As the table below shows, Cross-Site Scripting, SQL Injection and Buffer Overflow are the three most common and serious programming errors that lead to vulnerabilities. The list was published recently, on 17 February 2010.
| Rank | Name |
|---|---|
| [1] | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| [2] | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') |
| [3] | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| [4] | Cross-Site Request Forgery (CSRF) |
| [5] | Improper Access Control (Authorization) |
| [6] | Reliance on Untrusted Inputs in a Security Decision |
| [7] | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| [8] | Unrestricted Upload of File with Dangerous Type |
| [9] | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') |
| [10] | Missing Encryption of Sensitive Data |
| [11] | Use of Hard-coded Credentials |
| [12] | Buffer Access with Incorrect Length Value |
| [13] | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| [14] | Improper Validation of Array Index |
| [15] | Improper Check for Unusual or Exceptional Conditions |
| [16] | Information Exposure Through an Error Message |
| [17] | Integer Overflow or Wraparound |
| [18] | Incorrect Calculation of Buffer Size |
| [19] | Missing Authentication for Critical Function |
| [20] | Download of Code Without Integrity Check |
| [21] | Incorrect Permission Assignment for Critical Resource |
| [22] | Allocation of Resources Without Limits or Throttling |
| [23] | URL Redirection to Untrusted Site ('Open Redirect') |
| [24] | Use of a Broken or Risky Cryptographic Algorithm |
| [25] | Race Condition |
Source: 2010 CWE/SANS Top 25 Most Dangerous Programming Errors