2011 CWE/SANS Top 25 Most Dangerous Software Errors
The MITRE Corporation Copyright © 2011
cwe.mitre.org/top25/
|
|
Document version: 1.0.3 (pdf) |
Date: September 13, 2011 |
Project Coordinators:
Bob Martin (MITRE) Mason Brown (SANS) Alan Paller (SANS) Dennis Kirby (SANS)
|
Document Editor:
Steve Christey (MITRE)
|
Introduction
Introduction
The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of
the most widespread and critical errors that can lead to serious
vulnerabilities in software. They are often easy to find, and easy to
exploit. They are dangerous because they will frequently allow
attackers to completely take over the software, steal data, or prevent
the software from working at all.
The Top 25 list is a tool for education and awareness to help
programmers to prevent the kinds of vulnerabilities that plague the
software industry, by identifying and avoiding all-too-common mistakes
that occur before software is even shipped. Software customers can
use the same list to help them to ask for more secure software.
Researchers in software security can use the Top 25 to focus on a
narrow but important subset of all known security weaknesses.
Finally, software managers and CIOs can use the Top 25 list as a
measuring stick of progress in their efforts to secure their software.
The list is the result of collaboration between the SANS Institute,
MITRE, and many top software security experts in the US and Europe.
It leverages experiences in the development of the SANS Top 20 attack
vectors (www.sans.org/top20/) and MITRE's Common Weakness
Enumeration (CWE) (cwe.mitre.org/). MITRE maintains the CWE
web site, with the support of the US Department of Homeland Security's
National Cyber Security Division, presenting detailed descriptions of
the top 25 programming errors along with authoritative guidance for
mitigating and avoiding them. The CWE site contains data on more than
800 programming errors, design errors, and architecture errors that
can lead to exploitable vulnerabilities.
The 2011 Top 25 makes improvements to the 2010
list, but the spirit and goals remain the same. This year's Top 25
entries are prioritized using inputs from over 20
different organizations, who evaluated each weakness based on
prevalence, importance, and likelihood of exploit. It uses
the Common Weakness Scoring System (CWSS) to score and
rank the final results. The Top 25 list covers a small set of the
most effective "Monster Mitigations," which help
developers to reduce or eliminate entire groups of the Top 25
weaknesses, as well as many of the hundreds of weaknesses that are
documented by CWE.
Table of Contents
Table of Contents
- Guidance for Using the Top 25
- Brief Listing of the Top 25
- Category-Based View of the Top 25
- Organization of the Top 25
- Detailed CWE Descriptions
- Monster Mitigations
- Appendix A: Selection Criteria and Supporting Fields
- Appendix B: What Changed in the 2011 Top 25
- Appendix C: Construction, Selection, and Scoring of the Top 25
- Appendix D: Comparison to OWASP Top Ten 2010
- Appendix E: Other Resources for the Top 25
- Changes to This Document
Guidance for Using the Top 25
Guidance for Using the Top 25
Here is some guidance for different types of users of the Top 25.
User | Activity |
Programmers new to security
|
Read the brief listing, then examine the
Monster Mitigations section to see how a small
number of changes in your practices can have a big impact on the Top
25.
Pick a small number of weaknesses to work with first, and see the
Detailed CWE Descriptions for more information on the
weakness, which includes code examples and specific mitigations.
| Programmers who are experienced in security
|
Use the general Top 25 as a checklist of reminders, and note the
issues that have only recently become more common. Consult the See
the On the Cusp page for other weaknesses that did
not make the final Top 25; this includes weaknesses that are only
starting to grow in prevalence or importance.
If you are already familiar with a particular weakness, then consult
the Detailed CWE Descriptions and see the "Related
CWEs" links for variants that you may not have fully considered.
Build your own Monster Mitigations section so
that you have a clear understanding of which of your own mitigation
practices are the most effective - and where your gaps may lie.
