We can develop more secure software by focusing on the most common pitfalls. The Common Weakness Enumeration (CWE) is an important system that we use to identify and describe weaknesses in software, firmware and hardware. The CWE Top 25 Most Dangerous Software Weaknesses is a list that focuses on the most common and impactful weaknesses that every developer should be looking out for. Familiarizing yourself with these common issues can help you create better and more secure software.
1. CWE-787 Out-of-bounds write
Coming in at number 1, we have CWE-787 out-of-bounds write. This error involves writing data that either precedes or extends past the intended buffer. It can lead to code execution, crashing, or corruption of data.
2. CWE-79 Improper neutralization of input during web page generation (cross-site scripting)
Cross-site scripting occurs when untrusted user inputs are displayed on web pages to other users. It allows attackers to do things like spread malware or access sensitive data.
3. CWE-89 Improper neutralization of special elements used in an SQL command ('SQL Injection')
SQL injections allow attackers to modify the SQL queries so that they can do things like execute commands. They are the result of improperly validating user inputs.
4. CWE-416 Use after free
Using previously-freed memory can lead to arbitrary code execution, the corruption of valid data and more. This error is generally caused by error conditions or confusion regarding which aspect of the software bears responsibility for freeing memory.
5. CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')
This error allows attackers to execute OS commands on the server running an application, and it can lead to the compromise of both the app and its data.
6. CWE-20 Improper input validation
If user inputs aren’t validated appropriately, attackers may be able to craft unexpected inputs and perform things like arbitrary code execution.
7. CWE-125 Out-of-bounds read
Out-of-bounds read can allow attackers to read memory locations outside of the intended buffer. This has the potential to leak sensitive information or cause crashes.
8. CWE-22 Improper limitation of a pathname to a restricted directory ('path traversal')
This involves an attacker using special elements to escape a restricted location and access other directories or files. Improperly limiting pathnames can lead to sensitive data becoming exposed.
9. CWE-352 Cross-site request forgery (CSRF)
When web servers have insufficient mechanisms for verifying requests, attackers may be able to trick clients into making unintended requests using the clients’ credentials. The web server will treat it as a legitimate client request, even if the client has no idea about the subterfuge. CSRF attacks can lead to things like data exposure or code execution.
10. CWE-434 Unrestricted upload of file with dangerous type
Without the proper restrictions, attackers may be able to transfer or upload malicious files that could compromise the system.
11. CWE-862 Missing authorization
Users may be able to access resources that they should not be allowed to view if insufficient authorization checks are in place.
12. CWE-476 NULL pointer dereference
Flaws such as programming omissions and race conditions can lead to null pointer dereference errors. These involve applications dereferencing pointers that are expected to be valid but are NULL instead. NULL pointer dereference can result in exits or crashes.
13. CWE-287 Improper authentication
When insufficient authorization mechanisms are in place, an attacker may be able to claim a false identity and access systems under the false identity
14. CWE-190 Integer overflow or wraparound
Integer overflows occur when the result of a computation is larger than expected and wraps around to become a small or negative number. This type of unexpected result can cause security issues if the result is supposed to be used in making security decisions, determining behavior sizes or behaviors in memory allocation, or in control looping.
15. CWE-502 Deserialization of untrusted data
Objects are often serialized into specific formats for storage or communication. Deserialization reverses the process and turns the data back into an object. Attackers may be able to modify serialized data. If untrusted data is deserialized without sufficient verification, then attackers may be able to generate shells and perform other unauthorized acts.
16. CWE-77 Improper neutralization of special elements used in a command ('command injection')15. CWE-502 Deserialization of untrusted data
Command injection occurs when an attacker inputs a string of executable data into an application. The string is executed, which then gives the attacker unauthorized privileges or capabilities. It generally occurs because of insufficient neutralization of special elements.
17. CWE-199 Improper restriction of operations within the bounds of a memory buffer
If it’s possible to directly address memory locations that are outside the intended memory buffer, it can cause a range of problems. These range from system crashes to allowing attackers to execute arbitrary code.
18. CWE-798 Use of hard-coded credentials
If credentials such as keys or passwords are hard coded into a product, attackers may be able to use them to bypass authentication.
19. CWE-918 Server-side request forgery (SSRF)
This vulnerability allows attackers to leverage the server to make requests to unexpected locations. An example involves an attacker using the server to make requests to an organization’s internal services.
20. CWE-306 Missing authentication for critical function
When authentication is missing, an attacker may be able to use a function in an unauthorized manner, allowing them to access sensitive systems or data.
21. CWE-362 Concurrent execution using shared resource with improper Synchronization ('race condition')
When requests are processed concurrently without adequate protections it can cause unintended behavior in an application. These race conditions allow attackers to perform a range of malicious actions.
22. CWE-269 Improper privilege management
If user privileges aren’t assigned, monitored or checked appropriately, users may be able to perform unintended actions.
23. CWE-94 Improper control of generation of code ('code injection')
Code injection occurs when a user is able to craft code into an input that results in changing the intended flow of an app. It may allow arbitrary code injection.
24. CWE-863 Incorrect authorization
If authorization isn’t conducted appropriately, users may be able to access resources that they should not be authorized to view or use.
25. CWE-276 Incorrect default permissions
If default permissions are set incorrectly, anyone may be able to modify files.
