques can find areas where path traversal weaknesses exist, but tuning/customization may be required, e.g. to filter path-traversal problems that are only exploitable by the software's administrator and thus potentially valid. Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file accesses can be evaluated within limited time constraints.
HighModHighModCWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Black box methods may be hampered if there is limited control over the contents of the OS command. For code that is portable across multiple OSes, Auto-WB may be limited by assumptions about OS context.
ModModModModCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
There is some disagreement about whether automated methods have enough coverage, since web applications often process large numbers of inputs and can involve complex interactions between multiple processes or components.
HighModHighModCWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Auto-BB may not be able to generate sufficient test cases or detect evidence of a problem. Auto-BB or Auto-WB methods may not recognize SQL injection when there are complex interactions between multiple processes or components.
HighModHighModCWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Black box methods may not be effective in finding non-trivial instances of this weakness.
HighModModModCWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Auto-WB may require tuning to ensure that all sources and sinks are properly identified. Auto-BB may have some success if fuzzing is employed and all interfaces are well understood. Man-WB and Man-BB may not achieve desired code coverage within limited time constraints.
HighModModModCWE-129: Improper Validation of Array Index
Code coverage is important since many operations use an array index. Black box methods might not get the needed code coverage, and a successful test might not produce any noticeable side effects.
HighLtdModLtdCWE-131: Incorrect Calculation of Buffer Size
Black box methods may not be able to diagnose this specific weakness. Code coverage may be a problem for manual methods.
HighLtdModLtdCWE-190: Integer Overflow or Wraparound
Black box methods may not be able to diagnose this specific weakness, although some fuzzing (Auto-BB) techniques may focus on integer-boundary issues.
LtdLtdHighModCWE-209: Information Exposure Through an Error Message
Certain idioms may be detectable automatically, such as exposed stack traces or pathnames, but this weakness generally requires domain-specific interpretation using manual analysis.
LtdLtdHighModCWE-285: Improper Access Control (Authorization)
Automated techniques may detect generic protections, or identify many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic. Manual efforts might not achieve desired code coverage within limited time constraints.
LtdModHighModCWE-306: Missing Authentication for Critical Function
Requires domain-specific understanding of which functionality requires authentication. Black box methods may not detect all exposed functionality.
LtdLtdHighHighCWE-311: Missing Encryption of Sensitive Data
Requires domain-specific understanding of which data is sensitive, so manual methods are needed. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box analysis may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.
ModLtdHighLtdCWE-327: Use of a Broken or Risky Cryptographic Algorithm
Automated methods may require training to recognize the use of libraries for obsolete algorithms. Manual methods will be necessary to recognize custom implementations of obsolete algorithms or perform cryptanalysis of proprietary or non-standard algorithms; in the latter case, cryptographic expertise is likely needed.
LtdLtdHighModCWE-352: Cross-Site Request Forgery (CSRF)
CSRF generally requires domain-specific knowledge to distinguish from legitimate behavior, thus manual effort is needed. Automated techniques may be able to detect the absence of certain anti-CSRF idioms, but this would likely require custom tuning. Auto-BB may still rely on manual review for effective results. Manual efforts might not achieve desired code coverage within limited time constraints.
ModLtdModLtdCWE-362: Race Condition
Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file access checks. Black box methods may be able to identify potential race conditions via methods such as multiple simultaneous connections, although race conditions with very narrow timing windows would not be detectable.
ModModModModCWE-434: Unrestricted Upload of File with Dangerous Type
There is some disagreement about the effectiveness of these techniques.
LtdLtdHighModCWE-494: Download of Code Without Integrity Check
Typically requires understanding of intended behavior. Automated methods might be useful for detecting the usage of common idioms for integrity checks.
ModModHighHighCWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Auto-BB tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected. Auto-WB tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.
ModModModModCWE-732: Incorrect Permission Assignment for Critical Resource
Permission weaknesses for common system resources such as files or registry keys are detectable using automated techniques, but many applications have their own custom permission schemes for domain-specific resources, requiring manual analysis. Manual efforts might not achieve desired code coverage within limited time constraints.
HighModModModCWE-754: Improper Check for Unusual or Exceptional Conditions
Black box methods cannot necessarily force the appropriate unusual conditions, especially those that may be domain-specific. Manual efforts might not achieve desired code coverage within limited time constraints.
ModHighHighModCWE-770: Allocation of Resources Without Limits or Throttling
Automated fuzzing or flooding attacks may expose certain types of this weakness - e.g., uncontrolled allocation of system resources such as files and CPU - but this may still require manual interpretation of the results. Manual efforts might not achieve desired code coverage within limited time constraints, but would be better suited to detecting business-level cases.
ModLtdHighLtdCWE-798: Use of Hard-coded Credentials
Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code. Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness.
HighModModLtdCWE-805: Buffer Access with Incorrect Length Value
Auto-BB techniques such as fuzzing may find evidence of this issue. Manual efforts might not achieve desired code coverage within limited time constraints.
LtdLtdHighModCWE-807: Reliance on Untrusted Inputs in a Security Decision
Automated methods may not be able to distinguish between allowable inputs and those used for security functionality.

