Thread-topic: Vulnerability Type Distributions in CVE
> -----Original Message-----
> From: Steven M. Christey [mailto:coley@xxxxxxxxxxxxxxx]
> Sent: Thursday, October 05, 2006 3:19 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Vulnerability Type Distributions in CVE
>
>
> (note: HTML versions of the tables in this paper are included on the
> web site, whose URL is given below. Some mailing list programs seem
> to be mishandling the encoding of the HTML tables, or rejecting them
> due to size constraints.)
>
>
> ==========================================================
> Vulnerability Type Distributions in CVE
> ==========================================================
> Author: Steve Christey
> Date: October 4, 2006
> Document version: 1.0
> URL: http://cwe.mitre.org/documents/vuln-trends.html
>
>
> This is a draft report and does not represent an official position of
> The MITRE Corporation. Copyright (c) 2006, The MITRE Corporation. All
> rights reserved. Permission is granted to redistribute this document
> if this paragraph is not removed. This document is subject to change
> without notice.
>
>
> =============================
> ===== Table of Contents =====
> =============================
>
> Introduction
> Summary of Results
> Data Sets
> Trend Table Color Key
> Table 1 Analysis: Overall Trends
> Table 2 and 3 Analysis: OS vs. non-OS
> Table 4 Analysis: Open and Closed Source
> Possible Future Work
> Notes on Potential Bias
> (In)Frequently Asked Questions
> Credits
> References
> Flaw Terminology
> Table 1: Overall Results
> Table 2: OS Vendors
> Table 3: OS Vendors vs. Others
> Table 4: Open and Closed Source (OS vendors)
>
>
> ========================
> ===== Introduction =====
> ========================
>
> For the past 5 years, CVE has been tracking the types of errors that
> lead to publicly reported vulnerabilities, and periodically reporting
> trends on a limited scale. In support of the Common Weakness
> Enumeration (CWE) project [1], and as a result of the interest in this
> work as mentioned during the "Year of the web application: Hack & Data
> from the Front lines" panel at the 5th Annual Cyber Security Executive
> Summit in New York City on September 13, 2006, we have published a
> more extensive analysis. An updated version will be released once
> 2006 is complete.
>
> The primary goal of this study is to better understand research trends
> using publicly reported vulnerabilities. It should be noted that the
> data is obtained from an uncontrolled population, i.e., decentralized
> public reports from a research community with diverse goals and
> interests, with an equally diverse set of vendors and developers.
> More specialized, exhaustive, and repeatable methods could be devised
> to evaluate software security. But until such methods reach maturity
> and widespread acceptance, the overall state of software security can
> be viewed through the lens of public reports.
>
> ==============================
> ===== Summary of Results =====
> ==============================
>
> 1) The total number of publicly reported web application
> vulnerabilities has risen sharply, to the point where they have
> overtaken buffer overflows. This is probably due to ease of
> detection and exploitation of web vulnerabilities, combined with
> the proliferation of low-grade software applications. In 2005 and
> 2006, cross-site scripting (XSS) was number 1, and SQL injection
> was number 2. PHP remote file inclusion is number 3 in 2006;
> because it allows arbitrary code execution on a vulnerable server,
> this is a worrisome trend, although proper configuration is
> frequently enough to eliminate it.
>
> 2) Buffer overflows are still the number 1 issue as reported in
> operating system (OS) vendor advisories. XSS is still high in this
> category, at number 2 in 2005 and number 3 in 2006, although other
> web application vulnerabilities appear much less frequently.
>
> 3) Integer overflows, barely in the top 10 overall in the past few
> years, are in the top 3 for OS vendor advisories. This might
> indicate expert researcher interest in high-profile software.
>
> 4) There are noticeable differences in the types of vulnerabilities
> being reported in open and closed source OS vendor advisories.
> These merit further investigation because they might reflect
> important differences in development, research, and disclosure
> practices.
>
> 5) The data is inconclusive regarding whether there is a concrete
> improvement in overall software security. While there is a rise in
> "new" vulnerability classes, the raw numbers for older classes have
> not changed significantly. Further investigation is also required
> in this area.
>
>
> =====================
> ===== Data Sets =====
> =====================
>
> Three main data sets were used in this analysis.
>
> OVERALL: this data set consists of all CVEs that were first publicly
> reported in 2001 or later (earlier CVEs do not have the appropriate
> fields filled out.) CVE includes all types of software, whether from
> a major vendor or an individual hobbyist programmer, as long as the
> associated vulnerability has been reported by the developer or posted
> by a researcher or third party to sources such as mailing lists and
> vulnerability databases. CVE only includes distributable software,
> i.e., it does not include issues that are reported for custom software
> in specific web sites. While CVE data is incomplete, it is estimated
> that it is 80% complete relative to all major mailing lists and
> vulnerability databases, with the likely exception of data from 2003.
