25 most dangerous software errors
A few days ago, computer experts, including the non-profit organization MITER, the Sans Institute, the US National Security Agency and the National Cyber Defense Division of the US Department of Homeland Security, unveiled an updated list of the 25 most dangerous software errors. As in the past year, the list is headed by XSS, SQL injections and problems with buffer overflows. These and other software errors have caused hacking of millions of systems, including the recent attack on Google, so the check-list above should always be kept at hand not only for beginners.
I advise you to read the original article , which, in addition to a detailed description of all errors, provides tips for eliminating them, as well as examples.
Last year's discussion - mamba.habrahabr.ru/blog/50046/
UPD: minus karma, leave at least brief comments, otherwise I will not correct it and I will continue to write such nonsense;).
[1] 346 CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
[2] 330 CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
[3] 273 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] 261 CWE-352 Cross-Site Request Forgery (CSRF)
[5] 219 CWE-285 Improper Access Control (Authorization)
[6] 202 CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] 197 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[8] 194 CWE-434 Unrestricted Upload of File with Dangerous Type
[9] 188 CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
[10] 188 CWE-311 Missing Encryption of Sensitive Data
[11] 176 CWE-798 Use of Hard-coded Credentials
[12] 158 CWE-805 Buffer Access with Incorrect Length Value
[13] 157 CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[14] 156 CWE-129 Improper Validation of Array Index
[15] 155 CWE-754 Improper Check for Unusual or Exceptional Conditions
[16] 154 CWE-209 Information Exposure Through an Error Message
[17] 154 CWE-190 Integer Overflow or Wraparound
[18] 153 CWE-131 Incorrect Calculation of Buffer Size
[19] 147 CWE-306 Missing Authentication for Critical Function
[20] 146 CWE-494 Download of Code Without Integrity Check
[21] 145 CWE-732 Incorrect Permission Assignment for Critical Resource
[22] 145 CWE-770 Allocation of Resources Without Limits or Throttling
[23] 142 CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
[24] 141 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[25] 138 CWE-362 Race Condition
I advise you to read the original article , which, in addition to a detailed description of all errors, provides tips for eliminating them, as well as examples.
Last year's discussion - mamba.habrahabr.ru/blog/50046/
UPD: minus karma, leave at least brief comments, otherwise I will not correct it and I will continue to write such nonsense;).
')
Source: https://habr.com/ru/post/84655/
All Articles