Penetration Test | Jan Kahmen | 9 min read

CWE Top 25 - (2023)

The CWE Top 25 Most Dangerous Software Weaknesses 2023 is a list of the most dangerous software weaknesses compiled by the Common Weakness Enumeration (CWE) for the year 2023.

The CWE Top 25 Most Dangerous Software Weaknesses 2023 is a ranking of the most critical software weaknesses published by the Common Weakness Enumeration (CWE). It helps developers and security researchers identify and understand the most prevalent and dangerous vulnerability classes. The list is updated annually to reflect current trends in software security.

The ranking covers weaknesses such as injection attacks, cross-site scripting, insecure authentication, insecure data storage, misconfigurations, and insecure communication. Each entry includes a detailed description and practical examples to aid in understanding and prevention.

The CWE Top 25 is a valuable resource for building secure and robust software products. It is compiled each year by MITRE Corporation and builds on the CWE Top 25 of 2022.

CWE TOP 25 - 2023

  1. CWE-787 Out-of-Bounds Write: This vulnerability occurs when a program writes data beyond the end (or before the start) of its allocated memory buffer. It can lead to program crashes or to exploitable memory corruption, the classic buffer overflow being one form.

  2. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): This vulnerability occurs when user input is embedded into HTML without proper sanitization or encoding of special characters. Attackers can exploit this to execute malicious scripts in the victim's browser (XSS).

  3. CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): This vulnerability occurs when an application builds SQL queries from user input without neutralizing special characters, so that the input is interpreted as part of the query. Attackers can manipulate queries to access or modify database contents or escalate privileges.

  4. CWE-416 Use After Free: This vulnerability occurs when a program accesses a memory region that has already been freed. This can lead to crashes, data corruption, or exploitable conditions.

  5. CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): This vulnerability occurs when an application passes unsanitized user input into operating system commands. Attackers can execute arbitrary commands, exfiltrate data, or compromise system resources.

  6. CWE-20 Improper Input Validation: This vulnerability occurs when an application fails to properly validate incoming data. Malformed or malicious input can then trigger unexpected behavior.

  7. CWE-125 Out-of-Bounds Read: This vulnerability occurs when a program reads data beyond its allocated memory buffer. This can cause crashes or leak sensitive information from memory.

  8. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): This vulnerability occurs when an application fails to properly restrict file access to an intended directory. Attackers can traverse the file system to access sensitive data.

  9. CWE-352 Cross-Site Request Forgery (CSRF): This vulnerability allows attackers to trick authenticated users into performing unintended actions on a web application by submitting forged requests in the context of the user's active session.

  10. CWE-434 Unrestricted Upload of File with Dangerous Type: This vulnerability occurs when file uploads are not properly validated for permitted file types. Attackers can upload malicious files and execute them on the server.

  11. CWE-862 Missing Authorization: This vulnerability occurs when an application does not verify whether a user is authorized to perform a given action. Attackers can bypass access controls to reach protected data or functionality.

  12. CWE-476 NULL Pointer Dereference: This vulnerability occurs when a program attempts to dereference a NULL pointer. It typically causes crashes and may be exploitable under certain conditions.

  13. CWE-287 Improper Authentication: This vulnerability occurs when an application's authentication mechanism is flawed. Attackers can impersonate other users or gain access to protected areas.

  14. CWE-190 Integer Overflow or Wraparound: This vulnerability occurs when an integer value exceeds its permissible range. The resulting incorrect arithmetic can lead to further program errors or exploitable conditions.

  15. CWE-502 Deserialization of Untrusted Data: This vulnerability occurs when an application deserializes data without validation. Attackers can inject crafted objects to execute arbitrary code.

  16. CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'): This vulnerability allows attackers to inject commands into an application that is not designed to process them, potentially gaining full control of the affected system.

  17. CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: This vulnerability allows access to memory beyond the intended buffer boundaries. Attackers can read sensitive data or execute malicious code.

  18. CWE-798 Use of Hard-coded Credentials: This vulnerability occurs when credentials are embedded directly in source code or configuration files. Attackers can extract these credentials to gain unauthorized access to the system.

  19. CWE-918 Server-Side Request Forgery (SSRF): This vulnerability allows attackers to make the server send requests to internal or external systems that would normally be inaccessible to them. This can lead to data disclosure or further attacks.

  20. CWE-306 Missing Authentication for Critical Function: This vulnerability occurs when critical application functions are accessible without authentication. Attackers can access sensitive data or perform protected operations.

  21. CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'): This vulnerability occurs when concurrent access to shared resources is not properly synchronized. Attackers can exploit the time gap between check and use to cause unintended states.

  22. CWE-269 Improper Privilege Management: This vulnerability occurs when an application manages permissions incorrectly. Attackers can escalate privileges and gain access to sensitive data or functionality.

  23. CWE-94 Improper Control of Generation of Code ('Code Injection'): This vulnerability allows attackers to inject and execute arbitrary code within an application, potentially gaining full control of the affected system.

  24. CWE-863 Incorrect Authorization: This vulnerability occurs when a system implements authorization checks incorrectly. Users may be able to access resources they are not authorized to reach.

  25. CWE-276 Incorrect Default Permissions: This vulnerability occurs when default permissions are set too permissively. Unauthorized users may gain access to resources, or sensitive data may be inadvertently exposed.
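To make the contrast between a weakness and its fix concrete, here is an added Python example (not code from the original article or from MITRE) showing a vulnerable and a hardened version side by side for three of the listed weaknesses: CWE-22 (path traversal), CWE-89 (SQL injection) and CWE-79 (cross-site scripting). The upload root `/srv/app/uploads`, the `users` table and all inputs are constructed for illustration and need not exist on the machine running it.

```python
"""Vulnerable-versus-hardened sketches for three CWE Top 25 entries:
CWE-22 (path traversal), CWE-89 (SQL injection) and CWE-79 (XSS).
Added example; paths, table and inputs are constructed for illustration."""
import html
import sqlite3
from pathlib import Path

# Constructed upload root; the containment check works even if it is absent.
UPLOAD_ROOT = Path("/srv/app/uploads")


# --- CWE-22: Path Traversal --------------------------------------------------
def open_path_vulnerable(user_path: str) -> Path:
    """Join and canonicalise, but never check containment: '../' segments
    or an absolute path walk straight out of UPLOAD_ROOT."""
    return (UPLOAD_ROOT / user_path).resolve()


def open_path_safe(user_path: str, root: Path = UPLOAD_ROOT) -> Path:
    """Canonicalise first (follows symlinks and collapses '..'), then refuse
    any path whose canonical form is not the root or a descendant of it."""
    root_resolved = root.resolve()
    candidate = (root_resolved / user_path).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def is_allowed_path(user_path: str) -> bool:
    """Boolean wrapper around open_path_safe for callers that just need yes/no."""
    try:
        open_path_safe(user_path)
        return True
    except ValueError:
        return False


# --- CWE-89: SQL Injection ---------------------------------------------------
def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Query assembled by string formatting: the input becomes part of the SQL."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver passes the value separately from the SQL,
    so quote characters in the input can never change the query's structure."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def rows_matched(query_fn, name: str) -> int:
    """Run one of the two lookups against a fresh database and count the rows."""
    return len(query_fn(make_db(), name))


# --- CWE-79: Cross-site Scripting --------------------------------------------
def greeting_vulnerable(name: str) -> str:
    """User input interpolated into HTML verbatim."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Escape for the HTML text/attribute context at the point of output."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    print("CWE-22 allowed:", is_allowed_path("reports/q1.txt"))
    print("CWE-22 blocked:", not is_allowed_path("../../etc/passwd"))
    print("CWE-89 rows (safe, tautology input):", rows_matched(find_user_safe, "' OR '1'='1"))
    print("CWE-79 escaped:", greeting_safe("<script>"))
```

The path check canonicalises with `Path.resolve()` before comparing, because a lexical check on the raw string misses symlinks and mixed `..` sequences; note that it must be applied to the canonical form, never to the user-supplied string. For SQL, the fix is structural (parameters), not escaping. For XSS, `html.escape` is correct only for the HTML text and quoted-attribute contexts; output landing inside a script block, a URL or a style attribute needs that context's own encoding, which is why template engines with automatic context-aware escaping are the usual recommendation.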

Conclusion

The CWE Top 25 Most Dangerous Software Weaknesses 2023 is an essential resource for developers and security researchers. Updated annually, the list provides detailed descriptions and practical examples for each weakness, helping teams build more secure and robust software products.