| Rank | Score | CWE ID | CWE/SANS NAME | WASC NAME | WASC ID |
| [1] | 346 | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Cross-Site Scripting | WASC-08 |
| [2] | 330 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | SQL Injection | WASC-19 |
| [3] | 273 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Buffer Overflow | WASC-07 |
| [4] | 261 | CWE-352 | Cross-Site Request Forgery (CSRF) | Cross-site Request Forgery | WASC-09 |
| [5] | 219 | CWE-285 | Improper Access Control (Authorization) | Insufficient Authorization | WASC-02 |
| [6] | 202 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Insufficient Authorization | WASC-02 |
| [7] | 197 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Path Traversal | WASC-33 |
| [8] | 194 | CWE-434 | Unrestricted Upload of File with Dangerous Type | ||
| [9] | 188 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | OS Commanding | WASC-31 |
| [10] | 188 | CWE-311 | Missing Encryption of Sensitive Data | Insufficient Transport Layer Protection | WASC-04 |
| [11] | 176 | CWE-798 | Use of Hard-coded Credentials | ||
| [12] | 158 | CWE-805 | Buffer Access with Incorrect Length Value | Buffer Overflow | WASC-07 |
| [13] | 157 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | Path Traversal | WASC-33 |
| [14] | 156 | CWE-129 | Improper Validation of Array Index | ||
| [15] | 155 | CWE-754 | Improper Check for Unusual or Exceptional Conditions | ||
| [16] | 154 | CWE-209 | Information Exposure Through an Error Message | Information Leakage | WASC-13 |
| [17] | 154 | CWE-190 | Integer Overflow or Wraparound | Integer Overflows | WASC-03 |
| [18] | 153 | CWE-131 | Incorrect Calculation of Buffer Size | Buffer Overflow | WASC-07 |
| [19] | 147 | CWE-306 | Missing Authentication for Critical Function | Insufficient Authentication | WASC-01 |
| [20] | 146 | CWE-494 | Download of Code Without Integrity Check | Remote File Inclusion | WASC-05 |
| [21] | 145 | CWE-732 | Incorrect Permission Assignment for Critical Resource | Improper Filesystem Permissions | WASC-17 |
| [22] | 145 | CWE-770 | Allocation of Resources Without Limits or Throttling | Denial of Service | WASC-10 |
| [23] | 142 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | URl Redirector Abuse | WASC-38 |
| [24] | 141 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Credential/Session Prediction | WASC-18 |
| [25] | 138 | CWE-362 | Race Condition | Insufficient Process Validation | WASC-40 |
April 29, 2010
WASC WSTCv2 Mapping Proposal
While completing vulnerability statistics about Russian web applications in 2009 (it's issued date is too late this year) [1,2,3 in Russian], I suddenly realize that there's no comparison between WASC WSTCv2 and SANS/CWE Top 25 2010 vulnerability titles. As there's No such comparison on the official resource [4], I suggest my own version.
Subscribe to:
Post Comments (Atom)
This comment has been removed by a blog administrator.
ReplyDelete