SANS CWE Coverage

Overview

SysAdmin, Audit, Network, Security (SANS) demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.

This article organizes Common Weakness Enumerations (CWEs) relevant to SANS.

Each row in the table below outlines a specific compliance standard, categorized by the following columns:

Compliance Standard: The specific category of the standard to which the CWE is mapped.
Languages: Supported programming languages.
CWE-ID: The relevant CWE for this standard, along with a short description.

SANS TOP 25 CWE Coverage

#	Languages	CWE-ID
1.	C/C++ (Beta)	CWE-125: Out-of-bounds Read
2.	C# Gen 2 JavaScript / TypeScript Gen 2 Python Gen 2	CWE-1333: Inefficient Regular Expression Complexity
3.	Java Gen 2	CWE-15: External Control of System or Configuration Setting
4.	C/C++ (Beta)	CWE-190: Integer Overflow or Wraparound
5.	ASP Classic/Visual Basic/VBScript C# C# Gen 2 Groovy Java Java Gen 2 Kotlin Kotlin Mobile PHP Python Python Gen 2 VB.Net Xamarin (C#)	CWE-20: Improper Input Validation
6.	ABAP ASP Classic/Visual Basic/VBScript C# C# Gen 2 C/C++ (Beta) ColdFusion Go Groovy Java Java Gen 2 JavaScript / Node.js JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP PLSQL Python Python Gen 2 R Ruby TypeScript VB.Net Xamarin (C#)	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
7.	Android Java Kotlin Mobile Xamarin (C#)	CWE-295: Improper Certificate Validation
8.	ABAP C# Groovy Java Java Gen 2 JavaScript / Node.js Kotlin Kotlin Mobile PHP TypeScript VB.Net Xamarin (C#)	CWE-400: Uncontrolled Resource Consumption
9.	C/C++ (Beta)	CWE-416: Use After Free
10.	ASP Classic/Visual Basic/VBScript C# Go Groovy Java JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP Ruby VB.Net	CWE-434: Unrestricted Upload of File with Dangerous Type
11.	C# C# Gen 2 Groovy Java Java Gen 2 JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP Python Python Gen 2 VB.Net Xamarin (C#)	CWE-502: Deserialization of Untrusted Data
12.	C# C# Gen 2 Groovy Java Java Gen 2 JavaScript / Node.js JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP Python Gen 2 R VB.Net	CWE-611: Improper Restriction of XML External Entity Reference
13.	C/C++ (Beta)	CWE-787: Out-of-bounds Write
14.	PHP	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
15.	Android Java Apex C# C# Gen 2 Go Groovy Java Java Gen 2 JavaScript / Node.js JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP Python Python Gen 2 R Ruby TypeScript VB.Net Xamarin (C#)	CWE-798: Use of Hard-coded Credentials
16.	JavaScript / Node.js JavaScript / TypeScript Gen 2 TypeScript	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
17.	ABAP ASP Classic/Visual Basic/VBScript Apex C# C# Gen 2 C/C++ (Beta) Cobol ColdFusion Go Groovy Java Java Gen 2 JavaScript / Node.js JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP PLSQL Python Python Gen 2 R Ruby TypeScript VB.Net Xamarin (C#)	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
18.	ASP Classic/Visual Basic/VBScript Apex C# C# Gen 2 Go Groovy Java Java Gen 2 JavaScript / Node.js JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP Python Gen 2 VB.Net	CWE-918: Server-Side Request Forgery (SSRF)
19.	ASP Classic/Visual Basic/VBScript C# Groovy Java Kotlin Kotlin Mobile VB.Net	CWE-94: Improper Control of Generation of Code ('Code Injection')