>
> OS VENDOR: this data set identifies CVEs that are associated with
> operating system (OS) vendor advisories, which would capture
> vulnerabilities in the kernel, as well as applications that are
> supported by the OS vendor. The data was limited to CVEs that have
> one or more references from the following sources. For open source OS
> vendors, the following sources were used: DEBIAN, FREEBSD,
> MANDRAKE/MANDRIVA, NETBSD, OPENBSD, REDHAT, and SUSE. The closed
> source OS vendors included: AIXAPAR, APPLE, CISCO, HP, MS, MSKB, SCO,
> SGI, SUN, and SUNALERT. CVE does not have the internal data fields to
> support more fine-grained analysis for major non-OS vendors.
>
> OPEN/CLOSED SOURCE: open and closed source operating system (OS)
> vendors were identified using the same methods and categories as
> described in the
> "OS VENDOR" section. Because some closed source vendors such as Apple
> have significant codebase overlap with open source products, any
> overlapping CVEs were removed from the data set. Both open and closed
> sets had at least 1700 vulnerabilities.
>
> In each data set, vulnerabilities were not removed if they were marked
> as "disputed." Many disputes are incorrect or unresolved.
>
> =================================
> ===== Trend Table Color Key =====
> =================================
>
> In the HTML pages, the following color key is used for trend tables.
>
> GRAY: used in comparisons to help visually separate one data set from
> another
>
> RED: a top 10 for that year
>
> GREEN: during that year, the vulnerability's rank was at least 5
> points BELOW the average rank for that vulnerability
>
> YELLOW: during that year, the vulnerability's rank was at least 5
> points ABOVE the average rank for that vulnerability
>
> So, green on the left indicates vulns with RISING popularity, as will
> yellow on the right. Green on the right indicates vulns with FALLING
> popularity, as will yellow on the left.
>
>
> ============================================
> ===== Table 1 Analysis: Overall Trends =====
> ============================================
>
> The most notable trend is the sharp rise in public reports for
> vulnerabilities that are specific to web applications.
>
> Buffer overflows were number 1 year after year, but that changed in
> 2005 with the rise of web application vulnerabilities, including
> cross-site scripting (XSS), SQL injection, and remote file inclusion,
> although SQL injection is not limited just to web applications. In
> fact, so far in 2006, buffer overflows are only #4.
>
> There are probably several contributing factors to this increase in
> web vulnerabilities:
>
> 1) The most basic data manipulations for these vulnerabilities are
> very simple to perform, e.g., "'" for SQL injection and
> "<script>alert('hi')</script>" for XSS. This makes it easy for
> beginning researchers to quickly test large amounts of software.
>
> 2) There is a plethora of freely available web applications. Much of
> the code is alpha or beta, written by inexperienced programmers
> with easy-to-learn languages such as PHP, and distributed on
> high-traffic sites. The applications might have a small or
> non-existent user base. Such software is often rife with
> easy-to-find vulnerabilities, and it is often a target for
> beginning researchers. The large number of these
> "fish-in-a-barrel" applications is probably a major contributor to
> the overall trends.
>
> 3) With XSS, every input has the potential to be an attack vector,
> which does not occur with other vulnerability types. This leaves
> more opportunity for a single mistake to occur in a program that
> otherwise protects against XSS. SQL injection also has many
> potential attack vectors.
>
> 4) Despite popular opinion that XSS is easily prevented, it has many
> subtleties and variants. Even solid applications can have flaws in
> them; consider non-standard browser behaviors that try to "fix"
> malformed HTML, which might slip by a filter that uses regular
> expressions. Finally, until early 2006, the PHP interpreter had a
> vulnerability in which it did not quote error messages, but many
> researchers only reported the surface-level "resultant" XSS instead
> of figuring out whether there was a different "primary"
> vulnerability that led to the error.
>
> 5) There is some evidence that over the past couple of years, web
> defacers have taken an interest in performing and publishing their
> own research. This is probably due to the ease of finding
> vulnerabilities, combined with the presence of high-risk problems
> such as PHP file inclusion, which can be used to remotely install
> powerful, easily-available backdoor code. Based on customer posts
> to numerous vendor forums, there is solid evidence that remote file
> inclusion is regularly used to compromise web servers, which also
> helps to explain its popularity.
>
>
> Overall Trends: Other Interesting Results
> -----------------------------------------
>
> 1) For 2006, the top 5 vulnerability types are responsible for 57% of
> all CVEs. With over 35 vulnerability types used in this report,
> and dozens more as currently identified in CWE, this shows how most
> public reports concentrate only on a handful of vulnerability
> types.
