Cross-site scripting tops the list

Feb 17, 2010 15:19 GMT
Cross-site scripting and SQL injection among the most dangerous programming errors

A group of renowned security researchers led by the MITRE Corporation, also including the National Cyber Security Division (US Department of Homeland Security) and the SANS Institute, have updated their one-year-old findings, and republished the list of the top 25 most dangerous programming errors.

The list is broken down into three major categories as follows: Insecure interaction between components, Risky resource management and Porous Defenses. The entire list of programming errors is comprised of:

1. Failure to Preserve Web Page Structure ('Cross-site Scripting')
2. Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4. Cross-Site Request Forgery (CSRF)
5. Improper Access Control (Authorization)
6. Reliance on Untrusted Inputs in a Security Decision
7. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8. Unrestricted Upload of File with Dangerous Type
9. Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10. Missing Encryption of Sensitive Data
11. Use of Hard-coded Credentials
12. Buffer Access with Incorrect Length Value
13. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
14. Improper Validation of Array Index
15. Improper Check for Unusual or Exceptional Conditions
16. Information Exposure Through an Error Message
17. Integer Overflow or Wraparound
18. Incorrect Calculation of Buffer Size
19. Missing Authentication for Critical Function
20. Download of Code Without Integrity Check
21. Incorrect Permission Assignment for Critical Resource
22. Allocation of Resources Without Limits or Throttling
23. URL Redirection to Untrusted Site ('Open Redirect')
24. Use of a Broken or Risky Cryptographic Algorithm
25. Race Condition

The list was voted on over a period of ten days by representatives of various organizations, with votes cast across a broad set of metrics, the most important being critical importance and widespread prevalence. To prevent any single organization from skewing the ranking toward one or more errors, only one vote per organization was allowed. The list of nominees was then sorted by the aggregate score each error received.

The authors did not stop at listing these errors: they went on record encouraging customers to insert specific security and anti-hacking protection clauses into future contracts, and provided a draft for those interested. The researchers' conclusions place the blame in equal part on developers and on IT educational institutions.

While few IT and programming courses genuinely cover product and code security, the main cause of the recently recorded hacks remains programmers' limited security knowledge. The MITRE report offers a remedy by encouraging customers to contractually require both employees and freelancers to fool-proof their code.

“As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,” says the MITRE report. “Use the Top 25 to help set minimum expectations for due care by software vendors. Consider using the Top 25 as part of contract language during the software acquisition process.”

The complete report, with technical details, code samples, detection methods, references and interpretation guidance can be found on the MITRE page or the SANS Institute page.