CWE TOP 25

Summary

Common Weakness Enumeration Top 25 (CWE Top 25) is a demonstrative list and valuable community resource of the most common and impactful issues experienced over the previous two calendar years. It can help developers, testers and users to provide insight into the most severe and current security weaknesses. The version used in this section is CWE Top 25 2023.

Definitions

Definition	Requirements
CWE25-20. Improper input validation	164. Use optimized structures 173. Discard unsafe inputs 342. Validate request parameters
CWE25-22. Improper limitation of a pathname to a restricted directory (path traversal)	173. Discard unsafe inputs 280. Restrict service root directory 320. Avoid client-side control enforcement 342. Validate request parameters 381. Use of absolute paths
CWE25-77. Improper neutralization of special elements used in a command (command injection)	172. Encrypt connection strings 173. Discard unsafe inputs 265. Restrict access to critical processes 344. Avoid dynamic code execution
CWE25-78. Improper neutralization of special elements used in an OS command (OS command injection)	158. Use a secure programming language 173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities 342. Validate request parameters
CWE25-79. Improper neutralization of input during web page generation (cross-site scripting)	160. Encode system outputs 173. Discard unsafe inputs 029. Cookies with security attributes
CWE25-89. Improper neutralization of special elements used in an SQL command (SQL injection)	157. Use the strict mode 169. Use parameterized queries 173. Discard unsafe inputs 029. Cookies with security attributes
CWE25-94. Improper Control of Generation of Code ('Code Injection')	155. Application free of malicious code 159. Obfuscate code 164. Use optimized structures 173. Discard unsafe inputs 050. Control calls to interpreted code
CWE25-119. Improper restriction of operations within the bounds of a memory buffer	157. Use the strict mode 158. Use a secure programming language 164. Use optimized structures 266. Disable insecure functionalities 345. Establish protections against overflows
CWE25-125. Out-of-bounds read	157. Use the strict mode 158. Use a secure programming language 345. Establish protections against overflows
CWE25-190. Integer overflow or wraparound	345. Establish protections against overflows
CWE25-269. Improper Privilege Management	176. Restrict system objects 228. Authenticate using standard protocols 033. Restrict administrative access 095. Define users with privileges 096. Set user's required privileges
CWE25-276. Incorrect Default Permissions	142. Change system default credentials 161. Define secure default options
CWE25-287. Improper authentication	114. Deny access with inactive credentials 122. Validate credential ownership 130. Limit password lifespan 138. Define lifespan for temporary passwords 140. Define OTP lifespan 153. Out of band transactions 227. Display access notification 229. Request access credentials 232. Require equipment identity 237. Ascertain human interaction 264. Request authentication 319. Make authentication options equally secure 335. Define out of band token lifespan 347. Invalidate previous OTPs 362. Assign MFA mechanisms to a single account 030. Avoid object reutilization
CWE25-306. Missing authentication for critical function	229. Request access credentials 264. Request authentication 265. Restrict access to critical processes 328. Request MFA for critical systems
CWE25-352. Cross-site request forgery (CSRF)	174. Transactions without a distinguishable pattern 349. Include HTTP security headers 029. Cookies with security attributes
CWE25-362. Concurrent execution using shared resource with improper synchronization (Race condition)	264. Request authentication 337. Make critical logic flows thread safe 037. Parameters without sensitive data
CWE25-416. User after free	157. Use the strict mode 158. Use a secure programming language 266. Disable insecure functionalities
CWE25-434. Unrestricted upload of file with dangerous type	039. Define maximum file size 040. Compare file format and extension 041. Scan files for malicious code
CWE25-476. NULL pointer dereference	161. Define secure default options 266. Disable insecure functionalities 345. Establish protections against overflows 359. Avoid using generic exceptions 366. Associate type to variables 381. Use of absolute paths
CWE25-502. Deserialization of untrusted data	229. Request access credentials 321. Avoid deserializing untrusted data
CWE25-787. Out-of-bounds Write	157. Use the strict mode 345. Establish protections against overflows
CWE25-798. Use of hard-coded credentials	126. Set a password regeneration mechanism 127. Store hashed passwords 134. Store passwords with salt 145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 181. Transmit data using secure protocols 185. Encrypt sensitive information 206. Configure communication protocols 224. Use secure cryptographic mechanisms 264. Request authentication 321. Avoid deserializing untrusted data 351. Assign unique keys to each device
CWE25-862. Missing authorization	341. Use the principle of deny by default 034. Manage user accounts 035. Manage privilege modifications 095. Define users with privileges 096. Set user's required privileges
CWE25-863. Incorrect Authorization	176. Restrict system objects 228. Authenticate using standard protocols 033. Restrict administrative access 095. Define users with privileges 096. Set user's required privileges
CWE25-918. Server-side request forgery (SSRF)	173. Discard unsafe inputs 324. Control redirects 348. Use consistent encoding

Last updated

2024/02/02