The Common Weakness Enumeration (CWE) team has released its 2020 “Top 25 Most Dangerous Software Weaknesses” list, which ranked improper neutralization of input during web page generation, better known as cross-site scripting (XSS), and out-of-bounds write as the two most dangerous weaknesses.
With cross-site scripting, the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page and served to other users. Once the malicious script is injected, the attacker can perform a variety of malicious activities in the victim's browser, in the context of the vulnerable site.
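To make the "neutralization" wording concrete, here is an added example (not code from the CWE report or from this article) in C, in the style of a small CGI-type page generator: the same template rendered once with user input dropped in as-is and once after an HTML-escaping step. The function names, the template and the constructed payload string are all assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: user-controlled input is concatenated straight into
 * the page, so any markup in it becomes part of the served document. */
char *render_unescaped(const char *name) {
    const char *pre = "<p>Hello, ", *post = "!</p>";
    size_t n = strlen(pre) + strlen(name) + strlen(post) + 1;
    char *out = malloc(n);
    if (!out) return NULL;
    snprintf(out, n, "%s%s%s", pre, name, post);
    return out;
}

/* Neutralization step: replace the five characters that can change HTML
 * structure or break out of an attribute with entity references. */
char *html_escape(const char *s) {
    size_t n = 1;
    for (const char *p = s; *p; p++) n += 6;   /* worst case: "&quot;" / "&#x27;" */
    char *out = malloc(n), *o = out;
    if (!out) return NULL;
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#x27;"; break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(o, rep, l); o += l; }
        else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Hardened pattern: same template, but the input is escaped for the HTML
 * text context it lands in before it touches the output. */
char *render_escaped(const char *name) {
    char *safe = html_escape(name);
    if (!safe) return NULL;
    char *page = render_unescaped(safe);
    free(safe);
    return page;
}

int main(void) {
    /* Constructed attacker input, as it might arrive in a query parameter. */
    const char *payload = "<script>alert(document.cookie)</script>";
    char *bad = render_unescaped(payload), *good = render_escaped(payload);
    printf("unescaped: %s\n", bad);   /* script tag survives, browser runs it */
    printf("escaped:   %s\n", good);  /* rendered as literal text */
    free(bad);
    free(good);
    return 0;
}
```

The escaping shown is only correct for HTML text and double-quoted attribute values; input placed into a JavaScript block, a URL or a CSS property needs the encoding for that context, which is why real templating engines select the encoder per output location rather than applying one escape function everywhere.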
In an out-of-bounds write, the software writes data past the end, or before the beginning, of the intended buffer, which can result in data corruption, a crash, or code execution.
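An added example, not taken from the CWE report or this article, of what that looks like in C: an unbounded copy into a fixed-size field next to a security-relevant flag, beside a bounded version that refuses input that would not fit. The struct layout, function names and the constructed 19-byte input are assumptions for illustration; the demonstration assumes the usual layout of a 16-byte array followed by a 4-byte int with no padding.

```c
#include <stdio.h>
#include <string.h>

/* Assumed record layout: a bounded text field directly followed by a flag.
 * On common ABIs this is 20 bytes with is_admin at offset 16 (assumption). */
struct session {
    char name[16];
    int  is_admin;
};

/* Vulnerable (CWE-787 pattern): copies until the terminator with no regard
 * for the size of name[], so bytes 16 onward land in is_admin and beyond.
 * Returns the number of bytes written, terminator included. */
size_t set_name_unchecked(struct session *s, const char *src) {
    size_t i = 0;
    while (src[i] != '\0') {     /* no bound check here */
        s->name[i] = src[i];
        i++;
    }
    s->name[i] = '\0';
    return i + 1;
}

/* Hardened: rejects anything that would not fit together with its NUL.
 * Returns 0 on success, -1 if the input is too long (record untouched). */
int set_name_checked(struct session *s, const char *src) {
    size_t len = strlen(src);
    if (len >= sizeof s->name) return -1;   /* >= keeps room for the NUL */
    memcpy(s->name, src, len + 1);
    return 0;
}

int main(void) {
    struct session s = { "guest", 0 };
    /* Constructed input: 16 'A's fill name[], "adm" overwrites the first
     * three bytes of is_admin, and the NUL lands on its fourth byte. */
    const char *attack = "AAAAAAAAAAAAAAAAadm";

    if (set_name_checked(&s, attack) < 0)
        printf("checked copy: rejected %zu-byte name, is_admin=%d\n",
               strlen(attack), s.is_admin);

    set_name_unchecked(&s, attack);   /* out-of-bounds write into is_admin */
    printf("unchecked copy: is_admin=%d (was 0 before the copy)\n", s.is_admin);
    return 0;
}
```

The flipped flag is the mild outcome; the same write aimed at a saved return address or a heap metadata field is how out-of-bounds writes turn into the code execution the report mentions. Note that the fix is the length check against `sizeof s->name`, not a switch to `strncpy`, which silently drops the terminator when the input is exactly the buffer size.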
“These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working,” CWE wrote in a post that contains the whole list.
Improper input validation, out-of-bounds read, and improper restriction of operations within the bounds of a memory buffer followed in 3rd through 5th place.
The biggest change since last year was that CWE moved more specific weaknesses up the list and abstract class-level weaknesses down, saying that this will greatly benefit users who are trying to understand the actual issues that threaten today’s systems.
The biggest shifts in the list involved four weaknesses related to authentication and authorization, among them insufficiently protected credentials, which moved from number 27 to 18; missing authentication for critical function, which moved from 36 to 24; and missing authorization, which moved from 34 to 25.
“One theory about this movement is that the community has improved its education, tooling, and analysis capabilities related to some of the more implementation specific weaknesses identified in previous editions of the CWE Top 25 and have reduced the occurrence of those, thus lowering their ranking, and in turn raising the ranking of these more difficult weaknesses,” CWE stated.
Data on the vulnerabilities was drawn from the National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST), and each weakness was scored on prevalence (how many CVE records map to it) and severity (the Common Vulnerability Scoring System, or CVSS, scores of those records).