2010 CWE/SANS Top 25: OWASP Education
Organizations
MITRE - http://www.mitre.org/
The MITRE Corporation is a not-for-profit organization that manages
several Federally Funded Research and Development Centers. Mitre
currently runs various IT security projects including the Common
Weakness Enumeration (CWE) and it is the official source for the
CWE/SANS Top 25 Most Dangerous Software Errors.
CWE Database - http://cwe.mitre.org/
SANS - http://www.sans.org
The SysAdmin, Audit, Network, Security (SANS) Institute operates as a commercial research and education company. SANS is well known for its Internet Storm Center, its comprehensive list of computing security training programs and its work with MITRE on the CWE/SANS Top 25 Most Dangerous Software Errors.
Selection and Ranking

2010 CWE/SANS Top 25
Rank  ID       Name
[1]   CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[2]   CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[3]   CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4]   CWE-352  Cross-Site Request Forgery (CSRF)
[5]   CWE-285  Improper Authorization
[6]   CWE-807  Reliance on Untrusted Inputs in a Security Decision
[7]   CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[8]   CWE-434  Unrestricted Upload of File with Dangerous Type
[9]   CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[10]  CWE-311  Missing Encryption of Sensitive Data
[11]  CWE-798  Use of Hard-coded Credentials
[12]  CWE-805  Buffer Access with Incorrect Length Value
SANS CWE Top 25
Rank  ID       Name
[13]  CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[14]  CWE-129  Improper Validation of Array Index
[15]  CWE-754  Improper Check for Unusual or Exceptional Conditions
[16]  CWE-209  Information Exposure Through an Error Message
[17]  CWE-190  Integer Overflow or Wraparound
[18]  CWE-131  Incorrect Calculation of Buffer Size
[19]  CWE-306  Missing Authentication for Critical Function
[20]  CWE-494  Download of Code Without Integrity Check
[21]  CWE-732  Incorrect Permission Assignment for Critical Resource
[22]  CWE-770  Allocation of Resources Without Limits or Throttling
[23]  CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
[24]  CWE-327  Use of a Broken or Risky Cryptographic Algorithm
[25]  CWE-362  Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
OWASP Top 10 & SANS CWE Top 25 mapping
OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
SANS CWE Top 25: http://www.sans.org/top25-software-errors/ and http://cwe.mitre.org/top25/

A1: Injection
  [2] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  [9] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A2: Cross-Site Scripting (XSS)
  [1] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A3: Broken Authentication and Session Management
  [19] CWE-306: Missing Authentication for Critical Function
  [11] CWE-798: Use of Hard-coded Credentials
A4: Insecure Direct Object References
  [5] CWE-285: Improper Authorization
  [6] CWE-807: Reliance on Untrusted Inputs in a Security Decision
  [7] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A5: Cross-Site Request Forgery (CSRF)
  [4] CWE-352: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
  [16] CWE-209: Information Exposure Through an Error Message (only partially covers the OWASP risk)
A7: Insecure Cryptographic Storage
  [10] CWE-311: Missing Encryption of Sensitive Data
  [24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm
A8: Failure to Restrict URL Access
  [5] CWE-285: Improper Authorization (also listed with OWASP A4)
  [21] CWE-732: Incorrect Permission Assignment for Critical Resource (CWE-732 covers a broader scope than OWASP A8)
A9: Insufficient Transport Layer Protection
  [10] CWE-311: Missing Encryption of Sensitive Data (also listed with OWASP A7)
  [24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm (also listed with OWASP A7)
A10: Unvalidated Redirects and Forwards
  [23] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
SANS CWE Top 25
The following do not directly map to the OWASP Top 10 2010:
[3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[8] CWE-434: Unrestricted Upload of File with Dangerous Type
[12] CWE-805: Buffer Access with Incorrect Length Value
[13] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[14] CWE-129: Improper Validation of Array Index
[15] CWE-754: Improper Check for Unusual or Exceptional Conditions
[17] CWE-190: Integer Overflow or Wraparound
[18] CWE-131: Incorrect Calculation of Buffer Size
[20] CWE-494: Download of Code Without Integrity Check
[22] CWE-770: Allocation of Resources Without Limits or Throttling
[25] CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Mapping Considerations
The SANS CWE Top 25 is only a fraction of the full CWE list of weaknesses

[1] CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
General Description
• The software does not properly neutralize user-controllable input before using it in a web page. Variants include:
  • Reflected: the software reads data directly from the HTTP request and reflects it back in the HTTP response
  • Stored: the software stores data in a database or other trusted data store and includes that data as part of a future web page
  • DOM: client-supplied input is inserted into an HTML response page by a client-side script that processed Document Object Model (DOM) data (e.g. document.location, document.URL, etc.)
Try this in your browser: <script>javascript:alert(document.cookie)</script>
Potential Impacts
Common Mitigations
• Properly neutralize all input from the client. Be sure to address all content used by the software that originated in an HTTP request
• Conduct all data validation and encoding on a trusted system (e.g., the server)
• Establish and enforce appropriate data type, range and length controls for all content
• Use a vetted library or framework to make it easier to generate properly encoded output, including Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket
E.g. output encoding: < becomes &lt;, > becomes &gt;, & becomes &amp; and " becomes &quot;
<script> -> &lt;script&gt; (markup)
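The output encoding described above, as an added example that is not code from the slides: the four-character mapping applied to a reflected parameter before it is written into an HTML body and a double-quoted attribute. The search-page template and the request value are constructed for the demo.

```python
# Added example, not code from the OWASP slides: the output encoding the
# slide describes, applied to a reflected parameter before it is written
# into an HTML body and into a double-quoted attribute.  The page template
# and the request value are constructed for the demo.

# The slide's mapping: < > & and the double quote become HTML entities.
ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}

def encode_for_html(value: str) -> str:
    """Neutralize text for an HTML body or a double-quoted attribute.
    '&' must be replaced first, otherwise the '&' of the entities produced
    for the other characters would be encoded a second time."""
    out = value.replace("&", ENTITIES["&"])
    for ch in '<>"':
        out = out.replace(ch, ENTITIES[ch])
    return out

def render_search_page(query: str, encode: bool = True) -> str:
    """Reflect the query into the page (hypothetical template).  With
    encode=False this is the reflected-XSS pattern the slide describes."""
    shown = encode_for_html(query) if encode else query
    return ('<input name="q" value="%s">' % shown +
            "<p>Results for %s</p>" % shown)

def contains_live_markup(page: str) -> bool:
    """Check helper: does the reflected text still form a script tag?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    # Constructed input modelled on the slide's reflected-XSS demo.
    payload = "<script>alert(document.cookie)</script>"
    print(render_search_page(payload, encode=False))  # tag survives
    print(render_search_page(payload))                # rendered as text
```

The standard library's html.escape(value, quote=True) produces the same entities and additionally encodes the single quote, which matters once the value lands in a single-quoted attribute.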

[2] CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
General Description
• The software constructs a dynamic SQL statement using input that has not been properly neutralized
• Example of dynamic query modification:
    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
• The attacker modifies the 'id' parameter in their browser to send: ' or '1'='1
• This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer's
• http://example.com/app/accountView?id=' or '1'='1
Potential Impacts
Common Mitigations
• Use a safe API to avoid using the interpreter entirely or to provide a parameterized interface
• Use strongly typed parameterized queries
    String sqlString = "select * from db_user where username=? …
    PreparedStatement stmt = connection.prepareStatement(sqlString);
    stmt.setString(1, username); …
• Input validation: validate and filter user input to remove special characters
    ' " ` ; * % _ =&\|*?~<>^()[]{}$\n\r
• Utilize output encoding
• Turn off all unnecessary database functionality
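The dynamic query from the description and the parameterized form from the mitigations, as an added example that is not code from the slides: the same accounts lookup is run both ways against an in-memory SQLite table with the slide's id value. The table rows and customer IDs are constructed for the demo.

```python
# Added example, not code from the OWASP slides: the slide's dynamic query
# rebuilt against an in-memory SQLite table, next to the parameterized
# form and the input-validation check.  Rows and IDs are constructed.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn

def account_view_dynamic(conn: sqlite3.Connection, cust_id: str) -> list:
    """Vulnerable: mirrors the slide's string concatenation, so quote
    characters in cust_id become part of the SQL statement."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def account_view_parameterized(conn: sqlite3.Connection, cust_id: str) -> list:
    """Mitigated: the value is bound to a placeholder, so it is compared as
    data and can never change the statement's structure."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?",
                        (cust_id,)).fetchall()

def validate_cust_id(cust_id: str) -> bool:
    """Defence in depth from the slide: reject special characters up front."""
    return cust_id.isalnum() and 0 < len(cust_id) <= 32

if __name__ == "__main__":
    conn = make_db()
    injected = "' or '1'='1"                         # the slide's id value
    print(account_view_dynamic(conn, injected))        # every row comes back
    print(account_view_parameterized(conn, injected))  # no row matches
    print(validate_cust_id(injected))                  # rejected before the query
```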

[3] CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
General Description
Example: C
    #include <stdio.h>
    int main(void) {
        char last_name[20];               /* declare array with 20 character limit */
        printf("Enter your last name: ");
        scanf("%s", last_name);           /* get input (no limit) and store in array */
    }
The software does not limit the size of the name entered by the user, so an entry of more than 20 characters will cause a buffer overflow, since the "last_name" array can only hold 20 characters
Potential Impacts
Common Mitigations
• Use a language that does not allow this weakness to occur (e.g., Java)
• Use a vetted library or framework that helps prevent this weakness (e.g., the Strsafe.h library from Microsoft)
• Use a compiler with features or extensions that provide a protection mechanism against buffer overflows
• Ensure the destination buffer size is equal to or larger than the source buffer size
• Utilize input validation to enforce length limits

[4] CWE-352
Cross-Site Request Forgery (CSRF)
General Description
• If the software does not sufficiently verify that the user "intentionally" submitted a request, a user with an active session may be tricked into executing an unintended action on the software. The URL and its required parameters must be known to the attacker
Potential Impacts
• Attackers can cause the victim to execute any action the victim is authorized to perform
Common Mitigations

[5] CWE-285
Improper Authorization
General Description
Potential Impacts
Common Mitigations

[6] CWE-807
Reliance on Untrusted Inputs in a Security Decision
General Description
Potential Impacts
Common Mitigations

[7] CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
General Description
Potential Impacts
Common Mitigations
• Properly neutralize all input from the client, especially path characters (., /, \) and null bytes (%00)
• Conduct all data validation and encoding on a trusted system (e.g., the server)
• Reduce input encodings and representations of data to a single simple form before validating
• Use parameterized placeholders that map to the target instead of actual file names or paths (e.g., the client only sees id=1; on the server, id 1 maps to file.txt)

[8] CWE-434
Unrestricted Upload of File with Dangerous Type
General Description
• The software allows the uploading or transfer of files of dangerous types that can be automatically processed within the product's environment
• In a web application the intent may be to allow users to upload image files. However, if proper validation of the file type is not done, the user may upload something else, like malicious.php, and then access that file to gain unauthorized privileges. The malicious.php file could do anything, including providing access to the host OS:
Example: PHP
    <?php
    system($_GET['cmd']);
    ?>
Potential Impacts
Common Mitigations
• The software should generate its own filename for an uploaded file instead of using the user-supplied filename
• Validate that uploaded files are the expected type by checking file headers
• Prevent or restrict the uploading of any file that may be interpreted by the web server
• Turn off execution privileges on file upload directories
• Do not save files in the same web context as the application
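The description's malicious.php scenario and the mitigations above, as an added example that is not code from the slides: the upload is accepted only when its file header matches an expected image type, and it is written under a server-generated name without an execute bit. The image signatures, the storage directory and the sample bytes are constructed for the demo; a real service would keep upload_dir outside the web root.

```python
# Added example, not code from the OWASP slides: validating an upload by
# its file header (magic bytes) instead of the client's filename, then
# storing it under a server-generated name with mode 0o600 (no execute
# bit).  Signatures, storage directory and sample bytes are constructed.
import os
import secrets
import tempfile

# Header signatures of the image types the application expects to receive.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def detect_image_type(data: bytes):
    """Return the type implied by the header, or None if none matches."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def store_upload(data: bytes, upload_dir: str) -> str:
    """Accept only header-verified images and write them under a random
    server-chosen name, so a client name like malicious.php is never used."""
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("upload rejected: not a recognised image header")
    name = secrets.token_hex(16) + "." + ext
    path = os.path.join(upload_dir, name)
    # 0o600: readable by the service only, never executable;
    # O_EXCL refuses to overwrite an existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name

def demo() -> tuple:
    """One accepted and one rejected upload; returns (stored_name, rejected)."""
    upload_dir = tempfile.mkdtemp()                  # stand-in storage directory
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # constructed PNG header
    name = store_upload(png, upload_dir)
    try:
        # The slide's PHP shell, submitted with an image extension.
        store_upload(b"<?php system($_GET['cmd']); ?>", upload_dir)
        rejected = False
    except ValueError:
        rejected = True
    return name, rejected

if __name__ == "__main__":
    print(demo())
```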

[9] CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
General Description
• The software constructs all or part of an OS command using input that has not been properly neutralized
• Variants include:
  • The software intends to execute a single, fixed program that is under its own control, using externally-supplied inputs as arguments to that program. However, if the program does not remove command separators from the input, separators placed in the argument can cause additional programs to be executed
  • The software accepts an input that it uses to fully select which program to run, as well as which commands to use. The application redirects this entire command to the operating system
Potential Impacts
Common Mitigations

[10] CWE-311
Missing Encryption of Sensitive Data
General Description
Potential Impacts
Common Mitigations

[11] CWE-798
Use of Hard-coded Credentials
General Description
Potential Impacts
Common Mitigations

[12] CWE-805
Buffer Access with Incorrect Length Value
General Description
Potential Impacts
Common Mitigations
• Use a language that does not allow this weakness to occur (e.g., Java)
• Use a vetted library or framework that helps prevent this weakness (e.g., the Strsafe.h library from Microsoft)
• Use a compiler with features or extensions that provide a protection mechanism against buffer overflows
• Ensure the destination buffer size is equal to or larger than the source buffer size
• Utilize input validation to enforce length limits

[13] CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
OWASP Top 10 and PCI Mapping
General Description
Potential Impacts
• Execution of arbitrary code
• Ability to gain additional privileges that could lead to a complete compromise of the software's security controls
Common Mitigations
• Properly neutralize all input from the client, especially path characters (., /, \) and null bytes (%00)
• Conduct all data validation and encoding on a trusted system (e.g., the server)
• Use parameterized placeholders that map to the target instead of actual file names or paths (e.g., the client only sees id=1; on the server, id 1 maps to file.txt)
• Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system
• Set allow_url_fopen to false, which limits the ability to include files from remote locations
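The mitigations shared by CWE-22 (path traversal) and CWE-98 (PHP file inclusion), as an added example that is not code from the slides: resolve_under() rejects null bytes and canonicalizes a client-supplied path before checking that it stays inside the restricted directory, and include_by_id() implements the id=1 -> file.txt placeholder mapping so that no client text reaches the file system at all. The directory, the page table and the file contents are constructed for the demo.

```python
# Added example, not code from the OWASP slides: canonicalize-then-check
# confinement of a client-supplied path, and the id-to-file placeholder
# mapping both slides recommend.  Directory, table and contents are constructed.
import os
import tempfile

def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the canonical target, or raise if it escapes base_dir."""
    if "\x00" in user_path:                    # %00 after URL decoding
        raise ValueError("null byte in path")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and symlinks; join() discards base for an
    # absolute user_path, which the prefix check below then catches.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the restricted directory")
    return target

def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under() for checks and logging."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False

# Placeholder mapping from the slide: the client only ever sends an id.
PAGE_MAP = {"1": "file.txt", "2": "about.txt"}

def include_by_id(base_dir: str, page_id: str) -> str:
    """Look the id up in a fixed table; unknown ids are refused outright."""
    if page_id not in PAGE_MAP:
        raise ValueError("unknown page id")
    with open(os.path.join(base_dir, PAGE_MAP[page_id]), encoding="utf-8") as f:
        return f.read()

def demo() -> str:
    pages = tempfile.mkdtemp()                 # stand-in for the pages directory
    with open(os.path.join(pages, "file.txt"), "w", encoding="utf-8") as f:
        f.write("constructed page 1")
    return include_by_id(pages, "1")

if __name__ == "__main__":
    print(is_confined("/srv/app/pages", "file.txt"))          # inside
    print(is_confined("/srv/app/pages", "../../outside.txt"))  # escapes
    print(demo())
```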

[14] CWE-129
Improper Validation of Array Index
General Description
Potential Impacts
• System crash
• Allow for the execution of arbitrary code
• Unauthorized access to read or modify data
Common Mitigations
• Use program level exception handlers if they are available (e.g., Java, Ruby)
• Utilize input validation to enforce length and range limits
• Conduct all data validation and encoding on a trusted system (e.g., the server)
• Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system

[15] CWE-754
Improper Check for Unusual or Exceptional Conditions
General Description
Potential Impacts
• System crash
• Allow for the execution of arbitrary code
• Unauthorized access to read or modify data
Common Mitigations
• Use program level exception handlers if they are available (e.g., Java, Ruby)
• Check the results of all functions that return a value and verify that the value is expected
• Ensure that error messages only contain minimal details that are useful to the intended audience
• If the program must fail, ensure it fails securely
• Ensure the software can handle low resource conditions

[16] CWE-209
Information Exposure Through an Error Message
General Description
Potential Impacts
Common Mitigations
• Use program level exception handlers if they are available (e.g., Java, Ruby)
• Ensure that error messages only contain minimal details that are useful to the intended audience. Error messages to users should not display system details, session identifiers, account information, debugging or stack trace information
• In web applications implement generic error messages and use custom error pages

[17] CWE-190
Integer Overflow or Wraparound
General Description
Potential Impacts
• System crash
• Allow for the execution of arbitrary code
• Data corruption
Common Mitigations
• Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol
• Use libraries or frameworks that make it easier to handle numbers without unexpected consequences (e.g., SafeInt (C++) or IntegerLib (C or C++))
• Utilize input validation to enforce length and range limits
• Conduct all data validation and encoding on a trusted system (e.g., the server)

[18] CWE-131
Incorrect Calculation of Buffer Size
General Description
• The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow
Example: C
    #include <stdlib.h>
    int main(void) {
        int *id_sequence;
        id_sequence = (int *) malloc(3);   /* 3 bytes requested, not room for 3 ints */
        if (id_sequence == NULL) exit(1);
        id_sequence[0] = 13579;            /* each store writes sizeof(int) bytes */
        id_sequence[1] = 24680;
        id_sequence[2] = 97531;
        free(id_sequence);
    }
The size parameter used during the malloc() call is set to '3', which results in a buffer of 3 bytes. The intent was to create a buffer that holds three ints, and in C each int requires 4 bytes, so an array of 12 bytes is needed. Executing the above code could result in a buffer overflow, as 12 bytes of data are being saved into 3 bytes worth of allocated space
Potential Impacts
• System crash
• Allow for the execution of arbitrary code
• Unauthorized access to read or modify data
Common Mitigations

[19] CWE-306
Missing Authentication for Critical Function
General Description
• The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources
Potential Impacts
Common Mitigations

[20] CWE-494
Download of Code Without Integrity Check
General Description
This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum.
Potential Impacts
Common Mitigations
• Perform proper forward and reverse DNS lookups to detect DNS spoofing
• Encrypt the code with a reliable encryption scheme before transmitting
• Perform integrity checking on the transmitted code
• Use code signing technologies such as Authenticode
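The "integrity checking on the transmitted code" mitigation, as an added example that is not code from the slides: downloaded plugin source is executed only if its SHA-256 digest matches a digest pinned in advance. The plugin source and its digest are constructed here; in a real deployment the pinned digest arrives over a channel the download cannot alter, such as a signed manifest or the code signing the slide lists.

```python
# Added example, not code from the OWASP slides: refuse to load downloaded
# code whose digest does not match the pinned value.  TRUSTED_SOURCE and
# PINNED_DIGEST are constructed for the demo; the digest would really come
# from a signed manifest or code-signing certificate, not from the download.
import hashlib
import hmac
import types

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed plugin and the digest its distributor would publish for it.
TRUSTED_SOURCE = b"def greet():\n    return 'hello from trusted plugin'\n"
PINNED_DIGEST = sha256_hex(TRUSTED_SOURCE)

def load_plugin(downloaded: bytes, pinned_digest: str) -> types.ModuleType:
    """Execute the downloaded code only if its digest matches the pinned one."""
    actual = sha256_hex(downloaded)
    # compare_digest does not leak the position of a mismatch through timing.
    if not hmac.compare_digest(actual, pinned_digest):
        raise ValueError("integrity check failed, refusing to load")
    module = types.ModuleType("plugin")
    exec(compile(downloaded, "<plugin>", "exec"), module.__dict__)
    return module

def try_load(downloaded: bytes) -> str:
    """Return the plugin's greeting, or a rejection message."""
    try:
        return load_plugin(downloaded, PINNED_DIGEST).greet()
    except ValueError as err:
        return "rejected: " + str(err)

if __name__ == "__main__":
    print(try_load(TRUSTED_SOURCE))
    # The same download altered in transit: one word changed, same file name.
    print(try_load(TRUSTED_SOURCE.replace(b"hello", b"owned")))
```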

[21] CWE-732
Incorrect Permission Assignment for Critical Resource
General Description
Potential Impacts
Common Mitigations

[22] CWE-770
Allocation of Resources Without Limits or Throttling
General Description
Potential Impacts
• Denial of service
Common Mitigations

[23] CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
General Description
This page could be used as part of a phishing scam by initiating on a trusted domain but redirecting users to a malicious site. An attacker could supply a user with the following link:
http://example.com/example.php?url=http://malicious.example.com
This is the same URL, only obfuscated with URL encoding to mask the off-site redirect:
http://example.com/example.php?url=%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%69%6f%75%73%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d
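A server-side check for the url parameter of a redirect endpoint like the example.php above, as an added example that is not code from the slides: the value is percent-decoded until it no longer changes, so the obfuscated form is judged exactly like the plain one, and it is then compared with an allow-list of hosts. ALLOWED_HOSTS and DEFAULT_TARGET are constructed for the demo.

```python
# Added example, not code from the OWASP slides: decode the url parameter
# fully, then allow only site-relative paths or absolute URLs on
# allow-listed hosts.  ALLOWED_HOSTS and DEFAULT_TARGET are constructed.
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo layered percent-encoding (%2568 -> %68 -> h) before checking."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_redirect_target(url_param: str) -> str:
    """Return the requested target if it stays on this site, else DEFAULT_TARGET."""
    target = fully_decode(url_param).strip()
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path; '//host/...' would be a scheme-less absolute URL.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return DEFAULT_TARGET
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return DEFAULT_TARGET

if __name__ == "__main__":
    # The two url values from the slide, plain and percent-encoded.
    plain = "http://malicious.example.com"
    encoded = ("%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%69%6f%75%73"
               "%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d")
    print(fully_decode(encoded) == plain)      # both forms decode to the same host
    print(safe_redirect_target(plain), safe_redirect_target(encoded))
    print(safe_redirect_target("/account"), safe_redirect_target("http://example.com/account"))
```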
Potential Impacts
Common Mitigations

[24] CWE-327
Use of a Broken or Risky Cryptographic Algorithm
General Description
Potential Impacts
Common Mitigations

[25] CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
General Description
• The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently
• This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider
Potential Impacts
Common Mitigations