>
> 2) PHP remote file inclusion (php-include) has been steadily gaining
> ground since 2001, enough so that it is number 3 at this point in
> 2006. See items (2) and (5) from the previous section for a
> possible explanation.
>
> 3) Over the years, there has been a noticeable decline in shell
> metacharacters, symbolic link following, and directory traversal.
> It is unclear whether software is actually improving with respect
> to these problems, or if they are not investigated as frequently.
>
> 4) Information leaks (infoleak) appear regularly. There are 2 main
> reasons for the prominence: "information leak" is a more general
> class than others (see CWE for more precise sub-categories), and
> when an error message includes a full path, that is usually
> categorized as an information leak, although it might be resultant
> from a separate primary vulnerability.
>
> 5) The inability to handle malformed inputs (dos-malform), which
> usually leads to a crash or hang, is also a general class.
> Malformed-input vulnerabilities have not been studied as closely as
> injection vulnerabilities, at least with respect to identifying the
> root cause of the problem. Also, many reports do not specify how
> an input is malformed. There are likely many cases in which a
> researcher accidentally triggers a more serious vulnerability but
> does not perform sufficient diagnosis to determine the primary
> issue. Finally, vendor reports might only identify an issue as
> being related to "malformed input," which obscures the primary
> cause.
>
> 6) As the percentage of buffer overflows has declined, there has been
> an increase in related vulnerability types, including integer
> overflows (int-overflow), signedness errors, and double frees
> (double-free). These are still very low-percentage, probably due
> to their relative newness and difficulty of detection compared to
> classic overflows. In addition, these newly emerging vulnerability
> types might be labeled as buffer overflows, since they often lead
> to buffer overflows, and the "buffer overflow" term is used
> interchangeably for attack, cause, and effect.
>
> 7) Other interesting web application vulnerabilities are webroot
> (storage of sensitive files under the web document root),
> form-field (web parameter tampering), upload of files with
> executable extensions (e.g., file.php.gif), eval injection, and
> Cross-Site Request Forgery (CSRF).
>
>
> ==================================================
> ===== Table 2 and 3 Analysis: OS vs. non-OS =====
> ==================================================
>
> Given the increase in web application vulnerabilities and the
> likelihood that it is partially due to researcher interest in software
> with small user bases, an analysis was performed based solely on
> advisories from operating system (OS) vendors. These advisories
> frequently include the OS kernel and key applications that are
> supported by the vendor. See the Data Sets section for more
> information. Unfortunately, more precise data sets could not be
> generated.
>
> Table 2 provides the data for OS vendor advisories alone. Table 3
> contrasts the OS vendor advisories with all other reported issues.
>
> There are several notable results:
>
> 1) Integer overflows are heavily represented in OS vendor advisories,
> rising to number 2 so far in 2006, even though they represent a
> small percentage of vulnerabilities overall. This probably
> reflects growing interest by expert researchers in finding integer
> overflows, along with the tendency of expert researchers to
> evaluate widely deployed software. The affected software ranges
> widely, including the kernel, cryptographic modules, and multimedia
> file processors such as image viewers and music players. After
> 2004, many of the reported issues occur in libraries or common
> DLLs.
>
> 2) Buffer overflows are still #1. This is probably due to
> under-representation of web applications in OS advisories, relative
> to other CVEs. In addition, as related issues like integer
> overflows increase, they might be detected or reported as buffer
> overflows, since buffer overflows are frequently resultant from
> integer overflows.
>
> 3) XSS is still very common, even in OS advisories, and it appears
> with the same frequency as integer overflows in 2006. An informal
> analysis shows that the affected software includes web servers, web
> browsers, email clients, administrative interfaces, and Wiki/CMS.
>
> 4) With the exception of XSS, there is a wide gulf between web-related
> vulnerabilities in OS advisories and other issues. SQL injection
> is not even in the top 10 for OS advisories, and PHP remote file
> inclusion is practically nonexistent. Many other web-related
> vulnerabilities occupy the bottom of the chart. For SQL injection,
> it is possible that most OS-supported applications do not use
> databases, or aren't web accessible. SQL injection vulnerabilities
> are not web-specific, but it seems that they are rarely reported
> for non-web applications, so it is possible that this reflects some
> researcher bias.
>
> 5) Directory traversal and format string vulnerabilities are
> frequently reported at a higher rate in OS vendor advisories than
> elsewhere. The reason is unclear, because these vulnerabilities
> are not restricted to local attack vectors, so one might expect
> that they would also appear regularly in web applications.
