🛡️ CWE/SANS Top 25 Most Dangerous Software Weaknesses
The definitive list of the most critical software weaknesses that lead to serious vulnerabilities. Maintained by MITRE with input from the SANS Institute, this list covers memory safety, injection, access control, and web security. Each CWE maps directly to real-world CVEs in NIST's National Vulnerability Database (NVD) — essential knowledge for secure development and interview preparation.
Understanding CWE (Common Weakness Enumeration)
CWE is a community-developed dictionary of software and hardware weakness types. Maintained by MITRE and funded by CISA, it provides a common language for describing security weaknesses in architecture, design, code, or implementation.
🏗️ CWE Hierarchy & Structure
CWE is organized in a tree-like hierarchy — from abstract Pillars to specific Variants.
📊 CWE Categories & Examples
CWEs are grouped into major weakness categories. Each category contains dozens of related weaknesses.
| Category | Description | Key CWEs | Languages |
|---|---|---|---|
| Memory Safety | Buffer overflows, use-after-free, out-of-bounds read/write — the root cause of ~70% of security bugs in C/C++ | CWE-787, CWE-125, CWE-416, CWE-476, CWE-190 | C, C++, Assembly |
| Injection | Untrusted data interpreted as code or commands — SQL, OS command, LDAP, XPath, template injection | CWE-89, CWE-78, CWE-77, CWE-94, CWE-917 | All (web, backend) |
| Web Security | Client-side attacks via web browsers — XSS, CSRF, open redirect, clickjacking | CWE-79, CWE-352, CWE-601 | JavaScript, HTML |
| Auth & Access | Broken authentication, missing/incorrect authorization, privilege escalation | CWE-862, CWE-863, CWE-306, CWE-269, CWE-287 | All |
| Cryptographic | Weak algorithms, hardcoded keys, missing encryption, insufficient entropy | CWE-798, CWE-327, CWE-916, CWE-330 | All |
| File & Path | Path traversal, unrestricted upload, symlink attacks, race conditions in file operations | CWE-22, CWE-434, CWE-59 | All (server-side) |
| Data Handling | Deserialization attacks, improper input validation, type confusion, integer overflow | CWE-502, CWE-20, CWE-843, CWE-190 | Java, .NET, PHP, Python |
| Resource Mgmt | NULL pointer dereference, double-free, memory leaks, race conditions, deadlocks | CWE-476, CWE-415, CWE-362, CWE-401 | C, C++, concurrent langs |
🔗 CWE Ecosystem — How It All Connects
CWE sits at the center of the vulnerability ecosystem, connecting weaknesses to real-world exploits.
🔄 Relationship Chain
- CWE defines the weakness type (e.g., CWE-89 = SQL Injection)
- CVE identifies a specific vulnerability (e.g., CVE-2024-12345)
- NVD enriches CVEs with CVSS scores, CWE mapping, and CPE (affected products)
- CVSS rates severity (0-10) — Base, Temporal, Environmental scores
- EPSS predicts exploit probability (0.0-1.0) within 30 days
- KEV (CISA) flags CVEs actively exploited in the wild
📈 Key Numbers
- 930+ CWE entries in the current dictionary
- 200K+ CVEs published in the NVD database
- 25K+ new CVEs published per year (growing annually)
- 1,100+ CVEs on CISA's KEV catalog
- Top 25 CWEs account for a disproportionate % of CVEs
- CWE is used by SAST/DAST tools, NVD, and OWASP for classification
💡 Example Flow
- Developer writes code vulnerable to SQL Injection (CWE-89)
- Vulnerability discovered → assigned CVE-2024-XXXXX
- NVD rates it CVSS 9.8 Critical and maps to CWE-89
- EPSS gives it 0.87 probability of exploitation
- CISA adds to KEV after active exploitation confirmed
- Organizations must remediate within 14 days per BOD 22-01
⚡ CWE vs OWASP — Quick Comparison
| Aspect | CWE (Common Weakness Enumeration) | OWASP Top 10 |
|---|---|---|
| Maintained by | MITRE (funded by CISA/DHS) | OWASP Foundation (community) |
| Focus | All software weaknesses — web, mobile, desktop, embedded, IoT, hardware | Web application security risks only |
| Granularity | Individual weakness types (e.g., CWE-89 = SQL Injection specifically) | Broad risk categories (e.g., A03 = all Injection types grouped) |
| Scope | 930+ entries covering code, design, and architecture weaknesses | 10 categories (2021 edition), separate lists for API, LLM, Mobile |
| Used by | NVD (CVE→CWE mapping), SAST/DAST tools, secure coding standards | Web app pentesting, compliance (PCI-DSS 6.5), developer training |
| Ranking basis | Prevalence × impact across NVD CVE data — data-driven | Community survey + data analysis — consensus-driven |
| Relationship | OWASP categories MAP to multiple CWEs (e.g., A03:Injection → CWE-79, CWE-89, CWE-78, CWE-94) | |
🔺 OWASP vs CWE vs CVE — The Big Picture
Three different systems that work together to classify, identify, and track software security issues.