Consider building a custom "Top n" list that fits your needs and
practices. Consult the Common Weakness Risk
Analysis Framework (CWRAF) page for a general framework for building
top-N lists, and see Appendix C for a description
of how it was done for this year's Top 25. Develop your own nominee
list of weaknesses, with your own prevalence and importance factors -
and other factors that you may wish - then build a metric and compare
the results with your colleagues, which may produce some fruitful
discussions.
| Software project managers
|
Treat the Top 25 as an early step in a larger effort towards achieving
software security. Strategic possibilities are covered in efforts
such as
Building Security In Maturity Model (BSIMM),
SAFECode,
OpenSAMM,
Microsoft SDL, and
OWASP ASVS.
Examine the
Monster Mitigations section to determine which
approaches may be most suitable to adopt, or establish your own
monster mitigations and map out which of the Top 25 are addressed by
them.
Consider building a custom "Top n" list that fits your needs and
practices. Consult the Common Weakness Risk
Analysis Framework (CWRAF) page for a general framework for building
top-N lists, and see Appendix C for a description
of how it was done for this year's Top 25. Develop your own nominee
list of weaknesses, with your own prevalence and importance factors -
and other factors that you may wish - then build a metric and compare
the results with your colleagues, which may produce some fruitful
discussions.
| Software Testers
|
Read the brief listing and consider how you would
integrate knowledge of these weaknesses into your tests. If you are
in a friendly competition with the developers, you may find some
surprises in the On the Cusp entries, or even the
rest of CWE.
For each indvidual CWE entry in the Details section,
you can get more information on detection methods from the "technical
details" link. Review the CAPEC IDs for ideas on the types of attacks
that can be launched against the weakness.
| Software customers
|
Recognize that market pressures often drive vendors to provide
software that is rich in features, and security may not be a serious
consideration. As a customer,
you
have the power to influence vendors to provide more secure products
by letting them know that security is important to you. Use the Top
25 to help set minimum expectations for due care by software vendors.
Consider using the Top 25 as part of contract language during the
software acquisition process. The
SANS Application Security
Procurement Language site offers customer-centric language that is
derived from the
OWASP
Secure Software Contract Annex, which offers a "framework for
discussing expectations and negotiating responsibilities" between the
customer and the vendor. Other information is available from the DHS
Acquisition
and Outsourcing Working Group.
Consult the Common Weakness Risk Analysis
Framework (CWRAF) page for a general framework for building a top-N
list that suits your own needs.
For the software products that you use, pay close attention to
publicly reported vulnerabilities in those products. See if they
reflect any of the associated weaknesses on the Top 25 (or your own
custom list), and if so,
contact your vendor to determine what processes the vendor is
undertaking to minimize the risk that these weaknesses will continue
to be introduced into the code.
See the On the Cusp summary for other weaknesses
that did not make the final Top 25; this will include weaknesses that
are only starting to grow in prevalence or importance, so they may
become your problem in the future.
| Educators
|
Start with the brief listing. Some
training materials are also available.
| Users of the 2010 Top 25
|
See the What Changed section; while a lot has
changed on the surface, this year's effort is more well-structured.
|
Brief Listing of the Top 25
Brief Listing of the Top 25
This is a brief listing of the Top 25 items, using the general ranking.
NOTE: 16 other weaknesses were considered for inclusion in the Top 25, but their general scores were not high enough. They are listed in
a separate "On the Cusp" page.
