Cross-site scripting has become the single most popular hack, beating even the ever-popular buffer overflow. I’m reposting the MITRE report here, in a slightly modified format, for my own purposes.
The TOTAL column is each flaw type's share of all CVE entries across 2001–2006; the per-year cells give that year's share, with the flaw's rank for that year in parentheses. "…" marks a year in which the type was not ranked.

| Rank | Flaw | TOTAL | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 |
|---|---|---|---|---|---|---|---|---|
| | Total | 16192 | 1434 | 2138 | 1173 | 2534 | 4538 | 4375 |
| [ 1] | XSS | 13.9% | 02.2% (11) | 08.7% ( 2) | 07.5% ( 2) | 10.9% ( 2) | 16.0% ( 1) | 21.5% ( 1) |
| [ 2] | buf | 13.3% | 19.5% ( 1) | 20.3% ( 1) | 22.5% ( 1) | 15.4% ( 1) | 09.8% ( 3) | 07.9% ( 4) |
| [ 3] | sql-inject | 08.7% | 00.4% (28) | 01.8% (12) | 03.0% ( 4) | 05.5% ( 3) | 12.9% ( 2) | 14.0% ( 2) |
| [ 4] | dot | 04.7% | 08.9% ( 2) | 05.1% ( 3) | 02.9% ( 5) | 04.1% ( 4) | 04.3% ( 4) | 04.4% ( 5) |
| [ 5] | php-include | 03.5% | 00.1% (32) | 00.3% (30) | 00.8% (16) | 01.4% (10) | 02.1% ( 6) | 09.5% ( 3) |
| [ 6] | infoleak | 03.3% | 02.6% ( 9) | 04.2% ( 5) | 02.6% ( 7) | 03.7% ( 5) | 03.9% ( 5) | 02.6% ( 6) |
| [ 7] | dos-malform | 02.9% | 04.8% ( 3) | 05.1% ( 4) | 02.5% ( 8) | 03.4% ( 6) | 01.8% ( 8) | 02.0% ( 7) |
| [ 8] | link | 02.0% | 04.5% ( 4) | 02.1% ( 9) | 03.5% ( 3) | 02.8% ( 7) | 01.9% ( 7) | 00.5% (16) |
| [ 9] | format-string | 01.8% | 03.2% ( 7) | 01.8% (10) | 02.7% ( 6) | 02.4% ( 8) | 01.7% ( 9) | 01.0% (10) |
| [10] | crypt | 01.6% | 03.8% ( 5) | 02.7% ( 6) | 01.5% ( 9) | 00.9% (16) | 01.5% (10) | 00.9% (13) |
| [11] | priv | 01.4% | 02.5% (10) | 02.2% ( 8) | 01.0% (12) | 01.3% (11) | 01.5% (11) | 00.9% (12) |
| [12] | metachar | 01.3% | 03.8% ( 6) | 02.6% ( 7) | 00.7% (17) | 01.0% (14) | 01.3% (12) | 00.3% (21) |
| [13] | perm | 01.3% | 02.7% ( 8) | 01.8% (11) | 01.3% (11) | 00.9% (15) | 01.1% (13) | 01.1% ( 9) |
| [14] | int-overflow | 01.0% | 00.1% (30) | 00.4% (26) | 01.4% (10) | 01.9% ( 9) | 00.8% (14) | 01.2% ( 8) |
| [15] | dos-flood | 00.8% | 02.0% (12) | 01.7% (13) | 00.5% (19) | 01.2% (12) | 00.2% (27) | 00.4% (17) |
| [16] | pass | 00.8% | 01.1% (17) | 01.3% (15) | 00.2% (26) | 01.1% (13) | 00.8% (15) | 00.4% (18) |
| [17] | auth | 00.8% | 01.5% (13) | 01.3% (14) | 00.5% (20) | 00.7% (17) | 00.5% (19) | 00.7% (14) |
| [18] | webroot | 00.5% | 00.1% (29) | 00.2% (31) | 00.3% (25) | 00.2% (29) | 00.7% (16) | 00.9% (11) |
| [19] | form-field | 00.5% | 00.7% (23) | 00.8% (17) | 00.5% (21) | 00.2% (25) | 00.4% (20) | 00.5% (15) |
| [20] | relpath | 00.4% | 00.8% (22) | 00.3% (29) | 00.9% (14) | 00.6% (18) | 00.3% (23) | 00.3% (20) |
| [21] | race | 00.4% | 00.5% (26) | 00.4% (22) | 00.6% (18) | 00.4% (21) | 00.6% (17) | 00.3% (24) |
| [22] | memleak | 00.4% | 01.1% (18) | 00.2% (32) | 00.4% (22) | 00.5% (19) | 00.3% (22) | 00.2% (26) |
| [23] | msdos-device | 00.4% | 01.0% (20) | 00.6% (19) | 00.9% (13) | 00.2% (24) | 00.2% (28) | 00.0% (34) |