| Aspect | OWASP Top 10 | CWE (SANS Top 25) | CVE (CISA / NVD) | How They Connect |
|---|---|---|---|---|
| What is it? | Top 10 risk categories for web applications | Dictionary of weakness types in software/hardware | Registry of specific vulnerabilities found in real products | OWASP groups → CWEs classify → CVEs identify |
| Analogy | 🗂️ Folder labels — broad categories | 📋 Disease classification — types of illness | 🏥 Patient records — specific cases | Folder → Disease type → Patient case |
| Maintained by | OWASP Foundation (community) | MITRE Corporation (CISA/DHS) | MITRE (CNAs) + NIST NVD | Three orgs maintain complementary systems |
| Scope | Web apps only (+ API, LLM, Mobile lists) | All software — web, desktop, mobile, IoT, HW (930+) | All products — OS, apps, firmware, libs (200K+) | Narrow → Broad → Broadest |
| Granularity | High-level categories (A01-A10) | Individual weakness types (CWE-89, CWE-787) | Single specific instances (CVE-2021-44228) | Category → Type → Instance |
| Example | A03:2021 — Injection | CWE-89 — SQL Injection | CVE-2024-12345 — SQLi in Product X | A03 contains CWE-89 maps to CVE-2024-12345 |
| Rated by | Risk (likelihood × impact) | Prevalence × impact across NVD data | CVSS (0-10) + EPSS + KEV status | Risk → Prevalence → Severity + Exploitability |
| Updated | Every 3-4 years (2021, ~2025) | Annually (Top 25); dictionary continuous | Continuously — 25K+ new CVEs/year | Slow → Annual → Real-time |
| Used for | Awareness, compliance, training | SAST/DAST classification, coding standards | Scanning, patching, threat intel, KEV | Strategic → Tactical → Operational |
| Actionability | "Focus your security program here" | "Prevent this type of bug in code" | "Patch this specific product now" | Program → Code → Patch |
At a Glance
| # | CWE | Weakness | Category | Severity | NVD |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | Memory Safety | Critical | 🔗 |
| 2 | CWE-79 | Cross-site Scripting (XSS) | Web Security | High | 🔗 |
| 3 | CWE-89 | SQL Injection | Injection | Critical | 🔗 |
| 4 | CWE-416 | Use After Free | Memory Safety | Critical | 🔗 |
| 5 | CWE-78 | OS Command Injection | Injection | Critical | 🔗 |
| 6 | CWE-20 | Improper Input Validation | Input Handling | High | 🔗 |
| 7 | CWE-125 | Out-of-bounds Read | Memory Safety | High | 🔗 |
| 8 | CWE-22 | Path Traversal | File Handling | High | 🔗 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | Web Security | High | 🔗 |
| 10 | CWE-434 | Unrestricted Upload of Dangerous File | File Handling | Critical | 🔗 |
| 11 | CWE-862 | Missing Authorization | Access Control | Critical | 🔗 |
| 12 | CWE-476 | NULL Pointer Dereference | Memory Safety | Medium | 🔗 |
| 13 | CWE-863 | Incorrect Authorization | Access Control | High | 🔗 |
| 14 | CWE-190 | Integer Overflow or Wraparound | Memory Safety | High | 🔗 |
| 15 | CWE-77 | Command Injection | Injection | Critical | 🔗 |
| 16 | CWE-119 | Improper Restriction of Operations within Memory Buffer | Memory Safety | Critical | 🔗 |
| 17 | CWE-798 | Use of Hard-coded Credentials | Authentication | Critical | 🔗 |
| 18 | CWE-918 | Server-Side Request Forgery (SSRF) | Web Security | High | 🔗 |
| 19 | CWE-306 | Missing Authentication for Critical Function | Authentication | Critical | 🔗 |
| 20 | CWE-362 | Race Condition (TOCTOU) | Concurrency | Medium | 🔗 |
| 21 | CWE-502 | Deserialization of Untrusted Data | Input Handling | Critical | 🔗 |
| 22 | CWE-269 | Improper Privilege Management | Access Control | High | 🔗 |
| 23 | CWE-200 | Exposure of Sensitive Information | Information Disclosure | Medium | 🔗 |
| 24 | CWE-400 | Uncontrolled Resource Consumption | Availability | Medium | 🔗 |
| 25 | CWE-276 | Incorrect Default Permissions | Access Control | Medium | 🔗 |
Detailed Weakness Analysis
Software writes data past the end, or before the beginning, of the intended buffer. Can lead to code execution, crashes, or data corruption.
