CWE: XSS and out-of-bounds write the most dangerous software weaknesses of 2020

The Common Weakness Enumeration (CWE) has released its 2020 “Top 25 Most Dangerous Software Weakness” report, which found that improper neutralization of input during web page generation, also known as cross-site scripting (XSS), and out-of-bounds write were the most dangerous weaknesses.

With cross-site scripting, software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page and served to other users. Once the malicious script is injected, the attacker can perform a variety of malicious activities.
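The neutralization step that CWE-79 describes as missing, shown as an added example in C (not code from the CWE report or the SD Times article): a page fragment built the weak way with the visitor's name spliced straight in, beside the hardened form that escapes the five HTML-significant characters first. The greeting template and the sample visitor name `<i>Mallory</i>` are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not code from the CWE report or the SD Times article.
 * CWE-79 is the failure to neutralize user-controlled text before it is
 * placed in an HTML page. html_escape() is that neutralization step: the
 * five characters that can change HTML structure are replaced by entities,
 * so a browser renders the text as data instead of interpreting it as markup.
 * Returns a malloc'd string the caller frees, or NULL on bad input / OOM. */
char *html_escape(const char *input) {
    if (input == NULL) return NULL;
    size_t in_len = strlen(input);
    /* Worst case: every byte becomes a 6-byte entity such as "&quot;". */
    if (in_len > (SIZE_MAX - 1) / 6) return NULL;
    char *out = malloc(in_len * 6 + 1);
    if (out == NULL) return NULL;
    size_t pos = 0;
    for (size_t i = 0; i < in_len; i++) {
        const char *rep = NULL;
        switch (input[i]) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#x27;"; break;
            default:   break;
        }
        if (rep != NULL) {
            size_t n = strlen(rep);
            memcpy(out + pos, rep, n);
            pos += n;
        } else {
            out[pos++] = input[i];
        }
    }
    out[pos] = '\0';
    return out;
}

/* Weak form: the visitor-supplied name is spliced straight into the page
 * fragment, so any markup it carries becomes part of the page's DOM. */
int render_greeting_unescaped(char *dst, size_t dstlen, const char *name) {
    int n = snprintf(dst, dstlen, "<p>Hello, %s</p>", name);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : n;
}

/* Hardened form: identical fragment, but the name is neutralized first. */
int render_greeting_escaped(char *dst, size_t dstlen, const char *name) {
    char *safe = html_escape(name);
    if (safe == NULL) return -1;
    int n = snprintf(dst, dstlen, "<p>Hello, %s</p>", safe);
    free(safe);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : n;
}

/* Check helper: render with or without escaping and compare to expected.
 * Returns 1 on a match, 0 otherwise (including render failure). */
int renders_to(int escaped, const char *name, const char *expected) {
    char page[256];
    int n = escaped ? render_greeting_escaped(page, sizeof page, name)
                    : render_greeting_unescaped(page, sizeof page, name);
    return n > 0 && strcmp(page, expected) == 0;
}

int main(void) {
    /* Constructed sample input: a visitor name that carries HTML tags. */
    const char *name = "<i>Mallory</i>";
    char page[256];
    render_greeting_unescaped(page, sizeof page, name);
    printf("unescaped: %s\n", page);   /* tags reach the page as markup */
    render_greeting_escaped(page, sizeof page, name);
    printf("escaped:   %s\n", page);   /* tags rendered as literal text */
    return 0;
}
```

Escaping at the point where text enters HTML is the fix CWE-79 calls for; the same input is harmless as data and only becomes a problem when it is emitted into a context (here an HTML text node) that interprets it. Attribute values and script contexts need their own, stricter encoders, which this helper does not attempt to cover.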

In the out-of-bounds write vulnerability, the software writes data past the end, or before the beginning, of the intended buffer, which can result in the corruption of data, a crash, or code execution.
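What "past the end of the intended buffer" looks like in memory, and the checks that stop it, as an added example in C (not code from the CWE report or the SD Times article). The `Record` and `Buf` layouts, the `admin_flag` neighbour field and the chunk sizes are constructed for the illustration; the unchecked writer is kept only for contrast and is never called with an out-of-range index.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the CWE report or the SD Times article.
 * Two constructed layouts in which an out-of-bounds write (CWE-787) would
 * land on a neighbouring field, beside the bounds checks that prevent it. */

#define SLOT_COUNT 8

typedef struct {
    int32_t slots[SLOT_COUNT];
    int32_t admin_flag;      /* laid out directly after the array */
} Record;

/* Weak form: caller-controlled index, no check. idx == SLOT_COUNT writes
 * one element past the end of the array, i.e. over admin_flag. Kept for
 * contrast only; nothing in this file calls it with an out-of-range index
 * (that would be undefined behaviour). */
void set_slot_unchecked(Record *r, size_t idx, int32_t value) {
    r->slots[idx] = value;
}

/* Hardened form: the index must lie in [0, SLOT_COUNT). Taking size_t
 * means a negative index from the caller shows up as a huge value and
 * fails the same comparison. */
int set_slot_checked(Record *r, size_t idx, int32_t value) {
    if (r == NULL || idx >= SLOT_COUNT) return -1;
    r->slots[idx] = value;
    return 0;
}

/* Append-only byte buffer with a fixed capacity. */
typedef struct {
    uint8_t data[32];
    size_t len;
} Buf;

/* Hardened append. The remaining-capacity test is written as
 * n > cap - len rather than len + n > cap: the latter can wrap around
 * for a huge n and pass the very check it was meant to enforce. */
int buf_append(Buf *b, const uint8_t *src, size_t n) {
    if (b == NULL || src == NULL) return -1;
    if (n > sizeof b->data - b->len) return -1;   /* would write past the end */
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Probe: attempt a slot write on a zeroed record.
 * 1 = accepted and stored, 0 = rejected with the neighbour intact,
 * -1 = neighbour corrupted (never expected from the checked writer). */
int probe_slot_write(size_t idx, int32_t value) {
    Record r;
    memset(&r, 0, sizeof r);
    int rc = set_slot_checked(&r, idx, value);
    if (r.admin_flag != 0) return -1;
    if (rc == 0) return r.slots[idx] == value ? 1 : -1;
    return 0;
}

/* Probe: append two chunks of the given sizes to an empty buffer.
 * Returns the final length, or -1 if either append was refused. The
 * source chunk is 64 bytes; memcpy is only reached when n <= 32, so a
 * huge n is rejected before any read of the source happens. */
long probe_append(size_t first, size_t second) {
    Buf b = { {0}, 0 };
    uint8_t chunk[64];
    memset(chunk, 0xAB, sizeof chunk);   /* constructed filler bytes */
    if (buf_append(&b, chunk, first) != 0) return -1;
    if (buf_append(&b, chunk, second) != 0) return -1;
    return (long)b.len;
}

int main(void) {
    printf("slot 3 in bounds:        %d\n", probe_slot_write(3, 42));
    printf("slot %d past the end:     %d\n", SLOT_COUNT, probe_slot_write(SLOT_COUNT, 1));
    printf("append 16+16 bytes:      %ld\n", probe_append(16, 16));
    printf("append 16+17 bytes:      %ld\n", probe_append(16, 17));
    printf("append 16+(SIZE_MAX-8):  %ld\n", probe_append(16, SIZE_MAX - 8));
    return 0;
}
```

The last probe is the one worth studying: with `len == 16`, the naive test `len + n > 32` computes `16 + (SIZE_MAX - 8)`, which wraps to 7 and passes, after which `memcpy` would run far past the buffer. Comparing `n` against the remaining capacity `32 - len` cannot wrap, because `len` never exceeds the capacity.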

“These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working,” CWE wrote in a post that contains the whole list.

Improper input validation, out-of-bounds read, and improper restriction of operations within the bounds of a memory buffer followed as the third through fifth most dangerous weaknesses.

The biggest change since last year was that CWE moved up more specific weaknesses and moved down abstract class-level weaknesses, saying that this will greatly benefit users who are attempting to understand the actual issues that threaten today’s systems.

The biggest shifts in the list involved four weaknesses related to authentication and authorization: insufficiently protected credentials moved from number 27 to 18, missing authentication for critical functions moved from 36 to 24, and missing authorization moved from 34 to 25.

“One theory about this movement is that the community has improved its education, tooling, and analysis capabilities related to some of the more implementation specific weaknesses identified in previous editions of the CWE Top 25 and have reduced the occurrence of those, thus lowering their ranking, and in turn raising the ranking of these more difficult weaknesses,” CWE stated.

Data on the vulnerabilities was gathered from three major security vulnerability databases (the National Institute of Standards and Technology, the National Vulnerability Database, and the Common Vulnerability Scoring System) and scored based on prevalence and severity.

The post CWE: XSS and out-of-bounds write the most dangerous software weaknesses of 2020 appeared first on SD Times.

from SD Times https://ift.tt/32gIe1t
