2010 CWE/SANS Top 25 Most Dangerous Software Errors

2011. 4. 10. 08:12 Uncategorized



@ Brief Listing of the Top 25

1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

2. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

4. Cross-Site Request Forgery (CSRF)

5. Improper Access Control (Authorization)

6. Reliance on Untrusted Inputs in a Security Decision

7. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

8. Unrestricted Upload of File with Dangerous Type

9. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

10. Missing Encryption of Sensitive Data

11. Use of Hard-coded Credentials

12. Buffer Access with Incorrect Length Value

13. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

14. Improper Validation of Array Index

15. Improper Check for Unusual or Exceptional Conditions

16. Information Exposure Through an Error Message

17. Integer Overflow or Wraparound

18. Incorrect Calculation of Buffer Size

19. Missing Authentication for Critical Function

20. Download of Code Without Integrity Check

21. Incorrect Permission Assignment for Critical Resource

22. Allocation of Resources Without Limits or Throttling

23. URL Redirection to Untrusted Site ('Open Redirect')

24. Use of a Broken or Risky Cryptographic Algorithm

25. Race Condition


* See the attached file for details.