💥 Impact
Remote Code Execution (RCE), system compromise, denial of service
🌍 Real-World Examples
CVE-2021-21220 (Chrome V8), CVE-2021-34527 (PrintNightmare), numerous IoT firmware vulnerabilities
🛡️ Prevention
- Use memory-safe languages (Rust, Go, Java)
- Bounds checking on all buffer operations
- ASLR + DEP/NX enabled
- Use safe string functions (strncpy vs strcpy)
- Compiler hardening flags (-fstack-protector, -D_FORTIFY_SOURCE)
🔎 Detection
- AddressSanitizer (ASan) in testing
- Fuzzing (AFL, libFuzzer)
- SAST tools (Coverity, CodeQL)
- Runtime memory error detection
Application includes untrusted data in web output without proper validation or escaping, allowing attackers to execute scripts in victims' browsers.
💥 Impact
Session hijacking, credential theft, defacement, malware distribution, phishing
🌍 Real-World Examples
CVE-2020-11022 (jQuery), persistent XSS in WordPress plugins, Stored XSS in Jira (CVE-2022-36804)
🛡️ Prevention
- Output encoding for the correct context (HTML, JS, URL, CSS)
- Content Security Policy (CSP) headers
- Use frameworks with auto-escaping (React, Angular)
- DOM-based XSS prevention with safe APIs
- HTTPOnly and Secure cookie flags
🔎 Detection
- DAST scanners (Burp Suite, OWASP ZAP)
- Browser security testing
- WAF rules for XSS patterns
- Code review for raw HTML output
SQL commands are constructed using untrusted input without proper sanitization, allowing attackers to read, modify, or delete database data.
💥 Impact
Full database compromise, data exfiltration, authentication bypass, remote code execution via xp_cmdshell
🌍 Real-World Examples
CVE-2019-3396 (Confluence), MOVEit Transfer (CVE-2023-34362), countless web application breaches
🛡️ Prevention
- Parameterized queries / prepared statements (ALWAYS)
- ORM frameworks (Hibernate, SQLAlchemy, Prisma)
- Input validation with allowlists
- Least privilege database accounts
- Stored procedures with parameterized inputs
🔎 Detection
- SAST for concatenated SQL strings
- DAST/SQLMap testing
- WAF with SQL injection signatures
- Database activity monitoring (DAM)
- Anomalous query pattern detection
Program references memory after it has been freed, potentially leading to arbitrary code execution when the memory is reallocated and contains attacker-controlled data.
💥 Impact
Remote code execution, privilege escalation, system compromise
🌍 Real-World Examples
CVE-2022-22047 (Windows CSRSS), CVE-2021-21224 (Chrome V8), numerous browser and kernel exploits
🛡️ Prevention
- Use memory-safe languages (Rust ownership model)
- Smart pointers (unique_ptr, shared_ptr in C++)
- Set pointers to NULL after free
- RAII pattern for resource management
- Memory tagging (MTE on ARM)
🔎 Detection
- ASan (AddressSanitizer)
- Valgrind memcheck
- Fuzzing with sanitizers
- Static analysis for dangling pointer patterns
Application constructs OS commands using untrusted input without proper neutralization, allowing attackers to execute arbitrary commands on the host.