> However, it is likely that researchers do not focus on format
> strings because they are rarely exploitable for code execution in
> languages other than C. In the case of PHP, many PHP functions are
> subject to both remote file inclusion and directory traversal, and
> it might be that only the file inclusion is publicly reported. (In
> fact, the overlap is so close that this sometimes causes
> difficulties with classification).
>
> 6) In 2006 so far, more than a quarter (27%) of the OS vendor
> advisories did not have sufficient details to actually classify the
> vulnerability (type "unk"). This is in sharp contrast to the
> non-OS issues, which comprise less than 8%. However, because of
> the data sets in question, the non-OS CVEs will include many
> non-coordinated disclosures that would, by their nature, require
> more details. The next table will demonstrate that it is not just
> closed source vendor advisories that omit sufficient details for
> vulnerability classification.
>
> 7) The "top 5" and "top 10" vulnerabilities in each year are a much
> smaller percentage of total vulnerabilities in OS vendor advisories
> than non-OS issues. For example, in 2005, the top 5 totaled 29.4%
> for OS issues, but 55% for non-OS. For OS issues, this suggests an
> increasing diversity in the kinds of vulnerabilities being
> reported, whereas for other issues, that diversity appears to be
> decreasing. However, this could be another reflection of the
> domination of web application vulnerabilities.
>
>
>
> ====================================================
> ===== Table 4 Analysis: Open and Closed Source =====
> ====================================================
>
> Table 4 compares the vulnerability type distribution between the open
> source and closed source operating system (OS) vendors. See the "Data
> Sets" section for more information on how the data sets were
> generated. As a reminder, CVEs that overlapped both open and closed
> source sets were omitted.
>
> IMPORTANT: it is inappropriate to use these results to compare the
> relative security of open and closed source products, so the report
> excludes raw numbers. Both sets had at least 1700 vulnerabilities.
> There are too many variations in vendor advisory release policies,
> possible differences in research techniques, and other factors cited
> in [2]. And, simply put, there is too much potential for raw numbers
> to be misused and misinterpreted.
>
> However, some results pose interesting questions that merit more
> in-depth investigation. These discrepancies might reflect differences
> in vulnerability research techniques, researcher sub-communities,
> vendor disclosure policies, and development practices and APIs, but
> this has not been proven.
>
> The research and vendor communities are encouraged to investigate the
> underlying causes for these differences, which could provide lessons
> learned for all software developers, open and closed source alike.
>
> Some of the most notable results are:
>
> 1) The percentage of "unknown" vulnerabilities - those that could not
> be classified due to lack of details - is significantly higher in
> closed source than open source advisories, and 45% so far for 2006.
> With such a wide discrepancy, it is difficult to know whether any
> of the remaining results in this section are significant. It
> should be noted that 10% of issues in open source advisories do not
> have enough details to classify the problem.
>
> 2) Buffer overflows are number 1 for both open and closed, with
> roughly the same percentage over the years.
>
> 3) Symbolic link vulnerabilities appear at a higher rate in open
> source than closed source, although this might be due to the
> non-Unix OSes in the data set. While Windows has "shortcuts"
> (.LNK) that are similar to Unix links, they appear very rarely in
> Microsoft advisories, or for Windows-based applications. It is not
> clear whether this is due to under-research or API/development
> differences. The author recalls that at least one Linux researcher
> appeared to concentrate on symbolic link issues in 2004 and 2005,
> so researcher bias might also be a factor.
>
> 4) Malformed-input vulnerabilities appear more frequently in closed
> source advisories than open source. This might be due to a lack of
> details in closed source advisories. If an advisory mentions a
> problem due to "malformed data," it might be assigned the
> dos-malform type. Another factor might be due to black box
> techniques. It seems likely that fuzzers and other tools would be
> used more frequently against closed source products than open
> source, but this is not known.
>
> 5) XSS vulnerabilities appear more frequently in open source
> advisories than closed, but this might be a reflection of vendor
> release policies for advisories. It seems that open source vendors
> are more likely to release advisories for smaller packages.
>
> 6) Format string vulnerabilities appear more frequently in open
> source. There are probably several factors. First, susceptible
> API library calls such as printf() are easily found in source code
> using crude methods, whereas binary reverse engineering techniques
> are not conducted by many researchers (this might also be an
> explanation for symbolic link issues). Second, many format string
> problems seem to occur in rarely-triggered error conditions, which
> makes them more difficult to test with black box methods.
>
> Perhaps most surprising: it appears that, since 2003, the non-Unix
> closed source advisories have not mentioned any format strings. It
> is not clear why there would be such a radical difference, although
> it could be due to the lack of details in those advisories.
