BT

InfoQ Homepage News CWE/SANS Top 25 Programming Errors

CWE/SANS Top 25 Programming Errors

Bookmarks

Common Weakness Enumeration (CWE), a strategic initiative sponsored by the U.S. Department of Homeland Security, has published the document 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (PDF), a list of 25 code errors that lead, in authors’ opinion, to the worst software vulnerabilities.

While the OWASP Top Ten list, presented by InfoQ, focuses on web application security risks, the CWE Top 25 covers a broader range of issues including the famous buffer overrun vulnerability. CWE also provides more details needed for programmers to write more secure code.

The list is the result of collaboration between the SANS Institute, MITRE, and “many top software security experts in the US and Europe”. While the CWE website has a catalogue of over 800 programming, design and architectural errors, the CWE document is limited to top 25 items addressed to programmers in the first place, to help them write safer code. But the document can also be used by software designers, architects and even CIOs, which should be aware of these possible vulnerabilities and take appropriate measures.

Cross-site scripting (XSS) and SQL Injection are considered the weakest points in software, while the buffer overflow comes third, according to CWE:

Rank Name
1 Failure to Preserve Web Page Structure ('Cross-site Scripting')
2 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4 Cross-Site Request Forgery (CSRF)
5 Improper Access Control (Authorization)
6 Reliance on Untrusted Inputs in a Security Decision
7 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8 Unrestricted Upload of File with Dangerous Type
9 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10 Missing Encryption of Sensitive Data
11 Use of Hard-coded Credentials
12 Buffer Access with Incorrect Length Value
13 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
14 Improper Validation of Array Index
15 Improper Check for Unusual or Exceptional Conditions
16 Information Exposure Through an Error Message
17 Integer Overflow or Wraparound
18 Incorrect Calculation of Buffer Size
19 Missing Authentication for Critical Function
20 Download of Code Without Integrity Check
21 Incorrect Permission Assignment for Critical Resource
22 Allocation of Resources Without Limits or Throttling
23 URL Redirection to Untrusted Site ('Open Redirect')
24 Use of a Broken or Risky Cryptographic Algorithm
25 Race Condition

The authors do not believe their list is fixed in stone, recommending each organization to create its own list based on its own criteria. The document suggests a number of “Focus Profiles”, one of them being “Weaknesses by Language”:

C/C++ Java PHP Perl CWE Entry
High Mod High High CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Language-independent, but prevalence is reduced in sandboxed environments.
High Mod High High CWE-78: Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
Mod High High High CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
High High High High CWE-89: Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
    High   CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
  Technically this type of problem can happen in most interpreted languages, but it seems to be most prevalent in PHP.
High Ltd Ltd Ltd CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  Interpreters and native code, often built using C/C++, may be subject to buffer overflows that are reachable from higher-level language constructs that otherwise appear "safe."
High Ltd Ltd Ltd CWE-129: Improper Validation of Array Index
  Technically this can happen in many different languages, but it becomes security-relevant most often in C/C++ programs.
High Ltd Ltd Ltd CWE-131: Incorrect Calculation of Buffer Size
  Up-and-coming as simpler buffer overflows are eliminated. Interpreters and native code, often built using C/C++, may be subject to buffer overflows that are reachable from higher-level language constructs that otherwise appear "safe."
High Ltd Ltd Ltd CWE-190: Integer Overflow or Wraparound
  Technically this can happen in many different languages, but it becomes security-relevant most often in C/C++ programs.
Mod High High Mod CWE-209: Information Exposure Through an Error Message
  Language-independent but occurs frequently in web-based environments and in languages where error reporting is automatically performed externally.
High High High High CWE-285: Improper Access Control (Authorization)
Mod Mod Mod Mod CWE-306: Missing Authentication for Critical Function
  Prevalent in web-based environments.
High High High High CWE-311: Missing Encryption of Sensitive Data
High Mod High Mod CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  Some languages do not have built-in crypto or well-established libraries, leaving developers to build or integrate their own.
High High High High CWE-352: Cross-Site Request Forgery (CSRF)
  Web-based problem, which is language-independent.
High High Mod Ltd CWE-362: Race Condition
  Potential issue in any language that supports threading or interacts with OS system resources.
Ltd Mod High Ltd CWE-434: Unrestricted Upload of File with Dangerous Type
Ltd Mod Mod Ltd CWE-494: Download of Code Without Integrity Check
  Most often applicable to mobile code, although potentially present in any software that manages its own upgrades.
Mod Mod Mod Mod CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  Web-based problem, which is language-independent. Many web applications do not use redirect functionality.
High High High High CWE-732: Incorrect Permission Assignment for Critical Resource
High Ltd High High CWE-754: Improper Check for Unusual or Exceptional Conditions
  Less prevalent for languages where exception handling forces checks to occur.
High Mod Mod High CWE-770: Allocation of Resources Without Limits or Throttling
  Less problematic for environments with built-in resource management.
Mod Mod Mod Mod CWE-798: Use of Hard-coded Credentials
High       CWE-805: Buffer Access with Incorrect Length Value
  Interpreters and native interfaces, often built using C/C++, may have overflows that are reachable from otherwise-"safe" code.
High High High High CWE-807: Reliance on Untrusted Inputs in a Security Decision
  Language-independent, but very prevalent in web applications.

For each weakness the authors provide various information like: ranking, score summary, prevention and mitigation measures, related attack patterns, attack frequency, easy of detection, remediation costs and other information. A large portion of the document is dedicated to detailed description of each weakness, including technical details, code samples and prevention measures to be taken at architecture, design, implementation or operational level. For example, for the #1 weakness in the list, an excerpt of the information provided by the authors is:

Failure to Preserve Web Page Structure ('Cross-site Scripting') - “The software does not sufficiently validate, filter, escape, and encode user-controllable input before it is placed in output that is used as a web page that is served to other users.”

Weakness Prevalence High Consequences Code execution, Security bypass
Remediation Cost Low Ease of Detection Easy
Attack Frequency Often Attacker Awareness High

Detailed Technical Details including the three main types of Cross-site scripting (XSS): Reflected XSS (or Non-Persistent), Stored XSS (or Persistent), and DOM-Based XSS.

Code Samples, like this JSP example:

<% String eid = request.getParameter("eid"); %>

...

Employee ID: <%= eid %>

Detection Methods, like Automatic Static Analysis and Black Box.

For each weakness, the authors list several prevention measures like this one:

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Parts of the same output document may require different encodings, which will vary depending on whether the output is in the:

HTML body

Element attributes (such as src="XYZ")

URIs

JavaScript sections

Cascading Style Sheets and style property

etc. Note that HTML Entity Encoding is only appropriate for the HTML body.

Consult the XSS Prevention Cheat Sheet [REF-16] for more details on the types of encoding and escaping that are needed.

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors document also details the criteria used in selecting the top 25 weaknesses, a comparison to the same list generated in 2009, and a comparison to OWASP Top Ten 2010 RC1, a list of top 10 web application security vulnerabilities.

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

  • Crunching some numbers

    by Jim Leonardo /

    Your message is awaiting moderation. Thank you for participating in the discussion.

    Out of curiosity, I crunched the numbers. This is a bit artificial, so mileage may vary, but it is illuminating...
    Ltd = 0
    Mod = 1
    High = 2
    C/C++ = 39
    Java and Perl = 27
    PHP = 34

    I assume C#/VB.Net probably rank similar to Java?
    This may reflect more the size of the code base in the languages in question than any particular weakness of a language. There's more code written in C/C++, hence more of the top vulnerabilities are specific to C/C++.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT

Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
Country/Zone:
State/Province/Region:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.