💥 Impact
Full system compromise, data exfiltration, lateral movement, ransomware deployment
🌍 Real-World Examples
CVE-2021-44228 (Log4Shell enabled command injection), Fortinet FortiOS (CVE-2022-42475), network device RCE vulnerabilities
🛡️ Prevention
- Avoid OS commands — use language-native APIs
- If unavoidable, use allowlisted parameters only
- Never pass user input to shell functions
- Sandboxing / containerization
- Remove shell metacharacter interpretation
🔎 Detection
- SAST for system(), exec(), popen() with user input
- Runtime application self-protection (RASP)
- Command-line auditing on servers
- WAF rules for command injection patterns
Application does not validate or incorrectly validates input, which can allow attackers to craft inputs that cause unexpected behavior.
💥 Impact
Enables many other vulnerability classes — injection, buffer overflow, logic bypasses
🌍 Real-World Examples
Underpins most OWASP Top 10 vulnerabilities, API abuse scenarios, business logic flaws
🛡️ Prevention
- Validate all inputs server-side (never trust client)
- Allowlist validation over denylist
- Validate data type, length, range, and format
- Reject unexpected input rather than sanitizing
- Schema validation for API inputs (JSON Schema, OpenAPI)
🔎 Detection
- SAST for missing validation patterns
- Fuzzing to discover edge cases
- API testing with malformed inputs
- Runtime monitoring for anomalous input patterns
Software reads data beyond the intended buffer boundaries, potentially exposing sensitive information from memory.
💥 Impact
Information disclosure (memory contents, keys, credentials), crash/DoS, bypass of ASLR
🌍 Real-World Examples
CVE-2014-0160 (Heartbleed — OpenSSL), CVE-2020-0601 (CurveBall), numerous image parser vulnerabilities
🛡️ Prevention
- Bounds checking on all array/buffer access
- Memory-safe languages
- Safe standard library functions
- Compiler-based bounds checking
- Fuzzing with ASan
🔎 Detection
- ASan/MSan in testing
- Fuzzing (especially protocol and file parsers)
- SAST for unchecked buffer access
- Valgrind
Application uses external input to construct a pathname for a restricted directory, but fails to neutralize "../" sequences that can resolve outside that directory.
💥 Impact
Read/write arbitrary files, source code disclosure, credential theft, remote code execution
🌍 Real-World Examples
CVE-2021-41773 (Apache HTTP Server), CVE-2023-22527 (Confluence), Zip Slip vulnerabilities
🛡️ Prevention
- Use a chroot/jail or sandbox for file operations
- Canonicalize paths then verify against allowlist
- Never use raw user input in file paths
- Restrict file access to designated directories
- Use platform-specific path APIs (Path.normalize())
🔎 Detection
- SAST for file operations with user input
- DAST with path traversal payloads
- WAF rules for ../ sequences
- File access monitoring for unexpected locations
Web application does not verify that a request was intentionally made by the authenticated user, allowing attackers to trick users into performing unwanted actions.
💥 Impact
Unauthorized state changes — password changes, fund transfers, account modifications
🌍 Real-World Examples
CVE-2019-11869 (WordPress plugins), banking CSRF attacks, social media account takeover
🛡️ Prevention
- Anti-CSRF tokens (synchronizer token pattern)
- SameSite cookie attribute (Strict or Lax)
- Double-submit cookie pattern
- Verify Origin/Referer headers
- Re-authentication for sensitive actions
🔎 Detection
- DAST scanners (check for missing CSRF tokens)
- Code review for state-changing GET requests
- Penetration testing
- Monitor for unexpected cross-origin requests
Application allows uploading files without properly validating file type, content, or size — attackers can upload web shells, malware, or executable files.
💥 Impact
Remote code execution via web shell, server compromise, malware distribution
🌍 Real-World Examples
CVE-2023-27997 (FortiGate), web shell deployment in IIS/Apache, ransomware delivery via upload forms
🛡️ Prevention
- Validate file type by content (magic bytes), not just extension
- Store uploads outside web root or in object storage
- Rename uploaded files with random names
- Set Content-Disposition: attachment for downloads
- Scan uploads with antivirus/sandbox
- Restrict file size and allowed extensions
🔎 Detection
- File integrity monitoring on upload directories
- Antivirus/sandbox scanning of uploads
- WAF rules for web shell patterns
- Monitor for new executable files in web directories
Application does not perform authorization checks when a user attempts to access a resource or perform an action, relying solely on authentication.
