2010 CWE/SANS Top 25 Most Dangerous Programming Errors
The 2010 CWE (Common Weakness Enumeration) / SANS Top 25 Most Dangerous Programming Errors has been released. The full report should be required reading for all web programmers and testers. A PDF version is also available.
Here are the 25 items:
- Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
- Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’)
- Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
- Cross-Site Request Forgery (CSRF)
- Improper Access Control (Authorization)
- Reliance on Untrusted Inputs in a Security Decision
- Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- Unrestricted Upload of File with Dangerous Type
- Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’)
- Missing Encryption of Sensitive Data
- Use of Hard-coded Credentials
- Buffer Access with Incorrect Length Value
- Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)
- Improper Validation of Array Index
- Improper Check for Unusual or Exceptional Conditions
- Information Exposure Through an Error Message
- Integer Overflow or Wraparound
- Incorrect Calculation of Buffer Size
- Missing Authentication for Critical Function
- Download of Code Without Integrity Check
- Incorrect Permission Assignment for Critical Resource
- Allocation of Resources Without Limits or Throttling
- URL Redirection to Untrusted Site (‘Open Redirect’)
- Use of a Broken or Risky Cryptographic Algorithm
- Race Condition