April 28, 2010

WASC WSTCv2 Mapping Proposal

Dmitriy Evteev
While putting the finishing touches on the web application vulnerability statistics for 2009 (whose publication has dragged on somewhat this year), I unexpectedly discovered that there is no mapping of WASC WSTCv2 vulnerability names to the SANS/CWE Top 25 2010. Since no such mapping exists on the official resource [1], I am proposing my own version.

| Rank | Score | CWE ID  | CWE/SANS Name                                                                                  | WASC Name                              | WASC ID |
|------|-------|---------|------------------------------------------------------------------------------------------------|----------------------------------------|---------|
| 1    | 346   | CWE-79  | Failure to Preserve Web Page Structure ('Cross-site Scripting')                                | Cross-Site Scripting                   | WASC-08 |
| 2    | 330   | CWE-89  | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')             | SQL Injection                          | WASC-19 |
| 3    | 273   | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')                         | Buffer Overflow                        | WASC-07 |
| 4    | 261   | CWE-352 | Cross-Site Request Forgery (CSRF)                                                              | Cross-site Request Forgery             | WASC-09 |
| 5    | 219   | CWE-285 | Improper Access Control (Authorization)                                                        | Insufficient Authorization             | WASC-02 |
| 6    | 202   | CWE-807 | Reliance on Untrusted Inputs in a Security Decision                                            | Insufficient Authorization             | WASC-02 |
| 7    | 197   | CWE-22  | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')                 | Path Traversal                         | WASC-33 |
| 8    | 194   | CWE-434 | Unrestricted Upload of File with Dangerous Type                                                |                                        |         |
| 9    | 188   | CWE-78  | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')       | OS Commanding                          | WASC-31 |
| 10   | 188   | CWE-311 | Missing Encryption of Sensitive Data                                                           | Insufficient Transport Layer Protection | WASC-04 |
| 11   | 176   | CWE-798 | Use of Hard-coded Credentials                                                                  |                                        |         |
| 12   | 158   | CWE-805 | Buffer Access with Incorrect Length Value                                                      | Buffer Overflow                        | WASC-07 |
| 13   | 157   | CWE-98  | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | Path Traversal                       | WASC-33 |
| 14   | 156   | CWE-129 | Improper Validation of Array Index                                                             |                                        |         |
| 15   | 155   | CWE-754 | Improper Check for Unusual or Exceptional Conditions                                           |                                        |         |
| 16   | 154   | CWE-209 | Information Exposure Through an Error Message                                                  | Information Leakage                    | WASC-13 |
| 17   | 154   | CWE-190 | Integer Overflow or Wraparound                                                                 | Integer Overflows                      | WASC-03 |
| 18   | 153   | CWE-131 | Incorrect Calculation of Buffer Size                                                           | Buffer Overflow                        | WASC-07 |
| 19   | 147   | CWE-306 | Missing Authentication for Critical Function                                                   | Insufficient Authentication            | WASC-01 |
| 20   | 146   | CWE-494 | Download of Code Without Integrity Check                                                       | Remote File Inclusion                  | WASC-05 |
| 21   | 145   | CWE-732 | Incorrect Permission Assignment for Critical Resource                                          | Improper Filesystem Permissions        | WASC-17 |
| 22   | 145   | CWE-770 | Allocation of Resources Without Limits or Throttling                                           | Denial of Service                      | WASC-10 |
| 23   | 142   | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect')                                            | URL Redirector Abuse                   | WASC-38 |
| 24   | 141   | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm                                               | Credential/Session Prediction          | WASC-18 |
| 25   | 138   | CWE-362 | Race Condition                                                                                 | Insufficient Process Validation        | WASC-40 |

Entries with an empty WASC column (ranks 8, 11, 14 and 15) have no corresponding WASC WSTCv2 class in this proposal.