💥 Impact
Horizontal/vertical privilege escalation, unauthorized data access, IDOR vulnerabilities
🌍 Real-World Examples
Broken Object Level Authorization (BOLA) — OWASP API #1, numerous API data breaches, IDOR in social media platforms
🛡️ Prevention
- Enforce authorization on every request server-side
- Use RBAC or ABAC frameworks
- Deny by default — require explicit grants
- Centralized authorization middleware
- Never expose internal IDs — use UUIDs or indirection
🔎 Detection
- Automated API testing for IDOR
- Access log analysis for privilege escalation patterns
- Forced browsing tests
- Penetration testing with different privilege levels
Application dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. In some cases, can be exploited for code execution.
💥 Impact
Denial of service (crash), potential code execution in kernel mode
🌍 Real-World Examples
CVE-2021-3156 (Sudo Baron Samedit), numerous kernel NULL deref vulnerabilities, embedded system crashes
🛡️ Prevention
- Check pointers before use
- Use Option/Maybe types (Rust, Haskell, Kotlin)
- Enable compiler warnings for NULL usage
- Static analysis for NULL paths
- Defensive programming patterns
🔎 Detection
- SAST for unchecked NULL returns
- Fuzzing
- Code review focusing on error paths
- Runtime crash monitoring
Application performs authorization checks, but the logic is flawed — allowing users to access resources or actions they should not.
💥 Impact
Privilege escalation, unauthorized data access, business logic bypass
🌍 Real-World Examples
Broken Function Level Authorization (OWASP API #5), admin panel access, role confusion bugs
🛡️ Prevention
- Centralized, well-tested authorization logic
- Unit test all authorization paths
- Principle of least privilege
- Separate admin and user APIs/routes
- Regular authorization audits
🔎 Detection
- Penetration testing with role-based scenarios
- Automated RBAC testing frameworks
- Code review of authorization logic
- Access log analysis for anomalous patterns
Arithmetic on integers produces a result that exceeds the maximum (or goes below minimum) value, wrapping around and causing unexpected behavior.
💥 Impact
Buffer overflow, incorrect calculations, bypass of security checks, denial of service
🌍 Real-World Examples
CVE-2021-3156 (Sudo heap overflow via integer overflow), CVE-2014-1266 (Apple goto fail), embedded system vulnerabilities
🛡️ Prevention
- Use safe integer arithmetic libraries
- Check for overflow before operations
- Use types with guaranteed sizes
- Compiler flags for integer overflow detection
- Language-level overflow protection (Rust panics on overflow in debug)
🔎 Detection
- SAST for unchecked arithmetic
- UBSan (UndefinedBehaviorSanitizer)
- Fuzzing with boundary values
- Code review for size calculations
Application constructs a command using externally-influenced input without properly neutralizing special elements, allowing injection of additional commands.
💥 Impact
Arbitrary command execution, full system compromise, data exfiltration
🌍 Real-World Examples
CVE-2021-25296 (Nagios XI), IoT device command injection, CI/CD pipeline injection
🛡️ Prevention
- Use parameterized interfaces instead of shell commands
- Strict allowlist validation
- Avoid command interpreters (shell=false)
- Input encoding/escaping
- Principle of least privilege for application processes
🔎 Detection
- SAST for command construction with user input
- DAST with command injection payloads
- Command-line audit logging
- Behavioral monitoring for unexpected child processes
Operations on memory buffers without proper bounds checking — the parent class of buffer overflow, over-read, and other memory corruption vulnerabilities.
💥 Impact
Code execution, information disclosure, denial of service
🌍 Real-World Examples
Parent category — encompasses CWE-787, CWE-125, CWE-120, and many CVEs targeting C/C++ applications
🛡️ Prevention
- Memory-safe languages for new development
- Bounds-checking wrappers for C/C++
- Stack canaries and ASLR
- Safe coding standards (CERT C, MISRA)
- Compiler hardening options
🔎 Detection
- ASan/MSan/TSan sanitizers
- Fuzzing
- Static analysis suites
- Binary analysis tools (IDA Pro, Ghidra)
Software contains hard-coded passwords, API keys, cryptographic keys, or other credentials — providing a backdoor for attackers who reverse-engineer the code.