Rank | Score | ID | Name |
[1] | 93.8 | CWE-89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
[2] | 83.3 | CWE-78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
[3] | 79.0 | CWE-120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
[4] | 77.7 | CWE-79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
[5] | 76.9 | CWE-306 |
Missing Authentication for Critical Function |
[6] | 76.8 | CWE-862 |
Missing Authorization |
[7] | 75.0 | CWE-798 |
Use of Hard-coded Credentials |
[8] | 75.0 | CWE-311 |
Missing Encryption of Sensitive Data |
[9] | 74.0 | CWE-434 |
Unrestricted Upload of File with Dangerous Type |
[10] | 73.8 | CWE-807 |
Reliance on Untrusted Inputs in a Security Decision |
[11] | 73.1 | CWE-250 |
Execution with Unnecessary Privileges |
[12] | 70.1 | CWE-352 |
Cross-Site Request Forgery (CSRF) |
[13] | 69.3 | CWE-22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
[14] | 68.5 | CWE-494 |
Download of Code Without Integrity Check |
[15] | 67.8 | CWE-863 |
Incorrect Authorization |
[16] | 66.0 | CWE-829 |
Inclusion of Functionality from Untrusted Control Sphere |
[17] | 65.5 | CWE-732 |
Incorrect Permission Assignment for Critical Resource |
[18] | 64.6 | CWE-676 |
Use of Potentially Dangerous Function |
[19] | 64.1 | CWE-327 |
Use of a Broken or Risky Cryptographic Algorithm |
[20] | 62.4 | CWE-131 |
Incorrect Calculation of Buffer Size |
[21] | 61.5 | CWE-307 |
Improper Restriction of Excessive Authentication Attempts |
[22] | 61.1 | CWE-601 |
URL Redirection to Untrusted Site ('Open Redirect') |
[23] | 61.0 | CWE-134 |
Uncontrolled Format String |
[24] | 60.3 | CWE-190 |
Integer Overflow or Wraparound |
[25] | 59.9 | CWE-759 |
Use of a One-Way Hash without a Salt |
CWE-89 - SQL injection - delivers the knockout punch of security weaknesses in 2011. For data-rich software applications, SQL
injection is the means to steal the keys to the kingdom. CWE-78, OS
command injection, is where the application interacts with the
operating system. The classic buffer overflow (CWE-120) comes in
third, still pernicious after all these decades. Cross-site scripting
(CWE-79) is the bane of web applications everywhere. Rounding out the
top 5 is Missing Authentication (CWE-306) for critical functionality.
Category-Based View of the Top 25
Category-Based View of the Top 25
This section sorts the entries into the three high-level categories that were used in the 2009 Top 25:
- Insecure Interaction Between Components
- Risky Resource Management
- Porous Defenses
Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs,
processes, threads, or systems.
For each weakness, its ranking in the general list is provided in square brackets.
Rank | CWE ID | Name |
[1]
|
CWE-89
|
Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection')
|
[2]
|
CWE-78
|
Improper Neutralization of Special Elements used in an OS Command ('OS
Command Injection')
|
[4]
|
CWE-79
|
Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
|
[9]
|
CWE-434
|
Unrestricted Upload of File with Dangerous Type
|
[12]
|
CWE-352
|
Cross-Site Request Forgery (CSRF)
|
[22]
|
CWE-601
|
URL Redirection to Untrusted Site ('Open Redirect')
|
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction
of important system resources.
Rank | CWE ID | Name |
[3]
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer
Overflow')
|
[13]
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
[14]
|
CWE-494
|
Download of Code Without Integrity Check
|
[16]
|
CWE-829
|
Inclusion of Functionality from Untrusted Control Sphere
|
[18]
|
CWE-676
|
Use of Potentially Dangerous Function
|
[20]
|
CWE-131
|
Incorrect Calculation of Buffer Size
|
[23]
|
CWE-134
|
Uncontrolled Format String
|
[24]
|
CWE-190
|
Integer Overflow or Wraparound
|
Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
Rank | CWE ID | Name |
[5]
|
CWE-306
|
Missing Authentication for Critical Function
|
[6]
|
CWE-862
|
Missing Authorization
|
[7]
|
CWE-798
|
Use of Hard-coded Credentials
|
[8]
|
CWE-311
|
Missing Encryption of Sensitive Data
|
[10]
|
CWE-807
|
Reliance on Untrusted Inputs in a Security Decision
|
[11]
|
CWE-250
|
Execution with Unnecessary Privileges
|
[15]
|
CWE-863
|
Incorrect Authorization
|
[17]
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
[19]
|
CWE-327
|
Use of a Broken or Risky Cryptographic Algorithm
|
[21]
|
CWE-307
|
Improper Restriction of Excessive Authentication Attempts
|
[25]
|
CWE-759
|
Use of a One-Way Hash without a Salt
|
Organization of the Top 25
Organization of the Top 25
For each individual weakness entry, additional information is provided. The primary audience is intended to be software programmers
and designers.
