Top 25 common coding errors that brought down websites

The SANS Institute and MITRE, working with the United States National Security Agency (NSA) and the Department of Homeland Security, have released the CWE/SANS Top 25 Most Dangerous Programming Errors, a list of the 25 coding errors that most often land developers and webmasters in hot water.

The SANS Institute, based in Bethesda, Maryland, reported that "1.5 million websites were breached" because of just two of the error types on the list. These errors are so damaging and so commonly made that the NSA, the Department of Homeland Security, Microsoft, Symantec and many other organizations published the list, a first of its kind, to help developers catch them while they are still coding.

The hope is that the list will stop new and current coders from repeating the mistakes that veteran developers learned the hard way. With more awareness of these common but serious errors, everyone benefits, and consumers' data stays safer.

Insecure Interaction Between Components

    CWE-20: Improper Input Validation
    CWE-116: Improper Encoding or Escaping of Output
    CWE-89: Failure to Preserve SQL Query Structure (SQL Injection)
    CWE-79: Failure to Preserve Web Page Structure (Cross-Site Scripting)
    CWE-78: Failure to Preserve OS Command Structure (OS Command Injection)
    CWE-319: Cleartext Transmission of Sensitive Information
    CWE-352: Cross-Site Request Forgery (CSRF)
    CWE-362: Race Condition
    CWE-209: Error Message Information Leak

Risky Resource Management

    CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
    CWE-642: External Control of Critical State Data
    CWE-73: External Control of File Name or Path
    CWE-426: Untrusted Search Path
    CWE-94: Failure to Control Generation of Code (Code Injection)
    CWE-494: Download of Code Without Integrity Check
    CWE-404: Improper Resource Shutdown or Release
    CWE-665: Improper Initialization
    CWE-682: Incorrect Calculation

Porous Defenses

    CWE-285: Improper Access Control (Authorization)
    CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    CWE-259: Hard-Coded Password
    CWE-732: Insecure Permission Assignment for Critical Resource
    CWE-330: Use of Insufficiently Random Values
    CWE-250: Execution with Unnecessary Privileges
    CWE-602: Client-Side Enforcement of Server-Side Security
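Two of the list's web entries side by side with their fixes, as an added example that is not part of the original article: CWE-89, where a value spliced into the query text changes the query's structure, next to a parameterized query; and CWE-79 arising from CWE-116, where unescaped text reaches an HTML page, next to output encoding at the point of rendering. The users table and the two payload strings are constructed for the demonstration; only Python's standard sqlite3 and html modules are used.

```python
"""Added example: CWE-89 and CWE-79/CWE-116 beside their fixes.
Uses Python's sqlite3 and html modules; the table and payloads are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, each with a secret only they should see."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b"), ("carol", "s3cr3t-c")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89: the caller's string is spliced into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    query = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: the query text is a constant; the input travels as a bound
    parameter and can only ever be compared as a value."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name: str) -> str:
    """CWE-79 via CWE-116: untrusted text is written into the page unencoded."""
    return f"<p>Hello, {name}</p>"


def render_safe(name: str) -> str:
    """Fix: encode for the HTML text context at the point of output."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run both pairs against classic payloads and report what each returns."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"            # closes the literal, appends a tautology
    xss_payload = "<script>alert(1)</script>"
    return {
        "vuln_rows": len(lookup_vulnerable(conn, sqli_payload)),  # every user's secret
        "safe_rows": len(lookup_safe(conn, sqli_payload)),        # no user has that name
        "vuln_html": render_vulnerable(xss_payload),              # script tag reaches browser
        "safe_html": render_safe(xss_payload),                    # rendered as inert text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup turns the payload into `WHERE name = '' OR '1'='1'` and hands back all three users' secrets; the parameterized version compares the whole payload as a name and finds nobody. The same principle applies to both fixes: keep the code (SQL, HTML) separate from the data, either by binding parameters or by encoding for the exact output context.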

18 Comments


Most of these more than likely occur due to companies outsourcing for code. The agreed upon contract more than likely never mentions these issues and no coder will bother to look at it (or even care) since it's not in the contract and they have to code it within a set time frame to make a profit.

Since I work for a company that does development for other businesses, the responsibility falls upon the customer to identify security measurements needed, request it, and understand the additional manhours needed. Since cost/time are always the issue, they never bother...so neither do I.

Rohdekill said,
Most of these more than likely occur due to companies outsourcing for code. The agreed upon contract more than likely never mentions these issues and no coder will bother to look at it (or even care) since it's not in the contract and they have to code it within a set time frame to make a profit.

Since I work for a company that does development for other businesses, the responsibility falls upon the customer to identify security measurements needed, request it, and understand the additional manhours needed. Since cost/time are always the issue, they never bother...so neither do I.


Wow. Way to represent your company.

The responsibility to point out obvious flaws before coming to an agreement also goes to whoever is working out contract details before any work gets done. Sounds like your company's method of operating is to use any valid scapegoat to cover its own ass.

I now dare you to let us know your company's name.

CWE-362: Race Condition
CWE-209: Error Message Information Leak
CWE-319: Cleartext Transmission of Sensitive Information

Those three, I'd say, aren't exactly "big problems". Depends on what they mean by them though.

"Error Message Information Leak". The problem is, as a software developer, it's impossible to catch and stop every single error from displaying. Sometimes there is absolutely no way to "prevent" errors. Fatal PHP errors for example are only controllable from the php.ini and can't be routed differently from the application itself.

If on the other hand they mean displaying the data of a supposedly private file with sensitive information (i.e. a config.php) through a traceback for debugging information for the developer, then yeah. I can see their point.

"CWE-319:Cleartext Transmission of Sensitive Information"
To transmit sensitive data privately you also need something like SSL which many hosts may or may not provide and then direct support in the software for the 'https' extension. Unless of course they mean storing things like passwords in cleartext in the database, then yes, that's an obvious one.

As for Race Conditions, I've never seen those lead to anything that could be escalated to a break in actual security. Usually Race Conditions only happen to bypass mechanisms like having to wait x minutes after a search so the server doesn't "overload" if the person was attempting a DoS attack.

The rest seem pretty obvious for a decently seasoned web developer.
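As an added example, not part of the comment above or of the article: what CWE-362 looks like when the shared state is a single-use coupon. A check-then-act pair (SELECT, then UPDATE) is run for two concurrent requests through a deterministic round-robin scheduler, so the second request's check always lands inside the first request's window between check and update, and the coupon is redeemed twice. Beside it is the fix that folds check and update into one conditional UPDATE, which the database executes atomically. The coupon table, code and scheduler are constructed for the illustration.

```python
"""Added example: a check-then-act race (CWE-362) on a single-use coupon, and
the atomic fix. The scheduler interleaves two requests deterministically so the
race always shows; the coupon table and code are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed data: one single-use coupon that has not been redeemed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
    conn.execute("INSERT INTO coupons (code, used) VALUES ('SAVE50', 0)")
    conn.commit()
    return conn


def redeem_racy(conn: sqlite3.Connection, code: str):
    """Vulnerable: SELECT (check) and UPDATE (act) are separate statements.
    Each `yield` marks a point where another request can run in between."""
    row = conn.execute("SELECT used FROM coupons WHERE code = ?", (code,)).fetchone()
    if row is None or row[0] != 0:
        return False
    yield  # window between check and act: a second request still sees used = 0
    conn.execute("UPDATE coupons SET used = 1 WHERE code = ?", (code,))
    conn.commit()
    yield
    return True  # both interleaved requests reach here


def redeem_atomic(conn: sqlite3.Connection, code: str):
    """Fix: check and act in one conditional UPDATE. The database serializes
    the statement, so exactly one request changes a row (rowcount == 1)."""
    cur = conn.execute(
        "UPDATE coupons SET used = 1 WHERE code = ? AND used = 0", (code,)
    )
    conn.commit()
    yield
    return cur.rowcount == 1


def run_interleaved(*requests) -> list:
    """Round-robin scheduler: advance every live request one step per pass,
    collecting each request's return value when it finishes."""
    live = list(requests)
    results = [None] * len(live)
    while any(g is not None for g in live):
        for i, gen in enumerate(live):
            if gen is None:
                continue
            try:
                next(gen)
            except StopIteration as done:
                results[i] = done.value
                live[i] = None
    return results


def demo() -> dict:
    """Two concurrent redemptions of the same coupon under each implementation."""
    racy_db = make_db()
    racy = run_interleaved(redeem_racy(racy_db, "SAVE50"), redeem_racy(racy_db, "SAVE50"))
    atomic_db = make_db()
    atomic = run_interleaved(redeem_atomic(atomic_db, "SAVE50"), redeem_atomic(atomic_db, "SAVE50"))
    return {"racy_successes": sum(racy), "atomic_successes": sum(atomic)}


if __name__ == "__main__":
    print(demo())  # a single-use coupon redeemed twice vs. once
```

The same shape (read a value, decide, then write) is behind double-spend bugs in payment flows, duplicate account creation, and file-system time-of-check/time-of-use bugs. The fix is always to make the decision and the write one indivisible operation: a conditional UPDATE with a rowcount check, a unique constraint, or a lock held across both steps.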

Fatal PHP errors for example are only controllable from the php.ini and can't be routed differently from the application itself

There's no way in Apache to handle HTTP 500-100 errors like IIS can? Or does the PHP engine not return correct headers when a process fails?

mrbester said,
There's no way in Apache to handle HTTP 500-100 errors like IIS can? Or does the PHP engine not return correct headers when a process fails?

I'm sure PHP can do it but this is beside the point, this is not specific to web programming, this is about all software programming.
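As an added example, not part of the discussion above or of the article: the handler pattern CWE-209 asks for, written in Python rather than PHP. The vulnerable handler returns the traceback to the HTTP client, which exposes file paths and code layout; the fixed handler has a single catch-all at the top of the request, logs the full traceback server-side under a random reference id, and returns only a generic message carrying that id so support staff can find the log entry. The config path is a constructed, non-existent file, so opening it fails deliberately.

```python
"""Added example: CWE-209 handler pattern. The vulnerable handler returns the
traceback to the client; the fixed one logs it server-side under a reference id
and returns a generic message. The config path is constructed and does not exist."""
import logging
import traceback
import uuid

LOG = logging.getLogger("app")
logging.basicConfig(level=logging.ERROR)

CONFIG_PATH = "/var/www/app/config.php"  # constructed: deliberately missing


def load_config(path: str) -> str:
    """Stand-in for application code that can fail; here it raises FileNotFoundError."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def handle_request_vulnerable(path: str) -> tuple:
    """CWE-209: the exception text and stack reach the HTTP client. The
    FileNotFoundError message alone reveals the server's filesystem layout."""
    try:
        return 200, load_config(path)
    except Exception:
        return 500, traceback.format_exc()


def handle_request_safe(path: str) -> tuple:
    """Fix: one catch-all at the top of the request. Details go to the server
    log keyed by a random reference id; the client gets only that id."""
    try:
        return 200, load_config(path)
    except Exception:
        ref = uuid.uuid4().hex
        LOG.exception("request failed, ref=%s", ref)  # full traceback, server-side only
        return 500, f"Internal error. Reference: {ref}"


if __name__ == "__main__":
    print(handle_request_vulnerable(CONFIG_PATH)[1])
    print(handle_request_safe(CONFIG_PATH)[1])
```

The check worth running on any real application is the one the test below makes: trigger a failure and confirm the response body contains neither the stack nor any server-side path, while the log does.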

I think explaining them fully would be slightly overkill, and anyone that develops should know what they mean (or be looking for a new career path!).

Honestly though, from consulting on web projects and security in my day to day work, it never fails to surprise me the poor standards of coding out there. I've worked with major household names that have SQL injection hacks in their admin panels!

I think it's simply a case of too many agencies out there providing 'web pages' and 'software', and the markup just isn't there anymore in a lot of cases to take security seriously.

tiddlie said,
I think explaining them fully would be slightly overkill, and anyone that develops should know what they mean (or be looking for a new career path!).

Honestly though, from consulting on web projects and security in my day to day work, it never fails to surprise me the poor standards of coding out there. I've worked with major household names that have SQL injection hacks in their admin panels!

I think it's simply a case of too many agencies out there providing 'web pages' and 'software', and the markup just isn't there anymore in a lot of cases to take security seriously.

Security is time consuming and costs money. I don't think it's a matter of taking security seriously. It's a matter of wanting to pay for security or not.

Doing a non-secure form from the ground up takes little time for an experienced programmer. Doing a full-fledged secure form from the ground up costs more money.

Of course you can re-use code. But creating an infrastructure to re-use your code is also time consuming and also costs money.

Lots of companies I worked for don't want to invest the time and money to implement version control, libraries of code, coding practices and such.

Programmers work on their project not knowing what other programmers did for other projects. You often see the same functions doing exactly the same thing in 2 different projects and coded twice. Duplication of code. Bad coding practices or coding practices that are not universal across the company. Multiple versions of the same program implemented in different workspaces.

Few companies want to invest the time and money necessary to have an efficient and secure infrastructure.

I don't really understand what those mean but from the way you people are talking, it sounds like some of these are no-brainers.

I feel dumb, I would like a further explanation as the wording there just confuses me!

I am sure I probably cover most, if not all of those; those I could understand were ticked!

If everyone who designs web pages would consider The World Wide Web Consortium or W3C then these types of errors could be eliminated. There is a reason why this is important. Standards have been developed because at one point in time issues were discovered or can become an issue later. As I read this article here on Neowin.net I find that errors exist on this page.

HTML Validation errors in no way create a security risk to the website, or the data stored on it. Equally, a website that is fully HTML valid may be completely insecure on the backend, storing passwords in cleartext, or not blocking SQL injection attacks. HTML has nothing whatsoever to do with the security of a website.

Opinions vary! I have yet to find information on your belief and until you cite your information, and not your opinion, I disagree.

To be honest, I feel they're all pretty obvious. I did my work experience placement for my degree for the English National Health Service, and if I did something as dumb as any of them, I'd be shouted at!

Additionally, some of them should be removed by the time testing is complete. Input validation should be tested extremely thoroughly, SQL injection should be impossible if you've used good practice techniques (i.e. using the SqlCommand class properly in .NET).

If these are cropping up in NSA applications, then they need new programmers.