💥 Impact
Authentication bypass, full system access, supply chain compromise when credentials shared across deployments
🌍 Real-World Examples
CVE-2021-36260 (Hikvision cameras), CVE-2020-29583 (Zyxel firewalls), numerous IoT device backdoors
🛡️ Prevention
- Never hard-code credentials in source code
- Use secrets management (Vault, AWS Secrets Manager, Azure Key Vault)
- Environment variables or config files outside repo
- Pre-commit hooks to detect secrets (git-secrets, truffleHog)
- Rotate credentials regularly
🔎 Detection
- Secret scanning in CI/CD (GitHub secret scanning, GitLeaks)
- SAST rules for credential patterns
- Binary analysis for embedded strings
- Pre-commit hooks
Application fetches a remote resource using a user-supplied URL without validating the destination, allowing attackers to access internal services.
💥 Impact
Internal network scanning, cloud metadata theft (IMDS), access to internal APIs, RCE via internal services
🌍 Real-World Examples
Capital One breach (2019, AWS IMDS via SSRF), CVE-2021-26855 (Exchange ProxyLogon chain), Jira/Confluence SSRF
🛡️ Prevention
- Allowlist permitted domains/IPs/protocols
- Block requests to private IP ranges (10.x, 172.16.x, 169.254.x)
- Disable URL redirects in HTTP clients
- Use IMDSv2 (requires token for cloud metadata)
- Network-level egress filtering from application tier
🔎 Detection
- WAF rules for internal IP patterns in URL parameters
- Monitor outbound connections from web servers
- DAST with SSRF payloads
- Cloud metadata access logging
Application does not perform authentication for functionality that requires a verified identity — exposing critical functions to unauthenticated access.
💥 Impact
Unauthorized access to admin functions, data manipulation, system compromise
🌍 Real-World Examples
CVE-2021-26084 (Confluence unauthenticated RCE), exposed admin panels, unprotected API endpoints
🛡️ Prevention
- Authentication required for all non-public endpoints
- Centralized authentication middleware
- Default-deny authentication policy
- Regular endpoint auditing
- API gateway enforcement
🔎 Detection
- Endpoint inventory and authentication audit
- Forced browsing/directory enumeration testing
- Penetration testing for unauthenticated access
- API specification review
Time-of-check to time-of-use race condition — the program checks a condition, then uses the result, but the condition can change between the check and use.
💥 Impact
Privilege escalation, authentication bypass, file system manipulation, double-spend in financial applications
🌍 Real-World Examples
CVE-2016-5195 (Dirty COW — Linux kernel), symlink race attacks, financial double-spend bugs
🛡️ Prevention
- Atomic operations for check-then-use patterns
- File locking and mutex/semaphore usage
- Use file descriptors instead of filenames after check
- Database transactions with proper isolation levels
- Avoid shared mutable state
🔎 Detection
- Thread sanitizer (TSan)
- Concurrency-aware static analysis
- Race condition fuzzing
- Code review focused on shared state
Application deserializes data from untrusted sources without verification, allowing attackers to inject malicious objects leading to code execution.
💥 Impact
Remote code execution, denial of service, authentication bypass, object manipulation
🌍 Real-World Examples
CVE-2017-9805 (Apache Struts), CVE-2019-2725 (Oracle WebLogic), Java deserialization attacks (ysoserial)
🛡️ Prevention
- Avoid deserializing untrusted data entirely
- Use safe formats (JSON, protobuf) instead of native serialization
- Implement integrity checks (HMAC) on serialized data
- Allowlist permitted classes for deserialization
- Use look-ahead deserialization with ObjectInputFilter (Java)
🔎 Detection
- SAST for deserialization of external input
- Runtime monitoring for deserialization gadget chains
- WAF rules for serialized object patterns
- DAST with deserialization payloads (ysoserial)
Application does not properly manage privileges — running with excessive permissions, failing to drop privileges, or improperly granting elevated rights.
