The SANS Top 25 is the CWE (Common Weakness Enumeration) list of the most critical software errors that lead to security vulnerabilities. SANS (SysAdmin, Audit, Network and Security) is an organisation that publishes security policies to be followed.

Each entry below gives the rank, the weakness name and a description.

1. Out-of-bounds Write: Memory corruption that occurs when the software writes through an out-of-bounds index.

2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Occurs when untrusted user input is executed as part of the HTML page, or when users are lured into interacting with malicious links, so that the attacker's script runs in the victim's browser, where it can hijack user sessions or redirect the user to malicious sites.

3. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): Occurs when input from an untrusted source injects code into the query, tricking the query interpreter into running malicious commands.

4. Improper Input Validation: Input validation is a frequently used technique for checking potentially dangerous inputs to ensure they are safe for processing within the code or when communicating with other components. When software does not validate input properly, an attacker can craft input in a form that the rest of the application does not expect.

5. Out-of-bounds Read: The software reads data past the end, or before the beginning, of the intended buffer. Typically, this allows attackers to read sensitive information from other memory locations or to cause a crash.

6. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The software constructs all or part of an OS command using externally influenced input from an upstream component; this can allow attackers to execute unexpected, dangerous commands directly on the operating system.

7. Use After Free: Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. The simplest way data corruption occurs is through the system's reuse of the freed memory.

8. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The application uses external input to construct a pathname intended to identify a file or directory located underneath a restricted parent directory, but does not properly neutralize special elements (".." and "/" separators) within the pathname, so the pathname can resolve to a location outside the restricted directory. Attackers can escape the restricted location to access files or directories elsewhere on the system.

9. Cross-Site Request Forgery (CSRF): When a web application is designed to receive a request from a client without verifying that it was intentionally sent, an attacker can trick the client into sending an unintended request to the web server, which treats it as an authentic request. This can be done via a URL, an image load, an XMLHttpRequest, etc., and can result in exposure of data or unintended code execution.

10. Unrestricted Upload of File with Dangerous Type: The application allows an attacker to upload or transfer files of dangerous types that can be automatically processed, which can cause resource consumption issues.

11. NULL Pointer Dereference: Occurs when the application dereferences a pointer that it expects to be valid but is NULL, causing a crash or exit.

12. Deserialization of Untrusted Data: The application deserializes untrusted data without verifying that the resulting data will be valid. Attackers can leverage this to perform unauthorized actions, such as spawning a shell.

13. Integer Overflow or Wraparound: The application performs a calculation that can produce an integer overflow or wraparound when the logic assumes the resulting value will always be larger than the original value. This has security consequences when the calculation is used for resource management or execution control.

14. Improper Authentication: When an actor claims to have a given identity, the application does not prove that the claim is correct.

15. Use of Hard-coded Credentials: The application contains hard-coded credentials, such as a password, which allow an attacker to bypass authentication.

16. Missing Authorization: The application does not perform an authorization check when a user attempts to access a resource or perform an action they are not allowed to perform. This can lead to information exposure, denial of service and code execution.

17. Improper Neutralization of Special Elements used in a Command ('Command Injection'): The application constructs all or part of a command from input received from an upstream component but does not neutralize special elements that could modify the intended command sent to a downstream component.

18. Missing Authentication for Critical Function: If data access does not require authentication, attackers can more easily access the data from anywhere.

19. Improper Restriction of Operations within the Bounds of a Memory Buffer: The application performs operations on a memory buffer but may read from or write to a memory location outside the intended boundary of the buffer. Without validation, this enables attackers to execute arbitrary code, crash the system or read sensitive information.

20. Incorrect Default Permissions: File permissions should be set so that they do not allow anyone to modify the file; otherwise attackers can access and modify it.

21. Server-Side Request Forgery (SSRF): The web server receives a URL from an upstream component but does not ensure that the request is sent to the expected destination. This lets attackers bypass access controls such as firewalls and make it appear as though the server itself is sending the request. Attackers can use schemes such as "file://" and "ftp://", which provide greater control over the contents of requests.

22. Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'): A code sequence that can run in parallel with other code requires temporary, exclusive access to a shared resource; a race condition occurs when that shared resource can be modified by another code sequence.

23. Uncontrolled Resource Consumption: The application does not correctly control the allocation and maintenance of a limited resource (memory, file system storage). Attackers can trigger the allocation of these limited resources until all available resources are consumed, causing a denial of service that prevents valid users from accessing the software.

24. Improper Restriction of XML External Entity Reference: The application processes an XML document that can contain XML entities with URIs that resolve to other documents. This enables attackers to use such a URI to read contents from the server and embed that information in the output, exposing the information to attackers.

25. Improper Control of Generation of Code ('Code Injection'): The application constructs all or part of a code segment (syntax) from input received from an upstream component and does not neutralize special elements that could modify the syntax or behaviour of the intended code segment. This leads to arbitrary code execution.
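One defensive check for entry 8 (path traversal), written here as an added example that is not part of the original page: the vulnerable concatenation beside a hardened version that canonicalises the requested path and confirms it still lies under the allowed directory. The directory and file names are constructed for the demonstration.

```python
import os
import tempfile


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the canonical path of user_path inside base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # os.path.join would discard base_dir if user_path were absolute, so strip separators.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    # The check runs on canonical paths (".." and symlinks resolved by the OS), so
    # "a/../../secret" is judged after it has collapsed. commonpath compares whole
    # components, so a sibling like "/srv/files-old" cannot pass as "/srv/files".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_path!r} resolves outside {base_dir!r}")
    return candidate


def read_file_unsafe(base_dir: str, user_path: str) -> bytes:
    """Vulnerable pattern: the ".." components are never neutralised."""
    with open(os.path.join(base_dir, user_path), "rb") as fh:
        return fh.read()


def read_file_safe(base_dir: str, user_path: str) -> bytes:
    """Hardened pattern: open the file only after the canonical path is checked."""
    with open(resolve_under(base_dir, user_path), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed sandbox: a 'public' directory and a 'secret.txt' one level above it."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "readme.txt"), "wb") as fh:
        fh.write(b"hello")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"top secret")
    results = {"normal": read_file_safe(public, "readme.txt")}
    results["unsafe_escape"] = read_file_unsafe(public, "../secret.txt")
    try:
        read_file_safe(public, "../secret.txt")
        results["safe_escape"] = "allowed"
    except ValueError:
        results["safe_escape"] = "blocked"
    return results
```

Checking a `startswith()` prefix on the raw string is not enough; the comparison must happen after canonicalisation and on whole path components, as `resolve_under` does.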