The 25 most dangerous programming errors

1. Cross-Site Scripting (XSS) (4)

2. SQL Injection (3)

3. Classic Buffer Overflow (1)

4. Cross-Site Request Forgery (CSRF) (7)

5. Improper Access Control (Authorization)

6. Reliance on Untrusted Inputs in a Security Decision

7. Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

8. Unrestricted Upload of File with Dangerous Type

9. Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) (5)

10. Missing Encryption of Sensitive Data (6)

11. Use of Hard-coded Credentials (21)

12. Buffer Access with Incorrect Length Value

13. Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion)

14. Improper Validation of Array Index

15. Improper Check for Unusual or Exceptional Conditions

16. Information Exposure Through an Error Message (9)

17. Integer Overflow or Wraparound

18. Incorrect Calculation of Buffer Size

19. Missing Authentication for Critical Function

20. Download of Code Without Integrity Check (15)

21. Incorrect Permission Assignment for Critical Resource (22)

22. Allocation of Resources Without Limits or Throttling

23. URL Redirection to Untrusted Site (Open Redirect)

24. Use of a Broken or Risky Cryptographic Algorithm (20)

25. Race Condition (8)

The number in parentheses is the error's ranking on last year's list. Errors that have been selected two years running clearly should not be made again.

In addition, comparing last year's Top 25 against this year's, the errors that dropped off the list are as follows; I believe these errors still carry considerable risk.

2. Improper Encoding or Escaping of Output

10. Failure to Constrain Operations within the Bounds of a Memory Buffer

11. External Control of Critical State Data

12. External Control of File Name or Path

13. Untrusted Search Path

14. Failure to Control Generation of Code (Code Injection)

15. Improper Resource Shutdown or Release

17. Improper Initialization

18. Incorrect Calculation

19. Porous Defenses

23. Use of Insufficiently Random Values

24. Execution with Unnecessary Privileges

25. Client-Side Enforcement of Server-Side Security
