The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE’s Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security’s National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.
| Rank | Score | ID | Name |
|---|---|---|---|
| [1] | 93.8 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| [2] | 83.3 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| [3] | 79.0 | CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) |
| [4] | 77.7 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| [5] | 76.9 | CWE-306 | Missing Authentication for Critical Function |
| [6] | 76.8 | CWE-862 | Missing Authorization |
| [7] | 75.0 | CWE-798 | Use of Hard-coded Credentials |
| [8] | 75.0 | CWE-311 | Missing Encryption of Sensitive Data |
| [9] | 74.0 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| [10] | 73.8 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| [11] | 73.1 | CWE-250 | Execution with Unnecessary Privileges |
| [12] | 70.1 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| [13] | 69.3 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| [14] | 68.5 | CWE-494 | Download of Code Without Integrity Check |
| [15] | 67.8 | CWE-863 | Incorrect Authorization |
| [16] | 66.0 | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
| [17] | 65.5 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| [18] | 64.6 | CWE-676 | Use of Potentially Dangerous Function |
| [19] | 64.1 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| [20] | 62.4 | CWE-131 | Incorrect Calculation of Buffer Size |
| [21] | 61.5 | CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| [22] | 61.1 | CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) |
| [23] | 61.0 | CWE-134 | Uncontrolled Format String |
| [24] | 60.3 | CWE-190 | Integer Overflow or Wraparound |
| [25] | 59.9 | CWE-759 | Use of a One-Way Hash without a Salt |