| [24] | crlf | 00.3% | … | 00.2% (33) | 00.1% (31) | 00.5% (20) | 00.4% (21) | 00.3% (19) |
| [25] | default | 00.3% | 01.1% (16) | 00.7% (18) | 00.1% (32) | 00.2% (26) | 00.1% (33) | 00.1% (29) |
| [26] | spoof | 00.3% | 01.0% (19) | 00.3% (28) | 00.1% (29) | 00.1% (33) | 00.2% (25) | 00.3% (25) |
| [27] | sandbox | 00.3% | 01.2% (15) | 01.0% (16) | … | 00.2% (31) | 00.0% (34) | … |
| [28] | rand | 00.3% | 01.2% (14) | 00.6% (20) | 00.3% (24) | 00.2% (32) | 00.0% (35) | 00.2% (27) |
| [29] | upload | 00.3% | … | 00.0% (36) | 00.1% (30) | 00.2% (27) | 00.5% (18) | 00.3% (22) |
| [30] | signedness | 00.2% | 00.1% (31) | 00.4% (23) | 00.8% (15) | 00.2% (22) | 00.3% (24) | 00.0% (32) |
| [31] | dos-release | 00.2% | 00.9% (21) | 00.5% (21) | 00.2% (27) | 00.2% (28) | … | … |
| [32] | CF | 00.2% | 00.7% (24) | 00.3% (27) | 00.2% (28) | … | 00.1% (31) | 00.1% (28) |
| [33] | eval-inject | 00.2% | … | … | … | 00.0% (35) | 00.2% (26) | 00.3% (23) |
| [34] | design | 00.1% | 00.6% (25) | 00.4% (24) | 00.1% (33) | 00.0% (34) | 00.1% (32) | 00.0% (31) |
| [35] | double-free | 00.1% | … | 00.1% (35) | 00.3% (23) | 00.2% (23) | 00.1% (30) | 00.1% (30) |
| [36] | CSRF | 00.1% | … | 00.0% (37) | … | 00.2% (30) | 00.2% (29) | 00.0% (33) |
| [37] | type-check | 00.1% | 00.4% (27) | 00.4% (25) | … | … | 00.0% (36) | 00.0% (35) |
| [38] | none | 00.0% | … | 00.1% (34) | … | … | … | … |

Unknown/unspecified items (share of entries, not ranked):

| Flaw | TOTAL | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 |
|---|---|---|---|---|---|---|---|
| unk | 09.0% | 07.9% | 07.1% | 07.0% | 08.2% | 08.9% | 11.5% |
| other | 15.2% | 16.7% | 19.0% | 11.8% | 17.2% | 13.1% | 14.9% |
| not-specified | 06.9% | 00.1% | 03.0% | 20.5% | 11.3% | 11.3% | 00.3% |
Continue reading for definitions:
Flaw Terminology
----------------
Type: other
Rank: [N/A]
Total vulns: 2467
Desc:
Other vulnerability; issue could not be described in version of
taxonomy that was available at the time the flaw type was determined.
Type: XSS
Rank: [1]
Total vulns: 2247
Desc:
Cross-site scripting (aka XSS)
Type: buf
Rank: [2]
Total vulns: 2156
Desc:
Buffer overflow
Type: unk
Rank: [N/A]
Total vulns: 1461
Desc:
Unknown vulnerability; report is too vague, or issue could not be
described in version of taxonomy that was available at the time the
flaw type was determined.
Type: sql-inject
Rank: [3]
Total vulns: 1416
Desc:
SQL injection vulnerability
Type: not-specified
Rank: [N/A]
Total vulns: 1119
Desc:
The analyst has not assigned a flaw type to the issue.
Type: dot
Rank: [4]
Total vulns: 764
Desc:
Directory traversal (file access via “..” or variants)
Type: php-include
Rank: [5]
Total vulns: 561
Desc:
PHP remote file inclusion
Type: infoleak
Rank: [6]
Total vulns: 540
Desc:
Information leak by a product, which is not the result of another
vulnerability; typically by design or by producing different “answers”
that suggest the state; often related to configuration / permissions
or error reporting/handling.