Ranking
|
The ranking of the weakness in the general list.
|
Score Summary
|
A summary of the individual ratings and scores that were given to this
weakness, including Prevalence, Importance, and Adjusted Score.
|
CWE ID and name
|
CWE identifier and short name of the weakness
|
Supporting Information
|
Supplementary information about the weakness that may be useful for
decision-makers to further prioritize the entries.
|
Discussion
|
Short, informal discussion of the nature of the weakness and its
consequences. The discussion avoids digging too deeply into technical
detail.
|
Prevention and Mitigations
|
Steps that developers can take to
mitigate or eliminate the weakness. Developers may choose one or
more of these mitigations to fit their own needs. Note that the
effectiveness of these techniques vary, and multiple techniques may
be combined for greater defense-in-depth.
|
Related CWEs
|
Other CWE entries that are related to the Top 25
weakness. Note: This list is illustrative, not comprehensive.
|
General Parent
|
One or more pointers to more general CWE entries, so you can see the
breadth and depth of the problem.
|
Related Attack Patterns
|
CAPEC entries for attacks that may be
successfully conducted against the weakness. Note: the list is not
necessarily complete.
|
Other pointers
|
Links to more details including source code examples that demonstrate
the weakness, methods for detection, etc.
|
Supporting Information
Each Top 25 entry includes supporting data fields for weakness prevalence, technical impact, and other information. Each entry also
includes the following data fields.
Field | Description |
Attack Frequency
|
How often the weakness occurs in vulnerabilities
that are exploited by an attacker.
|
Ease of Detection
|
How easy it is for an attacker to find this weakness.
|
Remediation Cost
|
The amount of effort required to fix the weakness.
|
Attacker Awareness
|
The likelihood that an attacker is going to be aware of this
particular weakness, methods for detection, and methods for
exploitation.
|
See Appendix A for more details.
Detailed CWE Descriptions
Detailed CWE Descriptions
This section provides details for each individual CWE entry, along with links to additional information. See the
Organization of the Top 25 section for an
explanation of the various fields.
1 | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Summary
Weakness Prevalence |
High | | Consequences |
Data loss, Security bypass | Remediation Cost |
Low | | Ease of Detection |
Easy | Attack Frequency |
Often | | Attacker Awareness |
High |
Discussion
These days, it seems as if software is all about the data: getting it
into the database, pulling it from the database, massaging it into
information, and sending it elsewhere for fun and profit. If
attackers can influence the SQL that you use to communicate with your
database, then suddenly all your fun and profit belongs to them. If
you use SQL queries in security controls such as authentication,
attackers could alter the logic of those queries to bypass security.
They could modify the queries to steal, corrupt, or otherwise change
your underlying data. They'll even steal data one byte at a time if
they have to, and they have the patience and know-how to do so.
In 2011, SQL injection was responsible for the compromises of many
high-profile organizations, including Sony Pictures, PBS, MySQL.com,
security company HBGary Federal, and many others.
Technical Details | Code Examples | Detection Methods | References |
Prevention and Mitigations
Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur
or provides constructs that make this weakness easier to avoid.
For example, consider using persistence layers such as Hibernate or
Enterprise Java Beans, which can provide significant protection against SQL
injection if used properly. |
Architecture and Design
If available, use structured mechanisms that automatically enforce the
separation between data and code. These mechanisms may be able to provide the
relevant quoting, encoding, and validation automatically, instead of relying
on the developer to provide this capability at every point where output is
generated.