For Developers with Established Software Security Practices

This profile is for developers who have already begun integration of security into their development life cycle and may have had some success in ridding their software of some of the most common weaknesses.

Weakness rankings are constructed using "Prevalence" and "Importance" as assessed by the original votes of the major software vendors who participated in the Top 25 effort: Red Hat, Oracle, Microsoft, EMC, Symantec, and Apple.

RankScoreGenRankCWE Entry
[1]803CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[2]661CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[3]592CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[4]534CWE-352: Cross-Site Request Forgery (CSRF)
[5]515CWE-285: Improper Access Control (Authorization)
[6]4818CWE-131: Incorrect Calculation of Buffer Size
Sharp rise compared to the general Top 25.
[7]479CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[8]4617CWE-190: Integer Overflow or Wraparound
Sharp rise compared to the general Top 25.
[9]4512CWE-805: Buffer Access with Incorrect Length Value
[10]4415CWE-129: Improper Validation of Array Index
Sharp rise compared to the general Top 25.
[11]4011CWE-798: Use of Hard-coded Credentials
[12]386CWE-807: Reliance on Untrusted Inputs in a Security Decision
Sharp drop compared to the general Top 25.
[13]378CWE-434: Unrestricted Upload of File with Dangerous Type
Sharp drop compared to the general Top 25.
[14]3610CWE-311: Missing Encryption of Sensitive Data
[15]
(tie)
3624CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Sharp rise compared to the general Top 25.
[16]357CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Sharp drop compared to the general Top 25.
[17]3320CWE-494: Download of Code Without Integrity Check
[18]3226[Cusp] CWE-749: Exposed Dangerous Method or Function
Not in the general Top 25.
[19]2925CWE-362: Race Condition
Sharp rise compared to the general Top 25.
[20]
(tie)
2923CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
[21]2817CWE-209: Information Exposure Through an Error Message
[22]2728[Cusp] CWE-212: Improper Cross-boundary Removal of Sensitive Data
Not in the general Top 25.
[23]
(tie)
2722CWE-732: Incorrect Permission Assignment for Critical Resource
[24]2636[Cusp] CWE-416: Use After Free
Not in the general Top 25.
[25]2529[Cusp] CWE-330: Use of Insufficiently Random Values
Not in the general Top 25.
[26]
(tie)
2537CWE-772: Missing Release of Resource after Effective Lifetime
Sharp rise - not in the general Top 25.
[27]2427CWE-307: Improper Restriction of Excessive Authentication Attempts
[28]
(tie)
2432CWE-476: NULL Pointer Dereference
[29]
(tie)
2433CWE-681: Incorrect Conversion between Numeric Types
[30]
(tie)
2413[Top25] CWE-754: Improper Check for Unusual or Exceptional Conditions
Sharp drop - in the general Top 25.
[31]
(tie)
2421[Top25] CWE-770: Allocation of Resources Without Limits or Throttling
Sharp drop - in the general Top 25.
[32]2230CWE-59: Improper Link Resolution Before File Access ('Link Following')
[33]
(tie)
2231CWE-134: Uncontrolled Format String
[34]
(tie)
2219[Top25] CWE-306: Missing Authentication for Critical Function
Sharp drop - in the general Top 25.
[35]2140CWE-672: Operation on a Resource after Expiration or Release
[36]1935CWE-454: External Initialization of Trusted Variables or Data Stores
[37]
(tie)
1939CWE-456: Missing Initialization
[38]
(tie)
1938CWE-799: Improper Control of Interaction Frequency
[39]1834CWE-426: Untrusted Search Path
[40]1541CWE-804: Guessable CAPTCHA
[41]715[Top25] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Sharp drop - in the general Top 25. Voters rarely use PHP in their organizations.

Notes

The first five entries are also in the first five slots of the General Top 25; the only difference is a change in the order of the first three places.

Notice how more subtle buffer errors rose sharply in comparison to the general list: CWE-190, CWE-131, and CWE-129. This may be a reflection of a larger percentage of C/C++ applications used by the participating vendors.

