• Gabriela Marcos

SANS Top 20 Vulnerabilities in Software Applications

SANS is not just simply an ordinary dictionary word, it rather stands for SysAdmin, Audit, Network, and Security. Further in this post, we will talk about the SANS top 20 security weaknesses that can be found in software programs and what can be done to mitigate them.


SANS Impact on the cybersecurity community

The SANS Institute was established as a research and education organization, and its various security programs are very comprehensive and are having a positive impact on over 165 thousand security professionals worldwide. It’s safe to say that this amount of coverage coming from SANS, plus the positive reviews they get, makes them the most trusted and the largest organization for Info Security training and various security certifications in the world.


In this post, we will focus on the SANS top 20 errors that could make your software vulnerable to cyber-attacks and some of the security controls that you can apply to mitigate against these errors. Before discussing each of the top 20 vulnerabilities:


  1. CWE-119 — Memory Buffer Error

  2. CWE-79 — Cross-site Scripting

  3. CWE-20 — Unvalidated Input Error

  4. CWE-200 — Sensitive Information Exposure Error

  5. CWE-125 — Out-of-Bounds Read Error

  6. CWE-89 — SQL Injection

  7. CWE-416 — Free Memory Error

  8. CWE-190 — Integer Overflow Error

  9. CWE-352 — Cross-Site Request Forgery

  10. CWE-22 — Directory Traversal

  11. CWE-78 — OS Command Injection

  12. CWE-787 — Out-of-Bounds Write Error

  13. CWE-287 — Improper Authentication Error

  14. CWE-476 — Dereferencing NULL Pointer

  15. CWE-732 — Incorrect Permission Assignment

  16. CWE-434 — Unrestricted File Upload

  17. CWE-611 — Information Exposure through XML Entities

  18. CWE-94 — Code Injection

  19. CWE-798 — Hard-coded Access Key

  20. CWE-400 — Uncontrolled Resource Consumption


*CWE means “Common Weakness Enumeration”, a list accepted by the community of hardware and software vulnerabilities with identification code assigned for each weakness. The goal is to identify vulnerabilities and flaws in software and hardware to be able to mitigate and fix them.


1. CWE-119 — Memory Buffer Error


This flaw is commonly introduced during the Architecture and Design, Implementation, and Operation stages of the SDLC. This buffer happens when an application process strains to store more data than it can hold in its memory. Since the buffers can only store a certain level of data and when that level is reached and exceeded, the data flows to another memory location which can corrupt the data that’s already contained in that buffer.


This incident sometimes happens unintentionally through some error in programming, but the aftereffect could be disastrous as it can steal confidential information, erase data and even the whole application could crash because of the buffer overflow.


2. CWE-79 — Cross-site Scripting


Also known as XSS, is an injection attack that commonly happens when a malicious actor or a hacker injects harmful or malicious script into a web application that can be executed through the web browsers. Once this script finds its way into the endangered system, it can be used for different malignant activities.


Some malicious activities can be in the form of transferring private information like stored cookies from the victim’s computer to the attacker's computer.


Some Cross-Site Scripting occurs when:

  • Un-trusted and unvalidated data are inputted into a web application through its form request.

  • The web application outputs a web page that contains this malicious data instantly.

  • The software fails to validate against the data during the process of generating a page, which houses the content that can be executed by a web browser, like JavaScript, or HTML.

  • The victim unknowingly visits the page generated through a web browser that houses the malicious script that was injected through the use of untrusted data.

3. CWE-20 — Unvalidated Input Error


The application receives the input but fails to validate it, even if it has all the necessary details needed for it to be accepted into the system for processing.


Input sanitization can be used to check for any possibly dangerous inputs to make sure that the inputs are safe to be processed with the source code, or if it’s an input that is needed to communicate with other factors.

When such inputs are not properly validated or sanitized, then this will make way for an attacker to send malicious input that will be processed by the main application, this will lead to changes in the control flow, arbitrary code execution, or arbitrary control of a resource.


4. CWE-200 — Sensitive Information Exposure Error


This happens when the application both knowingly and unknowingly exposes information that is sensitive and confidential to an attacker who does not have the authorization to access this information. There are different errors that lead to the information being exposed to an attacker. The severity of this error varies depending on the context in which the application operates, the type of sensitive information that is revealed, and what the hacker can gain from the exposed information.