Type: dos-malform
Rank: [7]
Total vulns: 463
Desc:
DoS caused by malformed input
Type: link
Rank: [8]
Total vulns: 329
Desc:
Symbolic link following
Type: format-string
Rank: [9]
Total vulns: 296
Desc:
Format string vulnerability; user can inject format specifiers during
string processing.
Type: crypt
Rank: [10]
Total vulns: 261
Desc:
Cryptographic error (poor design or implementation)
Type: priv
Rank: [11]
Total vulns: 233
Desc:
Bad privilege assignment, or privileged process/action is
unprotected/unauthenticated.
Type: metachar
Rank: [12]
Total vulns: 218
Desc:
Unescaped shell metacharacters or other unquoted “special” characters;
currently includes SQL injection but not XSS.
Type: perm
Rank: [13]
Total vulns: 215
Desc:
Assigns bad permissions, improperly calculates permissions, or
improperly checks permissions
Type: int-overflow
Rank: [14]
Total vulns: 160
Desc:
A numeric value can be incremented to the point where it overflows and
begins at the minimum value, with security implications. Overlaps
signedness errors.
Type: dos-flood
Rank: [15]
Total vulns: 131
Desc:
DoS caused by flooding with a large number of *legitimately formatted*
requests/etc.; normally DoS is a crash, or spending a lot more time on
a task than it “should”
Type: pass
Rank: [16]
Total vulns: 125
Desc:
Default password
Type: auth
Rank: [17]
Total vulns: 124
Desc:
Weak/bad authentication problem
Type: webroot
Rank: [18]
Total vulns: 88
Desc:
Storage of sensitive data under web document root with insufficient
access control.
Type: form-field
Rank: [19]
Total vulns: 81
Desc:
CGI program inherently trusts form field that should not be modified
(i.e. should be stored locally)
Type: relpath
Rank: [20]
Total vulns: 71
Desc:
Untrusted search path vulnerability - Relies on search paths to find
other executable programs or files, opening up to Trojan horse
attacks, e.g. PATH environment variable in Unix.
Type: race
Rank: [21]
Total vulns: 69
Desc:
General race condition (NOT SYMBOLIC LINK FOLLOWING (link)!)
Type: memleak
Rank: [22]
Total vulns: 61
Desc:
Memory leak (doesn’t free memory when it should); use this instead of
dos-release
Type: msdos-device
Rank: [23]
Total vulns: 57
Desc:
Problem due to file names with MS-DOS device names.
Type: crlf
Rank: [24]
Total vulns: 49
Desc:
Type: spoof
Rank: [25]
Total vulns: 48
Desc:
Product is vulnerable to spoofing attacks, generally by not properly
verifying authenticity.
Type: default
Rank: [26]
Total vulns: 48
Desc:
Insecure default configuration, e.g. passwords or permissions
Type: sandbox
Rank: [27]
Total vulns: 46
Desc:
Java/etc. sandbox escape - NOT BY DOT-DOT!
Type: rand
Rank: [28]
Total vulns: 45
Desc:
Generation of insufficiently random numbers, typically by using easily
guessable sources of “random” data
Type: upload
Rank: [29]
Total vulns: 43
Desc:
Type: signedness
Rank: [30]
Total vulns: 38
Desc:
Signedness error; a numeric value in one format/representation is
improperly handled when it is used as if it were another
format/representation. Overlaps integer overflows and array index
errors.
Type: dos-release
Rank: [31]
Total vulns: 30
Desc:
DoS because system does not properly release resources
Type: CF
Rank: [32]
Total vulns: 29
Desc:
General configuration problem
Type: eval-inject
Rank: [33]
Total vulns: 25
Desc:
Eval injection
Type: design
Rank: [34]
Total vulns: 23
Desc:
Design problem, generally in protocols or programming languages
Type: double-free
Rank: [35]
Total vulns: 21
Desc:
Double-free vulnerability
Type: type-check
Rank: [36]
Total vulns: 16
Desc:
Product incorrectly identifies the type of an input parameter or file,
then dispatches the wrong “executable” (possibly itself) to process
the input, or otherwise misrepresents the input in a security-critical
way.
Type: CSRF
Rank: [37]
Total vulns: 16
Desc:
Type: none
Rank: [38]
Total vulns: 2
Desc:
0 Responses to “State of the hack”