Top 25 programming errors
What Errors Are Included in the Top 25? The Top 25 Errors are listed below in three categories:
* Category: Insecure Interaction Between Components (9 errors)
* Category: Risky Resource Management (9 errors)
* Category: Porous Defenses (7 errors)
Clicking "MORE" in any of the listings takes you to the relevant spot in the MITRE CWE site where you will find the following: * links to the full CWE entry data,
* data fields for weakness prevalence and consequences,
* remediation cost,
* ease of detection,
* attack frequency and attacker awareness
* related CWE entries
* related patterns of attack for this weakness.
Each entry at the Top 25 Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.
CATEGORY: Insecure Interaction Between Components
CWE-20: Improper Input ValidationIt's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations...MORE >> CWE-116: Improper Encoding or Escaping of Output
Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days...MORE >> CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
If attackers can influence the SQL that you use to communicate with your database, then they can...MORE >> CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications...If you're not careful, attackers can...MORE >> CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers...MORE >> CWE-319: Cleartext Transmission of Sensitive Information
If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many...MORE >> CWE-352: Cross-Site Request Forgery (CSRF)
With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim...MORE >> CWE-362: Race Condition
Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable...MORE >> CWE-209: Error Message Information Leak
If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data...MORE >> CATEGORY: Risky Resource Management CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're...MORE >> CWE-642: External Control of Critical State Data
There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can...MORE >> CWE-73: External Control of File Name or Path
When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could... MORE >> CWE-426: Untrusted Search Path
If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time....
0 comments
[ 4.3 ms ] story [ 11.8 ms ] threadNo comments yet.