Top 10 Web Application Vulnerabilities

The SANS Top 25 Software errors mapped to Top 10 OWASP vulnerabilities in 2020.

1. Injection

• CWE-78: Improper Neutralization of Special Elements Used in an OS Command (’OS Command Injection’)
• CWE-89: Improper Neutralization of Special Elements Used in an SQL Command (’SQL Injection’)
• CWE-434: Unrestricted Upload of File with Dangerous Type
• CWE-494: Download of Code without Integrity Check
• CWE-829: Inclusion of Functionality from Untrusted Control Sphere

2. Broken Authentication

• CWE-306: Missing Authentication for Critical Function
• CWE-307: Improper Restriction of Excessive Authentication Attempts
• CWE-798: Use of Hard-Coded Credentials
• CWE-807: Reliance on Untrusted Inputs in a Security Decision
• CWE-862: Missing Authorization
• CWE-863: Incorrect Authorization

3. Sensitive Data Exposure

• CWE-311: Missing Encryption of Sensitive Data
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

4. XML External Entities (XXE)

• No SANS Top 25 mapped to this OWASP

5. Broken Access control

• CWE-22: Improper Limitation of a Pathname to a Restricted Directory (’Path Traversal’)

6. Security misconfigurations

• CWE-250: Execution with Unnecessary Privileges
• CWE-676: Use of Potentially Dangerous Function
• CWE-732: Incorrect Permission Assignment for Critical Resource

7. Cross Site Scripting (XSS)

• CWE-79: Improper Neutralization of Input During Webpage Generation ('Cross-Site Scripting')

8. Insecure Deserialization

• CWE-134: Use of Externally-Controlled Format String

9. Using Components with known vulnerabilities

• CWE-190: Integer Overflow or Wraparound
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm
• CWE-759: Use of a One-Way Hash without a Salt

10. Insufficient logging and monitoring

• No SANS Top 25 mapped to this OWASP

Reference

1. Open Web Application Security Project (OWASP)
2. https://www.sans.org/top25-software-errors
3. Common Weakness Enumeration (CWE™)