💥 Impact
Privilege escalation, unauthorized system access, blast radius amplification
🌍 Real-World Examples
CVE-2021-1732 (Windows Win32k privilege escalation), overprivileged cloud IAM roles, container breakout via excessive capabilities
🛡️ Prevention
- Principle of least privilege — always
- Drop privileges after initialization
- Separate privileged and unprivileged components
- Regular privilege audits
- Use capability-based security (Linux capabilities vs full root)
🔎 Detection
- IAM policy analysis (AWS Access Analyzer, Azure Advisor)
- Monitor for privilege escalation events
- Container security scanning for excessive capabilities
- Regular access rights review
Application exposes sensitive information to unauthorized actors — via error messages, logs, API responses, or debugging output.
💥 Impact
Credential exposure, PII disclosure, system architecture revelation aiding further attacks
🌍 Real-World Examples
Stack traces in production, verbose API error messages, exposed .env files, debug endpoints left enabled
🛡️ Prevention
- Generic error messages in production
- Structured logging without sensitive data
- Remove debug endpoints before deployment
- Redact PII/credentials in logs
- Proper HTTP response headers (no Server, X-Powered-By)
🔎 Detection
- DAST for information disclosure
- Log review for sensitive data exposure
- Configuration auditing
- Secret scanning in logs and responses
Application does not properly limit resource allocation (CPU, memory, disk, network), allowing attackers to cause denial of service through resource exhaustion.
💥 Impact
Denial of service, resource starvation affecting other applications, increased cloud costs
🌍 Real-World Examples
ReDoS (Regular Expression DoS), CVE-2018-6389 (WordPress DoS), ZIP bomb attacks, billion laughs (XML)
🛡️ Prevention
- Rate limiting and throttling
- Set resource limits (memory, CPU, file descriptors)
- Limit request sizes and timeouts
- Use non-backtracking reget engines
- Resource quotas in cloud/container environments
🔎 Detection
- Performance monitoring and alerting
- Rate limit monitoring
- Resource usage anomaly detection
- Load testing and stress testing
Software sets insecure default permissions during installation or file creation, granting excessive access to resources.
💥 Impact
Local privilege escalation, unauthorized data access, credential exposure via world-readable config files
🌍 Real-World Examples
Docker socket world-readable (container escape), cloud storage buckets publicly accessible, /etc/shadow permissions misconfigured
🛡️ Prevention
- Set restrictive default permissions (umask 077)
- Follow principle of least privilege for files
- Audit permissions during CI/CD
- Infrastructure as Code with explicit permissions
- CIS Benchmarks for OS hardening
🔎 Detection
- File permission auditing tools
- CIS benchmark scanning
- Cloud posture management (CSPM)
- Configuration compliance monitoring
Interview Preparation
What is the CWE/SANS Top 25 and why is it important?
The CWE/SANS Top 25 is a list of the most dangerous software weaknesses ranked by prevalence and impact. Published by MITRE with input from the SANS Institute, it identifies vulnerability classes (not specific CVEs) that are most commonly exploited. It's important because:
1It provides a prioritized remediation roadmap — fixing these 25 weakness classes addresses the root cause of most vulnerabilities.
2It complements OWASP Top 10 (which focuses on web apps) by covering all software types including embedded, mobile, and desktop.
3It uses CWE identifiers which map to real CVEs, SAST/DAST findings, and security training.
4Many compliance frameworks reference CWE for secure coding requirements.
How do you prevent SQL Injection (CWE-89) in a modern application?
The #1 defense is parameterized queries (prepared statements) — NEVER concatenate user input into SQL strings. In practice:
1Use an ORM (Hibernate, SQLAlchemy, Prisma) which parameterizes by default.
2For raw queries, use parameter binding (?/@ placeholders).
3Apply input validation with allowlists (reject unexpected characters).
4Use least-privilege database accounts — web app should never use sa/root.
5Enable WAF rules as defense-in-depth.
6SAST in CI/CD to catch concatenated queries during code review.
7Stored procedures with parameterized inputs for critical operations.
8Database activity monitoring (DAM) for anomalous queries in production.
Explain the difference between CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization).
