{"id":1088,"date":"2010-02-18T22:41:19","date_gmt":"2010-02-18T21:41:19","guid":{"rendered":"http:\/\/www.mitternachtshacking.de\/blog\/1088-top-25-most-dangerous-programming-errors-2010"},"modified":"2010-03-01T22:53:18","modified_gmt":"2010-03-01T21:53:18","slug":"top-25-most-dangerous-programming-errors-2010","status":"publish","type":"post","link":"https:\/\/www.mitternachtshacking.de\/blog\/1088-top-25-most-dangerous-programming-errors-2010","title":{"rendered":"Top 25 Most Dangerous Programming Errors 2010"},
"content":{"rendered":"<p>Two links happened to land in my hands within a very short time of each other: <a href=\"http:\/\/cwe.mitre.org\/top25\/\">the Top 25 programming errors<\/a> and the <a href=\"http:\/\/programminghumor.blogspot.com\/2009\/04\/top-25-explanations-by-programmers.html\">Top 25 programmers' excuses<\/a>. So it seemed only natural to merge these two tables into one \ud83d\ude09<\/p>\n<table>\n<tr>\n<th>Rank<\/th>\n<th>Score<\/th>\n<th>ID<\/th>\n<th>Name<\/th>\n<th>Excuse<\/th>\n<\/tr>\n<tr>\n<td>[1]<\/td>\n<td>346<\/td>\n<td>CWE-79<\/td>\n<td>Failure to Preserve Web Page Structure (&#8216;Cross-site Scripting&#8217;)<\/td>\n<td>Of course, I just have to do these small fixes.<\/td>\n<\/tr>\n<tr>\n<td>[2]<\/td>\n<td>330<\/td>\n<td>CWE-89<\/td>\n<td>Improper Sanitization of Special Elements used in an SQL Command (&#8216;SQL Injection&#8217;)<\/td>\n<td>It will be done in no time at all.<\/td>\n<\/tr>\n<tr>\n<td>[3]<\/td>\n<td>273<\/td>\n<td>CWE-120<\/td>\n<td>Buffer Copy without Checking Size of Input (&#8216;Classic Buffer Overflow&#8217;)<\/td>\n<td>Didn&#8217;t I fix it already?<\/td>\n<\/tr>\n<tr>\n<td>[4]<\/td>\n<td>261<\/td>\n<td>CWE-352<\/td>\n<td>Cross-Site Request Forgery (CSRF)<\/td>\n<td>How is this possible?<\/td>\n<\/tr>\n<tr>\n<td>[5]<\/td>\n<td>219<\/td>\n<td>CWE-285<\/td>\n<td>Improper Access Control (Authorization)<\/td>\n<td>Well, the program needs some fixing.<\/td>\n<\/tr>\n<tr>\n<td>[6]<\/td>\n<td>202<\/td>\n<td>CWE-807<\/td>\n<td>Reliance on Untrusted Inputs in a Security Decision<\/td>\n<td>It&#8217;s already there, but it has not been tested.<\/td>\n<\/tr>\n<tr>\n<td>[7]<\/td>\n<td>197<\/td>\n<td>CWE-22<\/td>\n<td>Improper Limitation of a Pathname to a Restricted Directory (&#8216;Path Traversal&#8217;)<\/td>\n<td>I&#8217;m almost ready.<\/td>\n<\/tr>\n<tr>\n<td>[8]<\/td>\n<td>194<\/td>\n<td>CWE-434<\/td>\n<td>Unrestricted Upload of File with Dangerous Type<\/td>\n<td>The user has made an error again.<\/td>\n<\/tr>\n<tr>\n<td>[9]<\/td>\n<td>188<\/td>\n<td>CWE-78<\/td>\n<td>Improper Sanitization of Special Elements used in an OS Command (&#8216;OS Command Injection&#8217;)<\/td>\n<td>There is something wrong in your test data.<\/td>\n<\/tr>\n<tr>\n<td>[10]<\/td>\n<td>188<\/td>\n<td>CWE-311<\/td>\n<td>Missing Encryption of Sensitive Data<\/td>\n<td>Yes yes, it will be ready in time.<\/td>\n<\/tr>\n<tr>\n<td>[11]<\/td>\n<td>176<\/td>\n<td>CWE-798<\/td>\n<td>Use of Hard-coded Credentials<\/td>\n<td>You must have the wrong executable.<\/td>\n<\/tr>\n<tr>\n<td>[12]<\/td>\n<td>158<\/td>\n<td>CWE-805<\/td>\n<td>Buffer Access with Incorrect Length Value<\/td>\n<td>I can&#8217;t test everything!