>
> 7) Integer overflows have been roughly the same rank for open and
> closed source. This is a curious similarity, since one might not
> expect open and closed source analysis techniques to be equally
> capable in finding these problems.
>
> 8) Another interesting example is in the use of default passwords.
> Over the years, very few open source vendor advisories have
> mentioned default passwords, whereas they appear with some
> regularity in closed source advisories. It is not clear whether
> this is a difference in shipping/configuration practices or vendor
> disclosure policies.
>
> 9) Shell metacharacter issues appear less frequently in non-Unix
> closed source than other closed source advisories. This result was
> found by a separate analysis; it is not evident in Table 4. This
> could be due to usage patterns of API functions such as
> CreateProcess() for Windows, and system() for Unix. This result is
> being reported because it is the most concrete example of how API
> functions might play a role in implementation-level
> vulnerabilities.
>
>
> ================================
> ===== Possible Future Work =====
> ================================
>
> 1) The vulnerability types could be tied to other CVE-normalized data,
> such as IDS, incident databases, or vulnerability scanning results.
> This could determine the types of vulnerabilities that are being
> actively exploited or detected in real-world enterprises.
>
> 2) More precise classification could be informative. Approximately
> 30% of CVEs have vulnerability types that cannot be described using
> the current classification scheme. Another 15% are "unknown"
> vulnerabilities whose disclosures do not have sufficient details to
> determine any vulnerability type, but this problem is unavoidable,
> since some vendors do not release these details.
>
> 3) A crude measure of researcher diversity might be possible by
> linking data to other vulnerability databases that record this
> information. This could be used to determine if the raw number of
> researchers is increasing (probably), how that rate is increasing
> relative to the number of vulnerabilities (unknown), and how many
> different bug types are found by the average researcher (probably
> fairly small). If such data is available, then a further breakdown
> could be performed based on professional researchers versus others.
>
> 4) More precise data sets could be identified, such as a cross-section
> of market leaders in various product categories, not just OS vendor
> advisories. CVE does not record this type of information.
>
> ===================================
> ===== Notes on Potential Bias =====
> ===================================
>
> The diversity of both researchers and vendor disclosure practices
> introduces several unmeasurable biases, as described in more detail in
> [2].
>
> In the overall results, 2003's issues have 20% with vulnerabilities
> that are "not specified" by the CVE analyst, which is inconsistent
> with statistics from other years. Many of these vulnerabilities were
> reviewed after this discovery, and they are in fact of type "other."
> This discrepancy has not been sufficiently explained, although it is
> probably at least partially due to the relative percentage of CVEs in
> OS vendor advisories to other CVEs, since 2003 was a low-output year
> for CVE and thus the concentration was in high-priority software.
>
> Some vulnerability types are probably under-represented due to
> classification difficulty. For example, the "form-field" type (web
> parameter tampering) might occasionally get classified as an
> authentication error, depending on how the original researcher reports
> the issue.
>
>
> ==========================================
> ===== (In)Frequently Asked Questions =====
> ==========================================
>
> 1) Why aren't you giving out raw numbers for open vs. closed source?
>
> Answer: we already said why. See paragraph 2 of the Table 4
> analysis for a reminder.
>
> 2) Why are you releasing this report now, with incomplete 2006 data?
>
> Answer: when MITRE mentioned the preliminary results at the Cyber
> Security Executive Summit on September 13, there was a lot more
> interest than we had originally anticipated. Subsequent discussion
> of the results might help us to provide a better report when 2006
> is done.
>
> 3) How does this compare with the other summaries you've posted in the
> past? Why have the numbers and percentages changed for older
> years?
>
> Answer: (1) we occasionally add CVEs for older issues, (2) some of
> the previously released summaries were cumulative instead of
> offering a year-by-year breakdown, and (3) eventually, as a new
> type of vulnerability is reported more frequently, the CVE project
> notices it enough to give it a name, or at least a type. Once we
> do that, we can go back and update the older CVEs that also had the
> issue. However, we often rely on keyword searches in CVE
> descriptions for doing these kinds of updates. The earliest
> reports of new vulnerability types probably don't get captured
> fully, because CVE descriptions frequently vary in the early days
> or months of a new vulnerability type. Most updates to these
> vulnerability trends trigger an informal review of the "other"
> vulnerabilities for the data set in order to update the type
> fields.
>
> 4) There are a lot more vulnerability types than what you've covered.
>
> Answer: That's an observation, not a question. If a certain
> vulnerability type is not on the list, then it probably didn't
> appear frequently enough for the CVE project to track closely.