Some information that could be exposed:

  • Personal information (like financial data, personal messages, health status records, geographic location, contact details, etc).

  • System configuration details and environment, like the operating system and installed packages..

  • Intellectual property and business record.

  • Network configuration details.

  • Internal application state

  • Metadata like the message headers.


If errors are not properly handled during the development (when the application displays the error message) it could display your information to the public which an attacker may be able to use for malicious purposes.


5. CWE-125 — Out-of-bounds Read Error


This commonly occurs when the application reads data past the normal level, either before the beginning or to the end of the buffer. This gives unprivileged access to the attacker to read sensitive data from not all memory locations, which can lead to an application or system crash as well.


A crash will surely happen when the code interprets the data and thinks there is an indicator that stops the reading operation like a NULL applied to a string.


6. CWE-89 — SQL Injection


This is a form of security vulnerability by which the attacker can inject a Structured Query Language (SQL) code to the Webform input box in order to gain access to assets or even change the data that is not authorized to access.


This vulnerability can be introduced to the application during the implementation, design, and operation stages. This SQL query is to make an unauthorized request to the database for information, and when a user enters their name and password into the text box, these values are inserted into a query. If the values inputted are correct, the user is granted access to the application or request, but if the values are not correct, the access will be denied.


Some Web forms today don’t have mechanisms in place to block malicious input, and attackers can use the input boxes to send malicious requests to the database. The single request can grant the attacker access to the entire database containing sensitive information.


7. CWE-416 — Previously Freed Money


This concern is caused by the referencing of memory after it has been released, which can lead to a serious program crash. When you use a formerly freed memory, this can have adverse consequences, like corrupting valid data, arbitrary code execution which is dependent on the timing of the flag.


Two common causes to this issue are:

  • Error circumstances within the software and in some other exceptional cases.

  • No explanation as to what part of the program caused the free memory.


8. CWE-190 — Integer Overflow Error


When an application processes a calculation and there is a logical assumption that the resulting value will be greater than the exact value, then integer overflow happens. In this case, an integer value increases to one that cannot be stored in a location.


When this happens, the value will mostly wrap to become a very small or negative value. If the wrapping is expected, then it’s fine, but it can bring security consequences if it’s unexpected. In these conditions, it could be critical as the result is used to manage looping, security decisions, used to allocate memory, and many more.


This is a weakness that will typically lead to erratic behavior and can lead to crashes. If the value is important to the data rather than a flow, simple data corruption could occur. But if the wrap-around leads to further conditions like buffer overflows, which can be used to implement erratic code by a hacker. The integer overflow is commonly introduced to the system during the design and implementation stages of the SDLC.


9. CWE-352 — Cross-Site Request Forgery


This is what happens when a web application does not adequately verify the request of the HTTP, whether the request was really from the right user or not. The servers of the web are designed to accept all requests and to give them a response.


Let’s guess a client sends several HTTP requests in one or several sessions, this makes it difficult for the webserver to know whether all those requests were authentic or fake, and it’s usually processed. An attacker may have its way of forcing a client to visit a specially crafted webpage and be able to perform some requests like changing their email address, fund transfer, and many more.


As soon as an attacker has access, they will be able to steal and even destroy data. They can always maintain access and when they are done they can compromise the audit log to prevent any future polemics that could expose their exploit.


10. CWE-22 — Directory Traversal


File path traversal or directory traversal is a security vulnerability of the web that allows an attacker to read inconsistent files on the server that is currently running the application. These files could be the code for an application, operating system files, and credentials for back-end systems. In some scenarios, an attacker might be able to write these arbitrary files on the server which could allow them to modify application data or behavior, which would give them total control over the server.


11. CWE-78 — OS Command Injection


This is about the improper sanitization of special elements that may lead to modifying the intended OS command sent to a downstream application. An attacker can execute these malicious commands on a target operating system and can enter an environment to which they were not supposed to read or modify.


This would constantly allow an attacker to execute dangerous commands straight into the operating system. Whenever this vulnerability happens in a powerful program, it allows the attacker to use commands that are allowed in the environment or to call other commands with privileges that the attacker doesn’t have, which could increase the amount of damage that could occur.


12. CWE-787 — Out-of-bounds Write Error


This happens when the application writes data before the beginning, or after the end of the designated buffer. When this happens, the end result is a common system or application crashes, and data corruption. What the application does is some sort of pointer calculation that is used in associating a memory location outside the buffer boundaries.


