Fluid Attacks Database

CWE TOP 25

Last updated: 2024/02/02

Common Weakness Enumeration Top 25 (CWE Top 25) is a demonstrative list and valuable community resource of the most common and impactful issues experienced over the previous two calendar years. It can help developers, testers and users to provide insight into the most severe and current security weaknesses. The version used in this section is CWE Top 25 2023.

Control-Requirement Mapping

Definition	Requirements
20. Improper input validation	164. Use optimized structures 173. Discard unsafe inputs 342. Validate request parameters
22. Improper limitation of a pathname to a restricted directory (path traversal)	173. Discard unsafe inputs 280. Restrict service root directory 320. Avoid client-side control enforcement 342. Validate request parameters 381. Use of absolute paths
77. Improper neutralization of special elements used in a command (command injection)	172. Encrypt connection strings 173. Discard unsafe inputs 265. Restrict access to critical processes 344. Avoid dynamic code execution
78. Improper neutralization of special elements used in an OS command (OS command injection)	158. Use a secure programming language 173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities 342. Validate request parameters
79. Improper neutralization of input during web page generation (cross-site scripting)	160. Encode system outputs 173. Discard unsafe inputs 029. Cookies with security attributes
89. Improper neutralization of special elements used in an SQL command (SQL injection)	157. Use the strict mode 169. Use parameterized queries 173. Discard unsafe inputs 029. Cookies with security attributes
94. Improper Control of Generation of Code ('Code Injection')	155. Application free of malicious code 159. Obfuscate code 164. Use optimized structures 173. Discard unsafe inputs 050. Control calls to interpreted code
119. Improper restriction of operations within the bounds of a memory buffer	157. Use the strict mode 158. Use a secure programming language 164. Use optimized structures 266. Disable insecure functionalities 345. Establish protections against overflows
125. Out-of-bounds read	157. Use the strict mode 158. Use a secure programming language 345. Establish protections against overflows
190. Integer overflow or wraparound	345. Establish protections against overflows
269. Improper Privilege Management	176. Restrict system objects 228. Authenticate using standard protocols 033. Restrict administrative access 095. Define users with privileges 096. Set user's required privileges
276. Incorrect Default Permissions	142. Change system default credentials 161. Define secure default options
287. Improper authentication	114. Deny access with inactive credentials 122. Validate credential ownership 130. Limit password lifespan 138. Define lifespan for temporary passwords 140. Define OTP lifespan 153. Out of band transactions 227. Display access notification 229. Request access credentials 232. Require equipment identity 237. Ascertain human interaction 264. Request authentication 319. Make authentication options equally secure 335. Define out of band token lifespan 347. Invalidate previous OTPs 362. Assign MFA mechanisms to a single account 030. Avoid object reutilization
306. Missing authentication for critical function	229. Request access credentials 264. Request authentication 265. Restrict access to critical processes 328. Request MFA for critical systems
352. Cross-site request forgery (CSRF)	174. Transactions without a distinguishable pattern 349. Include HTTP security headers 029. Cookies with security attributes
362. Concurrent execution using shared resource with improper synchronization (Race condition)	264. Request authentication 337. Make critical logic flows thread safe 037. Parameters without sensitive data
416. User after free	157. Use the strict mode 158. Use a secure programming language 266. Disable insecure functionalities
434. Unrestricted upload of file with dangerous type	039. Define maximum file size 040. Compare file format and extension 041. Scan files for malicious code
476. NULL pointer dereference	161. Define secure default options 266. Disable insecure functionalities 345. Establish protections against overflows 359. Avoid using generic exceptions 366. Associate type to variables 381. Use of absolute paths
502. Deserialization of untrusted data	229. Request access credentials 321. Avoid deserializing untrusted data
787. Out-of-bounds Write	157. Use the strict mode 345. Establish protections against overflows
798. Use of hard-coded credentials	126. Set a password regeneration mechanism 127. Store hashed passwords 134. Store passwords with salt 145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 181. Transmit data using secure protocols 185. Encrypt sensitive information 206. Configure communication protocols 224. Use secure cryptographic mechanisms 264. Request authentication 321. Avoid deserializing untrusted data 351. Assign unique keys to each device
862. Missing authorization	341. Use the principle of deny by default 034. Manage user accounts 035. Manage privilege modifications 095. Define users with privileges 096. Set user's required privileges
863. Incorrect Authorization	176. Restrict system objects 228. Authenticate using standard protocols 033. Restrict administrative access 095. Define users with privileges 096. Set user's required privileges
918. Server-side request forgery (SSRF)	173. Discard unsafe inputs 324. Control redirects 348. Use consistent encoding

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.