Top 25 Software Errors

SANS has published the list of the top 25 most dangerous software errors, grouped into three categories by CWE ID:

Insecure Interaction Between Components

CWE ID     Name
CWE-89     Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-78     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79     Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434    Unrestricted Upload of File with Dangerous Type
CWE-352    Cross-Site Request Forgery (CSRF)
CWE-601    URL Redirection to Untrusted Site ('Open Redirect')

Risky Resource Management

CWE ID     Name
CWE-120    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-22     Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-494    Download of Code Without Integrity Check
CWE-829    Inclusion of Functionality from Untrusted Control Sphere
CWE-676    Use of Potentially Dangerous Function
CWE-131    Incorrect Calculation of Buffer Size
CWE-134    Uncontrolled Format String
CWE-190    Integer Overflow or Wraparound

Porous Defenses

CWE ID     Name
CWE-306    Missing Authentication for Critical Function
CWE-862    Missing Authorization
CWE-798    Use of Hard-coded Credentials
CWE-311    Missing Encryption of Sensitive Data
CWE-807    Reliance on Untrusted Inputs in a Security Decision
CWE-250    Execution with Unnecessary Privileges
CWE-863    Incorrect Authorization
CWE-732    Incorrect Permission Assignment for Critical Resource
CWE-327    Use of a Broken or Risky Cryptographic Algorithm
CWE-307    Improper Restriction of Excessive Authentication Attempts
CWE-759    Use of a One-Way Hash without a Salt