CWE-862 means NO authorization check exists — the code never verifies if the user has permission. This is common in APIs where developers focus on authentication but forget authorization. Example: any authenticated user can access /api/admin/users because no role check exists. CWE-863 means an authorization check EXISTS but is FLAWED — the logic is wrong. Example: checking user.role !== 'guest' instead of user.role === 'admin', allowing regular users to access admin functions. Both lead to privilege escalation but require different fixes: CWE-862 needs adding authorization middleware/decorators; CWE-863 needs fixing the existing logic and adding comprehensive test cases. OWASP API Security maps these to Broken Object-Level Authorization (#
1and Broken Function-Level Authorization (#5).
What are the top strategies for preventing memory safety vulnerabilities?
Memory safety issues (CWE-787, CWE-416, CWE-125, CWE-
4
7
6dominate the Top 25. Key strategies:
1Use memory-safe languages for new development — Rust (ownership model prevents UAF/buffer overflows), Go, Java, C#.
2For C/C++ code: enable compiler hardening (-fstack-protector, -D_FORTIFY_SOURCE, ASLR, DEP/NX), use smart pointers (unique_ptr/shared_ptr), and follow CERT C/C++ secure coding standards.
3Testing: AddressSanitizer (ASan) and MemorySanitizer (MSan) in CI/CD, continuous fuzzing (OSS-Fuzz), and regular SAST scans.
4Runtime: memory tagging (ARM MTE), Control Flow Integrity (CFI), and KASLR for kernel code.
5Code review focus on manual memory management, pointer arithmetic, and error handling paths.
How do you provide guidance on OWASP Top 10 and SANS/CWE Top 25 vulnerabilities — how they arise, how they are exploited, and how to prevent them?
Understanding the full lifecycle of each vulnerability class — root cause, exploitation, and defense — is essential for any AppSec professional.
1INJECTION FLAWS (OWASP A03, CWE-89 and CWE-78): How they arise — user input concatenated directly into SQL queries, OS commands, or LDAP queries without sanitization. Exploitation — attacker submits crafted input like OR 1=1-- in login fields to bypass authentication or extract data. Prevention — parameterized queries and prepared statements (never string concatenation), stored procedures, input validation with allowlists, ORM frameworks.
2BROKEN ACCESS CONTROL (OWASP A01, CWE-862 and CWE-639): How they arise — missing authorization checks on API endpoints, IDOR (Insecure Direct Object References) where user IDs are guessable, privilege escalation via role manipulation. Exploitation — change /api/user/123 to /api/user/456 to access another users data, modify hidden form fields or JWT claims to elevate privileges. Prevention — deny by default, enforce server-side authorization on every request, use indirect references (UUIDs), implement RBAC/ABAC, log all access failures.
3CROSS-SITE SCRIPTING (OWASP A03, CWE-79): How they arise — user-supplied data rendered in HTML without encoding. Stored XSS persists in database, Reflected XSS via URL parameters, DOM XSS via client-side JavaScript. Exploitation — inject script tags to steal session tokens via document.cookie. Prevention — context-aware output encoding (HTML, JS, URL, CSS contexts), Content Security Policy headers, DOMPurify for rich text, HttpOnly cookies.
4CRYPTOGRAPHIC FAILURES (OWASP A02, CWE-327 and CWE-328): How they arise — weak algorithms (MD5, SHA1 for passwords), hardcoded keys, missing encryption at rest or in transit. Exploitation — rainbow table attacks on unsalted hashes, MITM on unencrypted channels. Prevention — bcrypt/Argon2 for passwords, AES-256-GCM for data at rest, TLS 1.2+ everywhere, proper key management (HSM/KMS), never roll your own crypto.
5SECURITY MISCONFIGURATION (OWASP A05, CWE-16): How they arise — default credentials left unchanged, unnecessary services enabled, verbose error messages in production, missing security headers. Exploitation — access admin panels with admin/admin, read stack traces to map internal architecture. Prevention — hardening checklists per platform, automated configuration scanning (CIS Benchmarks), infrastructure-as-code with security baselines, remove unused features/frameworks.
- OWASP Top 10 groups vulnerability categories by risk (frequency x impact)
- SANS/CWE Top 25 lists specific weakness types by prevalence in real-world CVEs
- They overlap — e.g., OWASP A03 Injection maps to CWE-89 (SQLi), CWE-78 (OS Command Injection)
- Use OWASP for risk-based prioritization and developer training, use CWE for precise SAST rule mapping and vulnerability classification
