CWE TOP 25

Summary

The Common Weakness Enumeration Top 25 (CWE Top 25) is a demonstrative list and a valuable community resource of the most common and impactful software weaknesses observed over the previous two calendar years. It gives developers, testers and users insight into the most severe current security weaknesses. The version used in this section is CWE Top 25 2023.

Definitions

Each definition below is a CWE Top 25 entry (CWE number and name), followed by the requirements that address it.

Definition / Requirements

787. Out-of-bounds write
    157. Use the strict mode
    345. Establish protections against overflows

79. Improper neutralization of input during web page generation (cross-site scripting)
    029. Cookies with security attributes
    160. Encode system outputs
    173. Discard unsafe inputs

89. Improper neutralization of special elements used in an SQL command (SQL injection)
    029. Cookies with security attributes
    157. Use the strict mode
    169. Use parameterized queries
    173. Discard unsafe inputs

416. Use after free
    157. Use the strict mode
    158. Use a secure programming language
    266. Disable insecure functionalities

78. Improper neutralization of special elements used in an OS command (OS command injection)
    158. Use a secure programming language
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    266. Disable insecure functionalities
    342. Validate request parameters

20. Improper input validation
    164. Use optimized structures
    173. Discard unsafe inputs
    342. Validate request parameters

125. Out-of-bounds read
    157. Use the strict mode
    158. Use a secure programming language
    345. Establish protections against overflows

22. Improper limitation of a pathname to a restricted directory (path traversal)
    173. Discard unsafe inputs
    280. Restrict service root directory
    320. Avoid client-side control enforcement
    342. Validate request parameters
    381. Use of absolute paths

352. Cross-site request forgery (CSRF)
    029. Cookies with security attributes
    174. Transactions without a distinguishable pattern
    349. Include HTTP security headers

434. Unrestricted upload of file with dangerous type
    039. Define maximum file size
    040. Compare file format and extension
    041. Scan files for malicious code

862. Missing authorization
    034. Manage user accounts
    035. Manage privilege modifications
    095. Define users with privileges
    096. Set user's required privileges
    341. Use the principle of deny by default

476. NULL pointer dereference
    161. Define secure default options
    266. Disable insecure functionalities
    345. Establish protections against overflows
    359. Avoid using generic exceptions
    366. Associate type to variables
    381. Use of absolute paths

287. Improper authentication
    030. Avoid object reutilization
    114. Deny access with inactive credentials
    122. Validate credential ownership
    130. Limit password lifespan
    138. Define lifespan for temporary passwords
    140. Define OTP lifespan
    153. Out of band transactions
    227. Display access notification
    229. Request access credentials
    232. Require equipment identity
    237. Ascertain human interaction
    264. Request authentication
    319. Make authentication options equally secure
    335. Define out of band token lifespan
    347. Invalidate previous OTPs
    362. Assign MFA mechanisms to a single account

190. Integer overflow or wraparound
    345. Establish protections against overflows

502. Deserialization of untrusted data
    229. Request access credentials
    321. Avoid deserializing untrusted data

77. Improper neutralization of special elements used in a command (command injection)
    172. Encrypt connection strings
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    344. Avoid dynamic code execution

119. Improper restriction of operations within the bounds of a memory buffer
    157. Use the strict mode
    158. Use a secure programming language
    164. Use optimized structures
    266. Disable insecure functionalities
    345. Establish protections against overflows

798. Use of hard-coded credentials
    126. Set a password regeneration mechanism
    127. Store hashed passwords
    134. Store passwords with salt
    145. Protect system cryptographic keys
    146. Remove cryptographic keys from RAM
    181. Transmit data using secure protocols
    185. Encrypt sensitive information
    206. Configure communication protocols
    224. Use secure cryptographic mechanisms
    264. Request authentication
    321. Avoid deserializing untrusted data
    351. Assign unique keys to each device

918. Server-side request forgery (SSRF)
    173. Discard unsafe inputs
    324. Control redirects
    348. Use consistent encoding

306. Missing authentication for critical function
    229. Request access credentials
    264. Request authentication
    265. Restrict access to critical processes
    328. Request MFA for critical systems
    362. Assign MFA mechanisms to a single account

362. Concurrent execution using shared resource with improper synchronization (race condition)
    037. Parameters without sensitive data
    264. Request authentication
    337. Make critical logic flows thread safe

269. Improper privilege management
    033. Restrict administrative access
    095. Define users with privileges
    096. Set user's required privileges
    176. Restrict system objects
    228. Authenticate using standard protocols

94. Improper control of generation of code (code injection)
    050. Control calls to interpreted code
    155. Application free of malicious code
    159. Obfuscate code
    164. Use optimized structures
    173. Discard unsafe inputs

863. Incorrect authorization
    033. Restrict administrative access
    095. Define users with privileges
    096. Set user's required privileges
    176. Restrict system objects
    228. Authenticate using standard protocols

276. Incorrect default permissions
    142. Change system default credentials
    161. Define secure default options