> There are several reasons: (1) the vulnerability type is selected
> from a large dropdown menu during CVE refinement, but also (2) our
> work in the Common Weakness Enumeration (CWE) is producing hundreds
> of vuln types, and we want that to become a little more stable
> before doing the next round of modifications to CVE data. Finally,
> (3) with approximately 3,500 vulnerabilities marked "other" or "not
> specified", it is cost-prohibitive to review each CVE when the set
> of categories is updated.
>
> 5) Why isn't my favorite web vulnerability here?
>
> Answer: Many web vulnerabilities are difficult to classify because
> they are "multi-factor," i.e., they are composed of multiple bugs,
> weaknesses, and/or design limitations. Other web issues are really
> just specialized attacks that use other primary vulnerabilities.
> For example, most HTTP response splitting problems rely on CRLF
> injection, so they are classified under CRLF injection.
>
>
> ===================
> ===== Credits =====
> ===================
>
> Large-scale trend analyses like this are not possible without the body
> of knowledge that has been formed by hundreds or thousands of
> researchers, from hobbyists to professionals.
>
> Thanks to the following for substantive feedback on the initial draft,
> sometimes in the form of a question that required more investigation:
> Bill Heinbockel, Chris Wysopal, and Mark Curphey.
>
>
> ======================
> ===== References =====
> ======================
>
> [1] CWE, http://cwe.mitre.org
>
> [2] "Open Letter on the Interpretation of 'Vulnerability Statistics'"
> Bugtraq, Full-Disclosure
> January 5, 2006
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041028.html
>
>
> ============================
> ===== Flaw Terminology =====
> ============================
>
> Type: auth
> CWE: CWE-289, CWE-288, CWE-302, CWE-305, CWE-294, CWE-290,
> CWE-287, CWE-303
> Description:
> Weak/bad authentication problem
>
> Type: buf
> CWE: CWE-119, CWE-120, others
> Description:
> Buffer overflow
>
> Type: CF
> CWE: none
> Description:
> General configuration problem, not perm or default
>
> Type: crlf
> CWE: CWE-93
> Description:
> CRLF injection
>
> Type: crypt
> CWE: CWE-310, CWE-311, CWE-347, CWE-320, CWE-325
> Description:
> Cryptographic error (poor design or implementation), including
> plaintext storage/transmission of sensitive information.
>
> Type: CSRF
> CWE: CWE-352
> Description:
> Cross-Site Request Forgery (CSRF)
>
> Type: default
> CWE: N/A
> Description:
> Insecure default configuration, e.g., passwords or permissions
>
> Type: design
> CWE: none
> Description:
> Design problem, generally in protocols or programming languages.
> Since 2005, its use has been limited due to the highly general nature
> of this type.
>
> Type: dos-flood
> CWE: CWE-400
> Description:
> DoS caused by flooding with a large number of *legitimately formatted*
> requests/etc.; normally DoS is a crash, or spending a lot more time on
> a task than it "should"
>
> Type: dos-malform
> CWE: CWE-238, CWE-234, CWE-166, CWE-230, many others
> Description:
> DoS caused by malformed input
>
> Type: dos-release
> CWE: CWE-404
> Description:
> DoS because system does not properly release resources
>
> Type: dot
> CWE: CWE-22, CWE-23, CWE-36
> Description:
> Directory traversal (file access via ".." or variants)
>
> Type: double-free
> CWE: CWE-415
> Description:
> Double-free vulnerability
>
> Type: eval-inject
> CWE: CWE-95
> Description:
> Eval injection
>
> Type: form-field
> CWE: CWE-472
> Description:
> CGI program inherently trusts form field that should not be modified
> (i.e., should be stored locally)
>
> Type: format-string
> CWE: CWE-134
> Description:
> Format string vulnerability; user can inject format specifiers during
> string processing.
>
> Type: infoleak
> CWE: CWE-205, CWE-212, CWE-203, CWE-209, CWE-207, CWE-200,
> CWE-215, others
> Description:
> Information leak by a product, which is not the result of another
> vulnerability; typically by design or by producing different "answers"
> that suggest the state; often related to configuration / permissions
> or error reporting/handling.
>
> Type: int-overflow
> CWE: CWE-190
> Description:
> A numeric value can be incremented to the point where it overflows and
> begins at the minimum value, with security implications. Overlaps
> signedness errors.
>
> Type: link
> CWE: CWE-61, CWE-64
> Description:
> Symbolic link following
>
> Type: memleak
> CWE: CWE-401
> Description:
> Memory leak (doesn't free memory when it should); use this instead of
> dos-release
>
> Type: metachar
> CWE: CWE-78
> Description:
> Unescaped shell metacharacters or other unquoted "special" char's;
> currently includes SQL injection but not XSS.