There may appear to be a conflict between the rise in buffer errors while CSRF, XSS, and SQL injection remain near the top. These weaknesses are not specific to web-based languages, and indeed, SQL injection is a problem for a broader range of software than just web-based applications. The ranking of XSS and CSRF may be due to their prevalence - even non-web software may have web-based components, such as a management interface. In addition, a large amount of web-based software is written using C or C++.

With respect to the absence of security features, there was generally a drop, e.g. for missing encryption (CWE-311) and missing authentication (CWE-306), along with reliance on untrusted inputs in a security decision (CWE-807). At the same time, the use of broken or risky encryption (CWE-327) had a sharp rise. Perhaps there is an increasing adoption of encryption, but the implementation is not always correct.

In comparison to the general list, the relatively high ranking of Exposed Dangerous Method or Function (CWE-749) and Use After Free (CWE-416) may reflect general trends in vulnerability research as seen in CVE, which has seen increases in both of these weaknesses in recent years.

Ranked by Importance - for Software Customers

This profile ranks weaknesses based primarily on their importance, as determined from the base voting data that was used to create the general list. Prevalence is included in the scores, but it has much less weighting than importance.

The two factors are:

* IMPORTANCE (Critical, High, Medium, Low)

* PREVALENCE (Widespread, High, Common, Limited)

For each vote, both IMPORTANCE and PREVALENCE are assigned values between 1 and 4 (in which 4 is equivalent to the highest rating, i.e., "Critical" or "Widespread.")

The individual sub-score for the weakness is then calculated using the formula:

(IMPORTANCE * IMPORTANCE) + PREVALENCE

All sub-scores for each weakness are added together to get a final score.

RankScoreCWE Entry
[1]676CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2]582CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[3]535CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[4]525CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[5]378CWE-434: Unrestricted Upload of File with Dangerous Type
[6]364CWE-352: Cross-Site Request Forgery (CSRF)
[7]350CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[8]336CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[9]324CWE-285: Improper Access Control (Authorization)
[10]322CWE-807: Reliance on Untrusted Inputs in a Security Decision
[11]304CWE-798: Use of Hard-coded Credentials
[12]300CWE-311: Missing Encryption of Sensitive Data
[13]281CWE-805: Buffer Access with Incorrect Length Value
[14]277CWE-306: Missing Authentication for Critical Function
[15]271CWE-129: Improper Validation of Array Index
[16]267CWE-131: Incorrect Calculation of Buffer Size
[17]261CWE-494: Download of Code Without Integrity Check
[18]244[Cusp] CWE-749: Exposed Dangerous Method or Function
Not in the general Top 25.
[19]241CWE-190: Integer Overflow or Wraparound
[20]225CWE-362: Race Condition
[21]224[Cusp] CWE-134: Uncontrolled Format String
Not in the general Top 25.
[22]
(tie)
224CWE-732: Incorrect Permission Assignment for Critical Resource
[23]223[Cusp] CWE-454: External Initialization of Trusted Variables or Data Stores
Not in the general Top 25.
[24]215[Cusp] CWE-212: Improper Cross-boundary Removal of Sensitive Data
Not in the general Top 25.
[25]
(tie)
215CWE-327: Use of a Broken or Risky Cryptographic Algorithm
[26]204[Top25] CWE-770: Allocation of Resources Without Limits or Throttling
In the general Top 25.
[27]203[Top25] CWE-754: Improper Check for Unusual or Exceptional Conditions
In the general Top 25.
[28]199[Top25] CWE-209: Information Exposure Through an Error Message
In the general Top 25.
[29]196CWE-426: Untrusted Search Path
[30]194CWE-330: Use of Insufficiently Random Values
[31]
(tie)
194[Top25] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
In the general Top 25.
[32]
(tie)
194CWE-681: Incorrect Conversion between Numeric Types
[33]192CWE-476: NULL Pointer Dereference
[34]189CWE-59: Improper Link Resolution Before File Access ('Link Following')
[35]184CWE-416: Use After Free
[36]180CWE-307: Improper Restriction of Excessive Authentication Attempts
[37]166CWE-456: Missing Initialization
[38]159CWE-772: Missing Release of Resource after Effective Lifetime
[39]150CWE-799: Improper Control of Interaction Frequency
[40]148CWE-672: Operation on a Resource after Expiration or Release
[41]127CWE-804: Guessable CAPTCHA

Weaknesses by Technical Impact

This profile lists weaknesses based on their technical impact, i.e., what an attacker can accomplish by exploiting each weakness.

