February 8, 2018

OWASP Top 10 compared to SANS CWE 25

The Common Weakness Enumeration (CWE) is a list of software security vulnerabilities found all throughout the software development industry. It’s a community-driven project maintained by MITRE, a non-profit research and development group. For each entry, the CWE provides a description of the vulnerability and steps for mitigating it.

MITRE partnered with the SANS Institute to develop the CWE/25, a list of the 25 most critical software vulnerabilities. A similar list is provided in the Open Web Application Security Project (OWASP) Top 10 Project, which is also a community-driven compilation of software vulnerabilities. Although the CWE/25 and OWASP Top 10 are different, they share many of the same vulnerabilities. Here is a list of the OWASP Top 10 entries for 2017 and their corresponding CWEs.

Overview

OWASP Top 10 SANS CWE 25
A1: Injection
  • CWE-78: Improper Neutralization of Special Elements Used in an OS Command (‘OS Command Injection’)
  • CWE-89: SQL Injection
  • CWE-94: Code Injection
  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-494: Download of Code Without Integrity Check
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
A2: Broken Authentication
  • CWE-306: Missing Authentication for Critical Function
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-798: Use of Hard-coded Credentials
  • CWE-807: Reliance on Untrusted Inputs in a Security Decision
  • CWE-862: Missing Authorization
  • CWE-863: Incorrect Authorization
A3: Sensitive Data Exposure
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-319: Cleartext Transmission of Sensitive Information
A4: XML External Entities
  • None
A5: Broken Access Control
  • CWE-73: External Control of File Name or Path
  • CWE-285: Improper Authorization
A6: Security Misconfiguration
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-676: Use of Potentially Dangerous Function
  • CWE-732: Incorrect Permission Assignment for Critical Resource
A7: Cross-Site Scripting (XSS)
  • CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-Site Scripting’)
A8: Insecure Deserialization
  • CWE-134: Use of Externally-Controlled Format String
A9: Using Components with Known Vulnerabilities
  • CWE-190: Integer Overflow or Wraparound
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-759: Use of a One-way Hash Without a Salt
A10: Insufficient Logging and Monitoring
  • None

Details

A1: Injection

CWE-78: Improper Neutralization of Special Elements Used in an OS Command (‘OS Command Injection’)

Applications are vulnerable to command injection if they use any form of outside input when running a command on the host system. Malicious input could cause the command to run in unexpected ways, potentially compromising the entire OS.

CWE-89: SQL Injection

SQL injection occurs when an application uses outside input as part of a SQL query. An attacker can use this to run any number of SQL commands on the database, resulting in data retrieval or manipulation.

CWE-94: Code Injection

Applications that execute user input as code are susceptible to code injection. An attacker can embed code as part of their input and the application will execute it.

CWE-343: Unrestricted Upload of File with Dangerous Type

Certain file types can be interpreted by the server as executable files. For example, a PHP server that accepts and runs .php files is open to an attacker uploading and running arbitrary PHP code.

CWE-494: Download of Code Without Integrity Check

Software that uses code from outside sources (such as a third-party library) without verifying its integrity is susceptible to code injection. For instance, if the server hosting the library suddenly starts delivering a different library instead, the application has no way of knowing that this change has occurred until the library has already been integrated.

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Similar to CWE-494, this involves using code from outside sources. However, in this case, the code can’t be trusted to perform the actions it claims to perform. For instance, if your website uses a script from an untrusted website, your entire website is exposed to any malicious activity that the external script may perform.

A2: Broken Authentication

CWE-306: Missing Authentication for Critical Function

Commands that perform privileged actions or interact with sensitive data should always require authentication. If the software ignores the authentication step, attackers can run privileged actions without having to verify their identity.

CWE-307: Improper Restriction of Excessive Authentication Attempts

If a user fails to authenticate multiple times in a short period, the application should prevent the user from retrying until a certain amount of time has passed. If not, an attacker can continuously try different credentials, resulting in a brute force attack.

CWE-798: Use of Hard-coded Credentials

Hard-coded credentials are often used during testing or when authenticating the application with another service. An attacker who finds these credentials can use them to log in to the service, access sensitive data, or impersonate the application.

CWE-807: Reliance on Untrusted Inputs in a Security Decision

Certain “hidden” fields (such as cookies, environment variables, and hidden form fields) can be modified to contain values other than those expected by the application. Attackers can change these fields to fool or bypass security steps such as authentication or session management.

CWE-862: Missing Authorization

When performing any privileged action, the application should always perform an authorization check on the user that requested the action. Failing to do so can allow unprivileged users to access secure data or perform dangerous actions.

CWE-863: Incorrect Authorization

Authorization checks that aren’t properly implemented can be tricked or bypass by attackers.

A3: Sensitive Data Exposure

CWE-311: Missing Encryption of Sensitive Data

Sensitive data should be encrypted while in transit and while at rest. This way, anyone who accesses it won’t be able to see sensitive data without the decryption key.

CWE-319: Cleartext Transmission of Sensitive Information

Expanding on CWE-311, data should also be encrypted while being sent over a communication channel such as a network. Data sent over a network can be read by a third-party, meaning any unencrypted data can be read by an attacker.

A5: Broken Access Control

CWE-73: External Control of File Name or Path

User input should not be used to locate files on the server. Allowing user input to determine the path can result in the user accessing sensitive files.

CWE-285: Improper Authorization

Similar to CWE-863, improper authorization allows users to run commands without confirming the user’s identity. This occurs when an attacker performs an action that should require an authorization check, but doesn’t.

A6: Security Misconfiguration

CWE-250: Execution with Unnecessary Privileges

Applications should perform operations with the minimum necessary permissions. For example, writing to a file as an administrator instead of a normal user makes it possible to overwrite critical application and system files.

CWE-676: Use of Potentially Dangerous Function

Some functions can have negative effects when used incorrectly, allowing attackers to access system resources or cause errors.

CWE-732: Incorrect Permission Assignment for Critical Resource

Operations that create and manage resources (such as files) must assign the correct permissions to those resources. Failing to do so could allow unintentional access by other users.

A7: Cross-Site Scripting (XSS)

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-Site Scripting’)

Cross-site scripting (XSS) occurs when an attacker submits input that the application then renders as output. If the input contains code (such as JavaScript), that code will be executed in the browser that the page renders in.

A8: Insecure Deserialization

CWE-134: Use of Externally-Controlled Format String

Externally-controlled format strings can allow attackers to cause runtime errors or even write to the stack. Programs should only use static format strings.

A9: Using Components with Known Vulnerabilities

CWE-190: Integer Overflow or Wraparound

An integer overflow occurs when the value of a variable is too large for its type, causing it to “wrap around” to the type’s lower limit. This can have unexpected consequences in several operations including basic arithmetic, control looping, and memory operations.

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Cryptographic algorithms that are known to be insecure have several possible attack vectors. Using an insecure algorithm opens your application to these attacks, whereas more secure algorithms are less likely to be vulnerable.

CWE-759: Use of a One-way Hash Without a Salt

A salt is a random string used to improve security when hashing data such as a password. Without a salt, hashes can be reverse engineered more easily using brute force or rainbow tables.