>
> Type: msdos-device
> CWE: CWE-67
> Description:
> Problem due to file names with MS-DOS device names.
>
> Type: not-specified
> CWE: none
> Description:
> The CVE analyst has not assigned a flaw type to the issue, typically
> similar to "other".
>
> Type: other
> CWE: none
> Description:
> Other vulnerability; issue could not be described with an available
> type at the time of analysis.
>
> Type: pass
> CWE: CWE-259
> Description:
> Default or hard-coded password
>
> Type: perm
> CWE: CWE-276
> Description:
> Assigns bad permissions, improperly calculates permissions, or
> improperly checks permissions
>
> Type: php-include
> CWE: CWE-98
> Description:
> PHP remote file inclusion
>
> Type: priv
> CWE: CWE-266, CWE-274, CWE-272, CWE-250, CWE-264, CWE-265,
> CWE-268, CWE-270, CWE-271, CWE-269, CWE-267
> Description:
> Bad privilege assignment, or privileged process/action is
> unprotected/unauthenticated.
>
> Type: race
> CWE: CWE-362, CWE-366, CWE-364, CWE-367, CWE-421, CWE-368,
> CWE-363, CWE-370
> Description:
> General race condition (NOT SYMBOLIC LINK FOLLOWING (link)!)
>
> Type: rand
> CWE: CWE-330, CWE-331, CWE-332, CWE-338, CWE-342, CWE-341,
> CWE-339, others
> Description:
> Generation of insufficiently random numbers, typically by using easily
> guessable sources of "random" data
>
> Type: relpath
> CWE: CWE-426, CWE-428, CWE-114
> Description:
> Untrusted search path vulnerability - Relies on search paths to find
> other executable programs or files, opening up to Trojan horse
> attacks, e.g., PATH environment variable in Unix.
>
> Type: sandbox
> CWE: CWE-265
> Description:
> Java/etc. sandbox escape - NOT BY DOT-DOT!
>
> Type: signedness
> CWE: CWE-195, CWE-196
> Description:
> Signedness error; a numeric value in one format/representation is
> improperly handled when it is used as if it were another
> format/representation. Overlaps integer overflows and array index
> errors.
>
> Type: spoof
> CWE: CWE-290, CWE-350, CWE-347, CWE-345, CWE-247, CWE-292, CWE-291
> Description:
> Product is vulnerable to spoofing attacks, generally by not properly
> verifying authenticity.
>
> Type: sql-inject
> CWE: CWE-89
> Description:
> SQL injection vulnerability
>
> Type: type-check
> CWE: unknown
> Description:
> Product incorrectly identifies the type of an input parameter or file,
> then dispatches the wrong "executable" (possibly itself) to process
> the input, or otherwise misrepresents the input in a security-critical
> way.
>
> Type: unk
> CWE: none
> Description:
> Unknown vulnerability; report is too vague to determine type of issue.
>
> Type: upload
> CWE: CWE-434
> Description:
> Product does not restrict the extensions for files that can be
> uploaded to the web server, leading to code execution if executable
> extensions are used in filenames, such as .asp, .php, and .shtml.
>
> Type: webroot
> CWE: CWE-219, CWE-433
> Description:
> Storage of sensitive data under web document root with insufficient
> access control.
>
> Type: XSS
> CWE: CWE-79, CWE-80, CWE-87, CWE-85, CWE-82, CWE-81, CWE-83, CWE-84
> Description:
> Cross-site scripting (aka XSS)
>
>
>
> ====================================
> ===== Table 1: Overall Results =====
> ====================================
>
>
>                     TOTAL       2001        2002        2003        2004        2005        2006
>                     (16192)     (1434)      (2138)      (1173)      (2534)      (4538)      (4375)
>                     ----------  ----------  ----------  ----------  ----------  ----------  ----------
> [ 1] XSS             13.9% ( 1)  02.2% (11)  08.7% ( 2)  07.5% ( 2)  10.9% ( 2)  16.0% ( 1)  21.5% ( 1)
>                     2247        32          187         88          276         725         939
> [ 2] buf             13.3% ( 2)  19.5% ( 1)  20.3% ( 1)  22.5% ( 1)  15.4% ( 1)  09.8% ( 3)  07.9% ( 4)
>                     2156        279         433         264         391         445         344
> [ 3] sql-inject      08.7% ( 3)  00.4% (27)  01.8% (12)  03.0% ( 4)  05.5% ( 3)  12.9% ( 2)  14.0% ( 2)
>                     1416        6           38          35          140         584         613
> [ 4] dot             04.7% ( 4)  08.9% ( 2)  05.1% ( 3)  02.9% ( 5)  04.1% ( 4)  04.3% ( 4)  04.4% ( 5)
>                     764         127         110         34          104         195         194
