May 29, 2019

CWE/SANS TOP 25 Most Dangerous Software Errors

Below is the list of CWEs released by SANS (Jun 27, 2011) to help eliminate the top 25 software errors.

The CWE Top 25

Rank  ID       Name
1     CWE-119  Improper Restriction of Operations within the Bounds of a Memory Buffer
2     CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
3     CWE-20   Improper Input Validation
4     CWE-200  Information Exposure
5     CWE-125  Out-of-bounds Read
6     CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7     CWE-416  Use After Free
8     CWE-190  Integer Overflow or Wraparound
9     CWE-352  Cross-Site Request Forgery (CSRF)
10    CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
11    CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
12    CWE-787  Out-of-bounds Write
13    CWE-287  Improper Authentication
14    CWE-476  NULL Pointer Dereference
15    CWE-732  Incorrect Permission Assignment for Critical Resource
16    CWE-434  Unrestricted Upload of File with Dangerous Type
17    CWE-611  Improper Restriction of XML External Entity Reference
18    CWE-94   Improper Control of Generation of Code ('Code Injection')
19    CWE-798  Use of Hard-coded Credentials
20    CWE-400  Uncontrolled Resource Consumption
21    CWE-772  Missing Release of Resource after Effective Lifetime
22    CWE-426  Untrusted Search Path
23    CWE-502  Deserialization of Untrusted Data
24    CWE-269  Improper Privilege Management
25    CWE-295  Improper Certificate Validation

Links:

May 20, 2019

Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques

Completed my training on SEC642 today.

This OnDemand training begins by exploring advanced techniques and attacks to which all modern applications are vulnerable, covering new web frameworks, encryption and cryptography, alternate web front ends on mobile apps, HTTP/2 and WebSockets.

Syllabus:

  1. SEC642.1: Advanced Attacks
  2. SEC642.2: Web Cryptography
  3. SEC642.3: Alternative Interfaces and XML
  4. SEC642.4: Modern Web Frameworks, Part 1
  5. SEC642.5: Modern Web Frameworks, Part 2

Link: Advanced Web Application Penetration Testing and Exploitation | SANS SEC642