Most Dangerous Software Weaknesses list (CWE Top 25)
- 2022 Common Weakness Enumeration – CWE Top 25 Most Dangerous Software Weaknesses list (CWE Top 25). This list identifies the software weaknesses that are currently the most common and impactful. Often easy to find and exploit, these weaknesses can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working. Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs). To create the list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE Record, including a focus on CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. A formula was applied to the data to score each weakness based on prevalence and severity. The dataset analysed to calculate the 2022 Top 25 contained a total of 37,899 CVE Records from the previous two calendar years.
List of the weaknesses in the 2022 CWE Top 25
- CWE-787 Out-of-bounds Write
- CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- CWE-20 Improper Input Validation
- CWE-125 Out-of-bounds Read
- CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CWE-416 Use After Free
- CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- CWE-352 Cross-Site Request Forgery (CSRF)
- CWE-434 Unrestricted Upload of File with Dangerous Type
- CWE-476 NULL Pointer Dereference
- CWE-502 Deserialization of Untrusted Data
- CWE-190 Integer Overflow or Wraparound
- CWE-287 Improper Authentication
- CWE-798 Use of Hard-coded Credentials
- CWE-862 Missing Authorization
- CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
- CWE-306 Missing Authentication for Critical Function
- CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-276 Incorrect Default Permissions
- CWE-918 Server-Side Request Forgery (SSRF)
- CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
- CWE-400 Uncontrolled Resource Consumption
- CWE-611 Improper Restriction of XML External Entity Reference
- CWE-94 Improper Control of Generation of Code (‘Code Injection’)
The 2022 CWE Top 25 Methodology
- The 2022 CWE Top 25 was developed by obtaining and analysing public vulnerability data from the NVD. For the 2022 list, data was also used from the Known Exploited Vulnerabilities (KEV) Catalog, established in accordance with “Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities” by CISA in November 2021. The KEV is an authoritative source of vulnerabilities that are known to have been exploited in the wild.
- This year’s analysis saw a mixture of Class-level and Base-level weaknesses shift up and down within the Top 25. This is expected, because some of these Classes are generally well known and have easily identifiable keywords, such as ‘race conditions’, ‘command injections’, etc. The CWE Program’s goal remains to iteratively provide more specificity through Base-level weakness types in the Top 25, and each year’s list moves closer to that goal. The Program expects this trend to benefit users attempting to understand and address the issues that threaten today’s systems at a more operational level, as Base-level weaknesses are more informative and more conducive to practical mitigation than higher, Class-level weaknesses.
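The methodology above says each weakness was scored on prevalence and severity over the CVE Records, but the page does not show the arithmetic. The following is an added example, not code from the CWE Program or from this page: it implements the published CWE Top 25 scoring, Score = Fr × Sv × 100, where Fr is the min-max normalized count of records mapped to a CWE and Sv is the min-max normalized average CVSS of those records, and it also counts how many of each weakness’s records carry a KEV flag. The CVE identifiers, CVSS scores and KEV flags in `SAMPLE_RECORDS` are constructed placeholders, and the zero-spread fallback in `_normalize` is an assumption of this example, not part of the published formula.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str   # constructed placeholder id, not a real CVE Record
    cwe_id: str   # weakness the record is mapped to
    cvss: float   # CVSS base score, 0.0 to 10.0
    in_kev: bool  # constructed flag: listed in the CISA KEV Catalog


# Constructed sample dataset; none of these ids or scores are real.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "CWE-787", 9.8, True),
    CveRecord("CVE-0000-0002", "CWE-787", 8.8, True),
    CveRecord("CVE-0000-0003", "CWE-787", 7.5, False),
    CveRecord("CVE-0000-0004", "CWE-79", 6.1, False),
    CveRecord("CVE-0000-0005", "CWE-79", 5.4, False),
    CveRecord("CVE-0000-0006", "CWE-79", 6.1, False),
    CveRecord("CVE-0000-0007", "CWE-79", 4.3, False),
    CveRecord("CVE-0000-0008", "CWE-89", 9.8, True),
    CveRecord("CVE-0000-0009", "CWE-89", 8.8, False),
    CveRecord("CVE-0000-0010", "CWE-476", 5.5, False),
]


def aggregate(records):
    """Per CWE: (count of mapped records, mean CVSS, count of KEV records)."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    kev = defaultdict(int)
    for r in records:
        if not 0.0 <= r.cvss <= 10.0:
            raise ValueError(f"{r.cve_id}: CVSS {r.cvss} out of range")
        counts[r.cwe_id] += 1
        cvss_sum[r.cwe_id] += r.cvss
        kev[r.cwe_id] += int(r.in_kev)
    return {cwe: (counts[cwe], cvss_sum[cwe] / counts[cwe], kev[cwe])
            for cwe in counts}


def _normalize(value, lo, hi):
    # Min-max normalization across all CWEs in the dataset. If every CWE has
    # the same value the spread is zero; this example then uses 1.0 so the
    # other factor still decides the score (an assumption, not the published rule).
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(records):
    """Return {cwe: score} with Score = Fr * Sv * 100, rounded to 2 places."""
    stats = aggregate(records)
    freqs = [count for count, _, _ in stats.values()]
    sevs = [mean for _, mean, _ in stats.values()]
    fmin, fmax, smin, smax = min(freqs), max(freqs), min(sevs), max(sevs)
    scores = {}
    for cwe, (count, mean_cvss, _) in stats.items():
        fr = _normalize(count, fmin, fmax)       # normalized prevalence
        sv = _normalize(mean_cvss, smin, smax)   # normalized severity
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def ranked(records):
    """List of (rank, cwe, score, kev_count) in descending score order."""
    stats = aggregate(records)
    scores = score_weaknesses(records)
    order = sorted(scores, key=lambda cwe: (-scores[cwe], cwe))
    return [(i + 1, cwe, scores[cwe], stats[cwe][2])
            for i, cwe in enumerate(order)]


if __name__ == "__main__":
    for rank, cwe, score, kev_count in ranked(SAMPLE_RECORDS):
        print(f"{rank:>2}. {cwe:<8} score={score:>6}  KEV records={kev_count}")
```

On this sample the out-of-bounds write weakness ranks first (three records, high mean CVSS, two in KEV) and SQL injection second. Note the behaviour of min-max normalization: the weakness with the lowest mean CVSS and the one with the lowest count each get a factor of 0 and therefore a score of 0, which is why the cross-site scripting entry scores 0 here despite being the most frequent. With 37,899 records spread across many CWEs that floor affects only the tail of the ranking, but it is worth knowing when reading the published scores.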
Before undertaking TOP 25 Penetration Testing, let’s first understand what penetration testing is.
A penetration test is a method of evaluating a computer system or network to identify vulnerabilities that a malicious attacker could exploit. Security experts carry out penetration testing to identify vulnerabilities in the target software or system. Penetration testing is an integral part of a more extensive information security process to ensure proper risk management, compliance, and systems administration. A penetration test is an excellent way to determine the extent of the damage a hacker can cause. Penetration testing can be done at any point in time to find vulnerabilities in the system.
TOP 25 Penetration Testing is a specialized type of security testing that focuses on the attack vectors and vulnerabilities listed in the SANS Top 25. An organization’s security landscape is complex, so it is essential to test the organization’s security measures to confirm that they are working correctly; penetration testing focused on these weaknesses is one way to do that.