SANS TOP 25
- Posted by Security Expert at Unical Systems
- Categories Blog
- Date December 14, 2023
Introduction
The SANS Institute, an esteemed collaborative hub for research and education in cybersecurity, meticulously compiles the SANS Top 25 Most Dangerous Software Errors. This distinguished catalog serves as a compendium of pervasive and high-impact errors that harbor the potential to engender severe vulnerabilities in software ecosystems. It is crucial to note that not all vulnerability types are universally applicable across diverse programming languages, accentuating the nuanced landscape of software security.
This compendium delves into multifaceted issues, encapsulating domains such as insecure component interactions, precarious resource management, and vulnerabilities within defensive mechanisms. The nuanced inclusion of these categories underscores the imperative to address vulnerabilities beyond the superficial layer, delving into intricate facets of software design and execution.
The identification and categorization of these errors within the SANS Top 25 serve as a beacon for the cybersecurity community, offering a roadmap to navigate the intricate terrain of software security. The emphasis on prevalent and critical errors underscores a proactive approach to fortify software against potential exploits, aligning with the overarching mission of the SANS Institute to disseminate knowledge and elevate the collective defense posture in the ever-evolving cybersecurity landscape.
CWE Top 25 Most Dangerous Software Errors
CWE-787
ID : CWE-787
Name :
Out-of-bounds Write
Description :
The product writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CWE-79
ID : CWE-79
Name :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description :
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
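The mitigation for this weakness is output encoding chosen for the context the value lands in. The following is an added example (not code from the page or from SANS/MITRE) using only the Python standard library; the comment string and the link-rendering helper are constructed for illustration. It shows the same untrusted comment rendered without and with escaping, and why an href needs a scheme check on top of escaping:

```python
import html

def render_comment_vulnerable(comment: str) -> str:
    # Vulnerable (CWE-79): untrusted text is concatenated straight into markup,
    # so any tags or attributes it contains become part of the page.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment: str) -> str:
    # html.escape(quote=True) encodes & < > " and ' so the browser treats the
    # value as text in both element-body and quoted-attribute contexts.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_profile_link_safe(user_url: str, label: str) -> str:
    # Escaping alone is not enough inside href: a javascript: URL survives
    # html.escape untouched, so the scheme is checked first (constructed policy).
    if not user_url.lower().startswith(("http://", "https://")):
        user_url = "#"
    return (f'<a href="{html.escape(user_url, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')

def has_live_tag(rendered: str, tag: str = "<script") -> bool:
    # Helper: did a tag survive rendering unescaped?
    return tag in rendered.lower()

# Constructed sample: a comment carrying markup that should only ever be shown as text.
SAMPLE_COMMENT = "Nice post! <script>alert(1)</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(render_profile_link_safe("javascript:alert(1)", "me"))
```

In a real application the escaping belongs in the template engine (with auto-escaping on), and a Content-Security-Policy header limits the damage when an escape is missed.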
CWE-89
ID : CWE-89
Name :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description :
The product constructs all or part of an SQL command using externally influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
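The standard fix is to keep the SQL text fixed and pass input as bound parameters, so the database never parses user data as part of the command. The following added example (not from the page; it uses Python's built-in sqlite3 with a constructed in-memory users table) puts the string-built query beside the parameterised one and shows how the same input behaves differently in each:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable (CWE-89): the input is spliced into the SQL text, so quote
    # characters in `name` change the structure of the statement.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the statement is constant and `name` travels as a bound
    # parameter; whatever it contains, it can only ever match a name column.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"          # input that rewrites the unparameterised query
    print(find_user_vulnerable(db, tampered))   # every row comes back
    print(find_user_safe(db, tampered))         # no user has that literal name
```

The same pattern applies to every driver: use the driver's placeholder syntax (`?`, `%s`, `:name`) and never concatenate identifiers or values; where table or column names must vary, map them through a fixed allowlist.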
CWE-416
ID : CWE-416
Name :
Use After Free
Description :
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CWE-78
ID : CWE-78
Name :
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description :
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-20
ID : CWE-20
Name :
Improper Input Validation
Description :
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
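CWE-78 and CWE-20 above are two sides of one defence: validate input against the grammar you expect, and then hand it to the operating system as a discrete argument rather than as text for a shell to parse. The following is an added example, not code from the page; the ping wrapper, the hostname pattern and the sample inputs are constructed for illustration. It builds the vulnerable shell string alongside the validated argv form:

```python
import re
import shlex
import subprocess

# Positive validation for a hostname: dot-separated labels of letters, digits
# and hyphens, 253 characters at most (constructed, RFC 1123 style).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def build_ping_vulnerable(host: str) -> str:
    # Vulnerable (CWE-78): a shell command line assembled from raw input. Any
    # shell metacharacter in `host` (; | & $ ` and so on) changes the command.
    return f"ping -c 1 {host}"

def validate_hostname(host: str) -> str:
    # CWE-20 mitigation: accept only what matches the expected grammar.
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host

def build_ping_argv(host: str) -> list:
    # Hardened: an argv list goes to the OS directly, no shell parses it, and
    # the argument has been validated first.
    return ["ping", "-c", "1", validate_hostname(host)]

def build_ping_shell_hardened(host: str) -> str:
    # If a shell is unavoidable (for example a pipeline), quote after validating.
    return f"ping -c 1 {shlex.quote(validate_hostname(host))}"

def run_ping(host: str) -> int:
    # shell=False is subprocess.run's default; the exit status is returned.
    return subprocess.run(build_ping_argv(host), check=False).returncode

def is_accepted(host: str) -> bool:
    try:
        validate_hostname(host)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for candidate in ("example.com", "example.com; id", "$(whoami).example.com"):
        print(repr(candidate), "accepted" if is_accepted(candidate) else "rejected")
```

Validation is a second line of defence, not a substitute for the argv form: a value that passes the pattern is still never interpreted by a shell in `build_ping_argv`.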
CWE-125
ID : CWE-125
Name :
Out-of-bounds Read
Description :
The product reads data past the end, or before the beginning, of the intended buffer.
CWE-22
ID : CWE-22
Name :
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description :
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
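The reliable check for this weakness is made on the canonical path, after joining and resolving, not on the raw string (rejecting `..` textually misses encoded variants and symlinks). The following added example is not from the page; it assumes a POSIX filesystem and constructs a temporary upload directory, including a symlink that points outside it, to exercise the check:

```python
import os
import tempfile

def resolve_under(base_dir: str, user_path: str) -> str:
    # Canonicalise the base once so symlinked base directories compare equal.
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        raise PermissionError(f"absolute paths are not allowed: {user_path!r}")
    # Join first, then canonicalise: '..' segments collapse and symlinks that
    # already exist are followed, so the check sees the real destination.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_path!r} resolves outside {base}")
    return target

def is_contained(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under(base_dir, user_path)
        return True
    except PermissionError:
        return False

def demo() -> dict:
    # Constructed sandbox: <tmp>/uploads (the restricted directory),
    # <tmp>/secret (outside it) and a symlink uploads/escape -> ../secret.
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")
    os.mkdir(base)
    os.mkdir(os.path.join(root, "secret"))
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("ok")
    os.symlink(os.path.join(root, "secret"), os.path.join(base, "escape"))
    return {
        "plain_file": is_contained(base, "report.txt"),
        "dotdot": is_contained(base, "../secret/x"),
        "absolute": is_contained(base, "/etc/hosts"),
        "symlink_escape": is_contained(base, "escape/x"),
        "dotdot_inside": is_contained(base, "sub/../report.txt"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:15} {'allowed' if allowed else 'rejected'}")
```

Note that a symlink created after the check still wins a race against a later open; where that matters, open the base directory once and use `os.open` with `dir_fd` and `O_NOFOLLOW`, or drop privileges to a user that cannot read outside the directory.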
CWE-352
ID : CWE-352
Name :
Cross-Site Request Forgery (CSRF)
Description :
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
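A synchroniser token is the usual way to establish that a state-changing request was intentionally made by the user: the server issues a value tied to the session, the page sends it back in the form, and the server compares in constant time. The following added example (not code from the page) uses only the standard library; the session identifier, secret key and form fields are constructed:

```python
import hashlib
import hmac
import secrets

def issue_csrf_token(session_id: str, secret_key: bytes) -> str:
    # A fresh nonce plus an HMAC binding it to this session; the server need
    # not store the token because it can recompute the MAC on verification.
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, secret_key: bytes, token) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):   # missing, None, or malformed token
        return False
    expected = hmac.new(secret_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many characters matched via timing.
    return hmac.compare_digest(expected, mac)

def handle_transfer(session_id: str, secret_key: bytes, form: dict) -> str:
    # The check comes before any side effect; a request from another origin
    # cannot read the token out of the user's page, so it cannot supply it.
    if not verify_csrf_token(session_id, secret_key, form.get("csrf_token")):
        return "403 Forbidden: CSRF token missing or invalid"
    return f"200 OK: transferred {form['amount']} to {form['to']}"

if __name__ == "__main__":
    KEY = secrets.token_bytes(32)        # constructed server secret
    token = issue_csrf_token("sess-1", KEY)
    print(handle_transfer("sess-1", KEY, {"amount": "10", "to": "bob"}))
    print(handle_transfer("sess-1", KEY, {"amount": "10", "to": "bob", "csrf_token": token}))
```

Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control; the token check is what the server can verify for itself.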
CWE-434
ID : CWE-434
Name :
Unrestricted Upload of File with Dangerous Type
Description :
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CWE-862
ID : CWE-862
Name :
Missing Authorization
Description :
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-476
ID : CWE-476
Name :
NULL Pointer Dereference
Description :
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
CWE-287
ID : CWE-287
Name :
Improper Authentication
Description :
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-190
ID : CWE-190
Name :
Integer Overflow or Wraparound
Description :
The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
CWE-502
ID : CWE-502
Name :
Deserialization of Untrusted Data
Description :
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
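Two practical defences follow from this description: prefer a data-only format with an explicit schema, and, if a native serialiser such as Python's pickle cannot be avoided, refuse to resolve any class or function reference during loading. The following added example (not from the page) shows both; the order schema and the sample payloads are constructed:

```python
import collections
import io
import json
import pickle

class RefuseGlobalsUnpickler(pickle.Unpickler):
    # Defence in depth: every class/function reference in a pickle stream goes
    # through find_class, so refusing here leaves only plain data structures.
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def loads_restricted(data: bytes):
    return RefuseGlobalsUnpickler(io.BytesIO(data)).load()

# Constructed schema for the one message type this endpoint accepts.
ORDER_SCHEMA = {"user": str, "amount": int}

def load_order(data: bytes) -> dict:
    # Preferred: a data-only format plus explicit validation of shape and types.
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != set(ORDER_SCHEMA):
        raise ValueError("unexpected field set")
    for field, expected in ORDER_SCHEMA.items():
        if type(obj[field]) is not expected:   # exact type: bool is a subclass of int
            raise ValueError(f"field {field!r} has wrong type")
    if obj["amount"] <= 0:
        raise ValueError("amount must be positive")
    return obj

def rejects(loader, data: bytes) -> bool:
    try:
        loader(data)
        return False
    except (ValueError, pickle.UnpicklingError):
        return True

# Constructed inputs: one pickle of plain data, one that references a class.
PLAIN_DATA_PICKLE = pickle.dumps({"user": "alice", "amount": 3})
GLOBAL_REF_PICKLE = pickle.dumps(collections.OrderedDict(user="alice"))

if __name__ == "__main__":
    print(loads_restricted(PLAIN_DATA_PICKLE))
    print("global reference rejected:", rejects(loads_restricted, GLOBAL_REF_PICKLE))
    print(load_order(b'{"user": "alice", "amount": 3}'))
```

The JSON path is the one to reach for: the restricted unpickler only narrows the attack surface of a format that was never designed to take untrusted input.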
CWE-77
ID : CWE-77
Name :
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description :
The product constructs all or part of a command using externally influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-119
ID : CWE-119
Name :
Improper Restriction of Operations within the Bounds of a Memory Buffer
Description :
The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
CWE-798
ID : CWE-798
Name :
Use of Hard-coded Credentials
Description :
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
CWE-918
ID : CWE-918
Name :
Server-Side Request Forgery (SSRF)
Description :
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-306
ID : CWE-306
Name :
Missing Authentication for Critical Function
Description :
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant number of resources.
CWE-362
ID : CWE-362
Name :
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Description :
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CWE-269
ID : CWE-269
Name :
Improper Privilege Management
Description :
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-94
ID : CWE-94
Name :
Improper Control of Generation of Code ('Code Injection')
Description :
The product constructs all or part of a code segment using externally influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-863
ID : CWE-863
Name :
Incorrect Authorization
Description :
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
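CWE-862 (no check) and CWE-863 (a check that asks the wrong question) usually show up together in object-level access: the handler verifies that the caller is logged in, or has some role, but never that the requested record belongs to them. The following added example (not code from the page) puts all three versions of one lookup side by side; users, invoices and roles are constructed:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int

# Constructed data: invoice 1 belongs to user 100, invoice 2 to user 200.
INVOICES = {1: Invoice(1, owner_id=100), 2: Invoice(2, owner_id=200)}

def get_invoice_missing_authz(user: User, invoice_id: int) -> Invoice:
    # CWE-862: any authenticated caller can read any invoice by id.
    return INVOICES[invoice_id]

def get_invoice_incorrect_authz(user: User, invoice_id: int) -> Invoice:
    # CWE-863: a check exists, but it tests the role, not ownership of the object.
    if user.role not in ("customer", "admin"):
        raise PermissionError("role not permitted")
    return INVOICES[invoice_id]

def get_invoice(user: User, invoice_id: int) -> Invoice:
    # Correct: the decision is made per object, against the caller's identity,
    # with the admin override stated explicitly rather than implied by a role list.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if user.role != "admin" and invoice.owner_id != user.id:
        raise PermissionError(f"user {user.id} does not own invoice {invoice_id}")
    return invoice

def can_access(lookup, user: User, invoice_id: int) -> bool:
    try:
        lookup(user, invoice_id)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    mallory = User(200, "customer")
    for fn in (get_invoice_missing_authz, get_invoice_incorrect_authz, get_invoice):
        print(fn.__name__, "lets user 200 read invoice 1:", can_access(fn, mallory, 1))
```

Returning the same 404 for "not found" and "not yours" is a further refinement that stops callers enumerating which ids exist.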
CWE-276
ID : CWE-276
Name :
Incorrect Default Permissions
Description :
During installation, installed file permissions are set to allow anyone to modify those files.
Conclusion
In essence, the SANS Top 25 Most Dangerous Software Errors, curated by the SANS Institute, is a pivotal cybersecurity resource. It systematically categorizes critical vulnerabilities in software, delving into complex issues like insecure component interactions and deficiencies in defensive mechanisms. Acknowledging language-specific vulnerabilities, it emphasizes the need for a tailored and vigilant approach across diverse programming environments. This compendium serves as a technical guide, advocating proactive measures to fortify software against potential exploits and contributing significantly to advancing collective defense capabilities in the dynamic landscape of cybersecurity.
Reference: https://www.sans.org/top25-software-errors/