Note that skilled attackers can combine multiple weaknesses into a single, larger attack that is more severe than any of its parts. For example, a minor information leak (CWE-209) might allow an attacker to determine the e-mail address of an administrator account, then use a CSRF attack (CWE-352) to leverage the administrator's privileges to upload a file with a dangerous extension (CWE-434) that allows code execution.

Since attack trees are difficult to model in a flat structure like the Top 25 list, the technical impact for each weakness is only measured in isolation.

KEY:

* Code - code or command execution can occur

* Info - sensitive information or data can be stolen

* Privs - access to a high-privileged account

* Bypass - bypass a security protection mechanism

* DoS - denial of service

CodeInfoPrivsBypassDoSCWE Entry
SometimesOftenSometimesRarelySometimesCWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
SometimesOftenSometimesRarelySometimesCWE-59: Improper Link Resolution Before File Access ('Link Following')
OftenSometimesSometimesRarelySometimesCWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OftenOftenSometimesSometimesRarelyCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OftenOftenSometimesOftenSometimesCWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OftenOftenSometimesRarelyRarelyCWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
OftenRarelySometimesRarelyOftenCWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
OftenSometimesSometimesRarelyOftenCWE-129: Improper Validation of Array Index
OftenSometimesSometimesRarelyOftenCWE-131: Incorrect Calculation of Buffer Size
OftenSometimesSometimesRarelyOftenCWE-134: Uncontrolled Format String
SometimesRarelyRarelyRarelySometimesCWE-190: Integer Overflow or Wraparound
RarelyOftenSometimesSometimesRarelyCWE-209: Information Exposure Through an Error Message
RarelyOftenRarelyRarelyRarelyCWE-212: Improper Cross-boundary Removal of Sensitive Data
RarelyOftenOftenOftenOftenCWE-285: Improper Access Control (Authorization)
SometimesSometimesOftenOftenSometimesCWE-306: Missing Authentication for Critical Function
RarelyRarelyOftenOftenOftenCWE-307: Improper Restriction of Excessive Authentication Attempts
SometimesOftenSometimesSometimesSometimesCWE-311: Missing Encryption of Sensitive Data
RarelyOftenSometimesOftenSometimesCWE-327: Use of a Broken or Risky Cryptographic Algorithm
RarelySometimesSometimesOftenRarelyCWE-330: Use of Insufficiently Random Values
RarelySometimesOftenOftenSometimesCWE-352: Cross-Site Request Forgery (CSRF)
SometimesSometimesOftenSometimesOftenCWE-362: Race Condition
SometimesRarelySometimesRarelyOftenCWE-416: Use After Free
OftenRarelyOftenSometimesRarelyCWE-426: Untrusted Search Path
OftenSometimesSometimesRarelyRarelyCWE-434: Unrestricted Upload of File with Dangerous Type
SometimesSometimesSometimesOftenRarelyCWE-454: External Initialization of Trusted Variables or Data Stores
SometimesRarelySometimesSometimesSometimesCWE-456: Missing Initialization
SometimesSometimesRarelyRarelyOftenCWE-476: NULL Pointer Dereference
OftenSometimesOftenOftenSometimesCWE-494: Download of Code Without Integrity Check
SometimesRarelyRarelyOftenSometimesCWE-601: URL Redirection to Untrusted Site ('Open Redirect')
SometimesSometimesSometimesRarelyOftenCWE-672: Operation on a Resource after Expiration or Release
SometimesRarelySometimesRarelySometimesCWE-681: Incorrect Conversion between Numeric Types
SometimesOftenSometimesSometimesSometimesCWE-732: Incorrect Permission Assignment for Critical Resource
OftenSometimesOftenRarelySometimesCWE-749: Exposed Dangerous Method or Function
SometimesSometimesSometimesSometimesOftenCWE-754: Improper Check for Unusual or Exceptional Conditions
RarelySometimesRarelyRarelyOftenCWE-770: Allocation of Resources Without Limits or Throttling
RarelyRarelyRarelySometimesOftenCWE-772: Missing Release of Resource after Effective Lifetime
RarelySometimesOftenOftenSometimesCWE-798: Use of Hard-coded Credentials
RarelyRarelySometimesSometimesOftenCWE-799: Improper Control of Interaction Frequency
RarelySometimesRarelyOftenOftenCWE-804: Guessable CAPTCHA
OftenOftenSometimesRarelyOftenCWE-805: Buffer Access with Incorrect Length Value
SometimesSometimesOftenOftenSometimesCWE-807: Reliance on Untrusted Inputs in a Security Decision

More information is available — Please select a different filter.
Page Last Updated: January 12, 2017