<\/td>\n<\/tr>\n<tr>\n<td>[13]<\/td>\n<td>157<\/td>\n<td>CWE-98<\/td>\n<td>Improper Control of Filename for Include\/Require Statement in PHP Program (&#8216;PHP File Inclusion&#8217;)<\/td>\n<td>I have not touched that module!<\/td>\n<\/tr>\n<tr>\n<td>[14]<\/td>\n<td>156<\/td>\n<td>CWE-129<\/td>\n<td>Improper Validation of Array Index<\/td>\n<td>I&#8217;ve never heard about that.<\/td>\n<\/tr>\n<tr>\n<td>[15]<\/td>\n<td>155<\/td>\n<td>CWE-754<\/td>\n<td>Improper Check for Unusual or Exceptional Conditions<\/td>\n<td>It did work yesterday.<\/td>\n<\/tr>\n<tr>\n<td>[16]<\/td>\n<td>154<\/td>\n<td>CWE-209<\/td>\n<td>Information Exposure Through an Error Message<\/td>\n<td>Strange&#8230;<\/td>\n<\/tr>\n<tr>\n<td>[17]<\/td>\n<td>154<\/td>\n<td>CWE-190<\/td>\n<td>Integer Overflow or Wraparound<\/td>\n<td>The machine seems to be broken.<\/td>\n<\/tr>\n<tr>\n<td>[18]<\/td>\n<td>153<\/td>\n<td>CWE-131<\/td>\n<td>Incorrect Calculation of Buffer Size<\/td>\n<td>Somebody must have changed my code.<\/td>\n<\/tr>\n<tr>\n<td>[19]<\/td>\n<td>147<\/td>\n<td>CWE-306<\/td>\n<td>Missing Authentication for Critical Function<\/td>\n<td>It works, but it&#8217;s not been tested.<\/td>\n<\/tr>\n<tr>\n<td>[20]<\/td>\n<td>146<\/td>\n<td>CWE-494<\/td>\n<td>Download of Code Without Integrity Check<\/td>\n<td>There must be a virus in the application software.<\/td>\n<\/tr>\n<tr>\n<td>[21]<\/td>\n<td>145<\/td>\n<td>CWE-732<\/td>\n<td>Incorrect Permission Assignment for Critical Resource<\/td>\n<td>Has the operating system been updated?<\/td>\n<\/tr>\n<tr>\n<td>[22]<\/td>\n<td>145<\/td>\n<td>CWE-770<\/td>\n<td>Allocation of Resources Without Limits or Throttling<\/td>\n<td>Even though it does not work, how does it feel?<\/td>\n<\/tr>\n<tr>\n<td>[23]<\/td>\n<td>142<\/td>\n<td>CWE-601<\/td>\n<td>URL Redirection to Untrusted Site (&#8216;Open Redirect&#8217;)<\/td>\n<td>THIS can&#8217;t do THAT.<\/td>\n<\/tr>\n<tr>\n<td>[24]<\/td>\n<td>141<\/td>\n<td>CWE-327<\/td>\n<td>Use of a Broken or Risky Cryptographic Algorithm<\/td>\n<td>Oh, it&#8217;s just a feature.<\/td>\n<\/tr>\n<tr>\n<td>[25]<\/td>\n<td>138<\/td>\n<td>CWE-362<\/td>\n<td>Race Condition<\/td>\n<td>It&#8217;s just some unlucky coincidence.<\/td>\n<\/tr>\n<\/table>\n<p>And my prediction for 2010, 2011 and 2012: this will not get any better!<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Two links happened to land in my hands within a very short time of each other: the Top 25 programming errors and the Top 25 programmers' excuses. So it seemed only natural to merge these two tables into one \ud83d\ude09 Rank Score ID Name Excuse [1] 346 CWE-79 Failure to Preserve Web Page Structure (&#8216;Cross-site Scripting&#8217;) Of course, I [&hellip;]<\/p>\n","protected":false},
"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6],"tags":[],"_links":{"self":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts\/1088"}],"collection":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/comments?post=1088"}],"version-history":[{"count":0,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts\/1088\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/media?parent=1088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/categories?post=1088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/tags?post=1088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}