13. CWE-287 — Improper Authentication Error


When an attacker claims to have a valid identity, the software fails to verify or prove that the claim is correct.


The software validates a user’s login credentials wrongly and as a result, an attacker could gain certain privileges within the application or disclose sensitive information that allows them to access even more sensitive data and execute arbitrary code.


14. CWE-476 — Dereferencing a NULL pointer


This happens when the application dereferences a pointer that was supposed to return a valid result instead returns NULL and this leads to a crash. Dereferencing a NULL pointer can happen through many defects like race conditions and some programming errors.


The processes performed with the help of the NULL pointer usually lead to failure, and the possibility of carrying out the process is very slim. This allows attackers to execute malicious code.


15. CWE-732 — Incorrect Permission Assignment

This weakness happens when an application assigns permissions to a critical and important resource in such a way that exposes the resource to be accessed by a malicious user.


When plenty of people have permission to access a resource, this could lead to sensitive information being leaked or modified by an attacker. If there are no checks in place against this kind of access to permission assignment to resources, it can lead to a disastrous end if the configuration of a program or some sensitive data get into the wrong hands.


16. CWE-434 — Unrestricted File Upload


This susceptibility occurs when the application doesn’t validate the file types before uploading them to the application. This is language-independent but usually occurs in applications written in ASP and PHP language.


There are dangerous types of files that can be automatically processed within the application environment.


17. CWE-611 — Information Exposure Through XML Entities


When an XML document is uploaded into an application to process, it contains XML entities with a uniform resource identifier that will resolve to another document in another location different from the intended location. This deviation can make the application attach documents into the incorrect output.


The XML documents sometimes contain a DTD (Document Type Definition), which is used to define the XML entities and other features. Through the DTD, the uniform resource identifier serves as a form of substitution string. The XML parser will access what is contained in the uniform resource identifier and input these contents back into the XML document for execution.


18. CWE-94 — Code Injection


The existence of code syntax in the data of the user increases the attacker’s possibility to change the planned control behavior and execute arbitrary code. This vulnerability is called “injection weaknesses” and this weakness could make a data control become user-controlled.


This susceptibility depicts a scenario where software allows untrusted data into the code and does not complete validation of special characters which can negatively affect both the behavior of the code and the syntax. In short, an attacker would be able to inject some sort of arbitrary code and execute them in the application.


19. CWE-798 — Hard-Coded Access Key


When the access key and the password are hardcoded directly into the application for inbound authentication purposes and outbound communication to some external components and for encryption of internal data. Hard-coded login details usually cause vulnerability that makes way for an attacker to bypass the authentication that has been configured by the software administrator.


The system administrator administration will always find it very difficult to identify this vulnerability and fix it.


There are two main streams to this weakness:

  1. Inbound: The application consists of an authentication system that validates the input credentials against the hard-coded details.

  2. Outbound: The application connects to another system, the details for connecting to this other system are hard-coded into the system.

The hard-coded details are usually the same thing across every installation of the application, and this cannot be disabled or changed by anyone, even the system administrators don’t have the right unless they manually modify the application. If the password is ever leaked to the public, then an attacker can have access to the full application and can manipulate it for their own gain.


Since all installations of the application have the same password, even when installed in separate organizations, this can cause very massive attacks across all boundaries of the organization.


20. CWE-400 — Uncontrolled Resource Consumption


This happens when the application doesn’t control quota properly and maintenance of a limited resource, this allows an attacker to be able to influence the number of assets consumed, which can eventually lead to the exhaustion of the available assets. The limited resources include memory, database connection pool entries, CPU, and file system storage.


Assuming an attacker can trigger the quota of the limited resources and the size or the number of the resources is not controlled, then they could cause chaos through denial of service that can consume all available resources.


When this happens, it would prevent valid users from accessing the application, which can definitely have a negative impact on the environment. For example, when the application memory goes through an exhaustion attack, this could slow down the entire application as well as the host operating the system.


There are three instances that can lead to resource exhaustion, these are:

  • Shortage of suffocating for the number of allocated resources.

  • Losing out all the references to a source before reaching the shutdown stage.

  • Failure to return/close a resource after processing.

Resource exhaustion is commonly a result of incorrect implementation of these scenarios:

  • Error conditions and other exceptional circumstances.

  • There are mixed reactions over which part of the program releases the source.