Process SQL queries using prepared statements, parameterized queries, or
stored procedures. These features should accept parameters or variables and
support strong typing. Do not dynamically construct and execute query strings
within these features using "exec" or similar functionality, since you may
re-introduce the possibility of SQL injection. |
Architecture and Design, Operation
Run your code using the lowest privileges that are required to accomplish the
necessary tasks. If possible, create isolated accounts with limited
privileges that are only used for a single task. That way, a successful
attack will not immediately give the attacker access to the rest of the
software or its environment. For example, database applications rarely need
to run as the database administrator, especially in day-to-day operations.
Specifically, follow the principle of least privilege when creating user
accounts to a SQL database. The database users should only have the minimum
privileges necessary to use their account. If the requirements of the system
indicate that a user can read and modify their own data, then limit their
privileges so they cannot read/write others' data. Use the strictest
permissions possible on all database objects, such as execute-only for stored
procedures. |
Architecture and Design
For any security checks that are performed on the client side, ensure that
these checks are duplicated on the server side, in order to avoid CWE-602.
Attackers can bypass the client-side checks by modifying values after the
checks have been performed, or by changing the client to remove the
client-side checks entirely. Then, these modified values would be submitted
to the server. |
Implementation
If you need to use dynamically-generated query strings or commands in spite
of the risk, properly quote arguments and escape any special characters
within those arguments. The most conservative approach is to escape or filter
all characters that do not pass an extremely strict whitelist (such as
everything that is not alphanumeric or white space). If some special
characters are still needed, such as white space, wrap each argument in
quotes after the escaping/filtering step. Be careful of argument injection
(CWE-88).
Instead of building your own implementation, such features may be available
in the database or programming language. For example, the Oracle DBMS_ASSERT
package can check or enforce that parameters have certain properties that
make them less vulnerable to SQL injection. For MySQL, the
mysql_real_escape_string() API function is available in both C and PHP. |
Implementation
Assume all input is malicious. Use an "accept known good" input validation
strategy, i.e., use a whitelist of acceptable inputs that strictly conform to
specifications. Reject any input that does not strictly conform to
specifications, or transform it into something that does. Do not rely
exclusively on looking for malicious or malformed inputs (i.e., do not rely
on a blacklist). However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be
rejected outright.
When performing input validation, consider all potentially relevant
properties, including length, type of input, the full range of acceptable
values, missing or extra inputs, syntax, consistency across related fields,
and conformance to business rules. As an example of business rule logic,
"boat" may be syntactically valid because it only contains alphanumeric
characters, but it is not valid if you are expecting colors such as "red" or
"blue."
When constructing SQL query strings, use stringent whitelists that limit the
character set based on the expected value of the parameter in the request.
This will indirectly limit the scope of an attack, but this technique is less
important than proper output encoding and escaping.
Note that proper output encoding, escaping, and quoting is the most effective
solution for preventing SQL injection, although input validation may provide
some defense-in-depth. This is because it effectively limits what will appear
in output. Input validation will not always prevent SQL injection, especially
if you are required to support free-form text fields that could contain
arbitrary characters. For example, the name "O'Reilly" would likely pass the
validation step, since it is a common last name in the English language.
However, it cannot be directly inserted into the database because it contains
the "'" apostrophe character, which would need to be escaped or otherwise
handled. In this case, stripping the apostrophe might reduce the risk of SQL
injection, but it would produce incorrect behavior because the wrong name
would be recorded.
When feasible, it may be safest to disallow meta-characters entirely, instead
of escaping them. This will provide some defense in depth. After the data is
entered into the database, later processes may neglect to escape
meta-characters before use, and you may not have control over those
processes. |
Architecture and Design
When the set of acceptable objects, such as filenames or URLs, is limited or
known, create a mapping from a set of fixed input values (such as numeric
IDs) to the actual filenames or URLs, and reject all other inputs. |
Implementation
Ensure that error messages only contain minimal details that are useful to
the intended audience, and nobody else. The messages need to strike the
balance between being too cryptic and not being cryptic enough. They should
not necessarily reveal the methods that were used to determine the error.
Such detailed information can be u
| |