The Common Weakness Enumeration (CWE) is a list of software security vulnerabilities found all throughout the software development industry. It’s a community-driven project maintained by MITRE, a non-profit research and development group. For each entry, the CWE provides a description of the vulnerability and steps for mitigating it.
MITRE partnered with the SANS Institute to develop the CWE/25, a list of the 25 most critical software vulnerabilities. A similar list is provided in the Open Web Application Security Project (OWASP) Top 10 Project, which is also a community-driven compilation of software vulnerabilities. Although the CWE/25 and OWASP Top 10 are different, they share many of the same vulnerabilities. Here is a list of the OWASP Top 10 entries for 2017 and their corresponding CWEs.
Overview
| OWASP Top 10 | SANS CWE 25 |
|---|---|
| A1: Injection |
|
| A2: Broken Authentication |
|
| A3: Sensitive Data Exposure |
|
| A4: XML External Entities |
|
| A5: Broken Access Control |
|
| A6: Security Misconfiguration |
|
| A7: Cross-Site Scripting (XSS) |
|
| A8: Insecure Deserialization |
|
| A9: Using Components with Known Vulnerabilities |
|
| A10: Insufficient Logging and Monitoring |
|
Details
A1: Injection
CWE-78: Improper Neutralization of Special Elements Used in an OS Command (‘OS Command Injection’)
Applications are vulnerable to command injection if they use any form of outside input when running a command on the host system. Malicious input could cause the command to run in unexpected ways, potentially compromising the entire OS.
CWE-89: SQL Injection
SQL injection occurs when an application uses outside input as part of a SQL query. An attacker can use this to run any number of SQL commands on the database, resulting in data retrieval or manipulation.
CWE-94: Code Injection
Applications that execute user input as code are susceptible to code injection. An attacker can embed code as part of their input and the application will execute it.
CWE-434: Unrestricted Upload of File with Dangerous Type
Certain file types can be interpreted by the server as executable files. For example, a PHP server that accepts and runs .php files is open to an attacker uploading and running arbitrary PHP code.
CWE-494: Download of Code Without Integrity Check
Software that uses code from outside sources (such as a third-party library) without verifying its integrity is susceptible to code injection. For instance, if the server hosting the library suddenly starts delivering a different library instead, the application has no way of knowing that this change has occurred until the library has already been integrated.
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Similar to CWE-494, this involves using code from outside sources. However, in this case, the code can’t be trusted to perform the actions it claims to perform. For instance, if your website uses a script from an untrusted website, your entire website is exposed to any malicious activity that the external script may perform.
A2: Broken Authentication
CWE-306: Missing Authentication for Critical Function
Commands that perform privileged actions or interact with sensitive data should always require authentication. If the software ignores the authentication step, attackers can run privileged actions without having to verify their identity.
CWE-307: Improper Restriction of Excessive Authentication Attempts
If a user fails to authenticate multiple times in a short period, the application should prevent the user from retrying until a certain amount of time has passed. If not, an attacker can continuously try different credentials, resulting in a brute force attack.
CWE-798: Use of Hard-coded Credentials
Hard-coded credentials are often used during testing or when authenticating the application with another service. An attacker who finds these credentials can use them to log in to the service, access sensitive data, or impersonate the application.
CWE-807: Reliance on Untrusted Inputs in a Security Decision
Certain “hidden” fields (such as cookies, environment variables, and hidden form fields) can be modified to contain values other than those expected by the application. Attackers can change these fields to fool or bypass security steps such as authentication or session management.
CWE-862: Missing Authorization
When performing any privileged action, the application should always perform an authorization check on the user that requested the action. Failing to do so can allow unprivileged users to access secure data or perform dangerous actions.
CWE-863: Incorrect Authorization
Authorization checks that aren’t properly implemented can be tricked or bypass by attackers.
A3: Sensitive Data Exposure
CWE-311: Missing Encryption of Sensitive Data
Sensitive data should be encrypted while in transit and while at rest. This way, anyone who accesses it won’t be able to see sensitive data without the decryption key.
CWE-319: Cleartext Transmission of Sensitive Information
Expanding on CWE-311, data should also be encrypted while being sent over a communication channel such as a network. Data sent over a network can be read by a third-party, meaning any unencrypted data can be read by an attacker.
A5: Broken Access Control
CWE-73: External Control of File Name or Path
User input should not be used to locate files on the server. Allowing user input to determine the path can result in the user accessing sensitive files.
CWE-285: Improper Authorization
Similar to CWE-863, improper authorization allows users to run commands without confirming the user’s identity. This occurs when an attacker performs an action that should require an authorization check, but doesn’t.
A6: Security Misconfiguration
CWE-250: Execution with Unnecessary Privileges
Applications should perform operations with the minimum necessary permissions. For example, writing to a file as an administrator instead of a normal user makes it possible to overwrite critical application and system files.
CWE-676: Use of Potentially Dangerous Function
Some functions can have negative effects when used incorrectly, allowing attackers to access system resources or cause errors.
CWE-732: Incorrect Permission Assignment for Critical Resource
Operations that create and manage resources (such as files) must assign the correct permissions to those resources. Failing to do so could allow unintentional access by other users.
A7: Cross-Site Scripting (XSS)
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-Site Scripting’)
Cross-site scripting (XSS) occurs when an attacker submits input that the application then renders as output. If the input contains code (such as JavaScript), that code will be executed in the browser that the page renders in.
A8: Insecure Deserialization
CWE-134: Use of Externally-Controlled Format String
Externally-controlled format strings can allow attackers to cause runtime errors or even write to the stack. Programs should only use static format strings.
A9: Using Components with Known Vulnerabilities
CWE-190: Integer Overflow or Wraparound
An integer overflow occurs when the value of a variable is too large for its type, causing it to “wrap around” to the type’s lower limit. This can have unexpected consequences in several operations including basic arithmetic, control looping, and memory operations.
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Cryptographic algorithms that are known to be insecure have several possible attack vectors. Using an insecure algorithm opens your application to these attacks, whereas more secure algorithms are less likely to be vulnerable.
CWE-759: Use of a One-way Hash Without a Salt
A salt is a random string used to improve security when hashing data such as a password. Without a salt, hashes can be reverse engineered more easily using brute force or rainbow tables.