> [ 5] php-include     03.5% ( 5)  00.1% (31)  00.3% (30)  00.8% (15)  01.4% (10)  02.1% ( 6)  09.5% ( 3)
>                     561         1           6           9           36          95          414
> [ 6] infoleak        03.3% ( 6)  02.6% ( 9)  04.2% ( 5)  02.6% ( 7)  03.7% ( 5)  03.9% ( 5)  02.6% ( 6)
>                     540         37          89          30          95          175         114
> [ 7] dos-malform     02.9% ( 7)  04.8% ( 3)  05.1% ( 4)  02.5% ( 8)  03.4% ( 6)  01.8% ( 8)  02.0% ( 7)
>                     463         69          110         29          87          82          86
> [ 8] link            02.0% ( 8)  04.5% ( 4)  02.1% ( 9)  03.5% ( 3)  02.8% ( 7)  01.9% ( 7)  00.5% (16)
>                     329         64          45          41          72          87          20
> [ 9] format-string   01.8% ( 9)  03.2% ( 7)  01.8% (11)  02.7% ( 6)  02.4% ( 8)  01.7% ( 9)  01.0% (10)
>                     296         46          39          32          61          76          42
> [10] crypt           01.6% (10)  03.8% ( 6)  02.7% ( 6)  01.5% ( 9)  00.9% (16)  01.5% (10)  00.9% (11)
>                     261         55          58          18          22          68          40
> [11] priv            01.4% (11)  02.5% (10)  02.2% ( 8)  01.0% (12)  01.3% (11)  01.5% (11)  00.9% (12)
>                     233         36          46          12          32          67          40
> [12] metachar        01.3% (12)  03.8% ( 5)  02.6% ( 7)  00.7% (17)  01.0% (14)  01.3% (12)  00.3% (20)
>                     218         55          56          8           26          59          14
> [13] perm            01.3% (13)  02.7% ( 8)  01.8% (10)  01.3% (11)  00.9% (15)  01.1% (13)  01.1% ( 9)
>                     215         39          39          15          24          48          50
> [14] int-overflow    01.0% (14)  00.1% (32)  00.4% (22)  01.4% (10)  01.9% ( 9)  00.8% (15)  01.2% ( 8)
>                     160         1           8           16          47          36          52
> [15] dos-flood       00.8% (15)  02.0% (12)  01.7% (13)  00.5% (19)  01.2% (12)  00.2% (27)  00.4% (17)
>                     131         29          36          6           31          10          19
> [16] pass            00.8% (16)  01.1% (18)  01.3% (14)  00.2% (28)  01.1% (13)  00.8% (14)  00.4% (18)
>                     125         16          27          2           28          36          16
> [17] auth            00.8% (17)  01.5% (13)  01.3% (15)  00.5% (20)  00.7% (17)  00.5% (19)  00.7% (14)
>                     124         22          27          6           17          21          31
> [18] webroot         00.5% (18)  00.1% (29)  00.2% (32)  00.3% (24)  00.2% (30)  00.7% (16)  00.9% (13)
>                     88          2           5           3           5           33          40
> [19] form-field      00.5% (19)  00.7% (24)  00.8% (17)  00.5% (21)  00.2% (27)  00.4% (20)  00.5% (15)
>                     81          10          17          6           6           19          23
> [20] relpath         00.4% (20)  00.8% (22)  00.3% (29)  00.9% (14)  00.6% (18)  00.3% (22)  00.3% (21)
>                     71          12          6           10          14          15          14
> [21] race            00.4% (21)  00.5% (26)  00.4% (24)  00.6% (18)  00.4% (21)  00.6% (17)  00.3% (24)
>                     69          7           8           7           10          26          11
> [22] memleak         00.4% (22)  01.1% (17)  00.2% (31)  00.4% (22)  00.5% (19)  00.3% (23)  00.2% (27)
>                     61          16          5           5           13          15          7
> [23] msdos-device    00.4% (23)  01.0% (20)  00.6% (19)  00.9% (13)  00.2% (23)  00.2% (28)  00.0% (32)
>                     57          15          13          11          6           10          2
> [24] crlf            00.3% (24)  00.0% N/A   00.2% (33)  00.1% (30)  00.5% (20)  00.4% (21)  00.3% (19)
>                     49          0           4           1           13          17          14
> [25] default         00.3% (26)  01.1% (16)  00.7% (18)  00.1% (33)  00.2% (26)  00.1% (33)  00.1% (29)
>                     48          16          16          1           6           3           6
> [26] spoof           00.3% (25)  01.0% (19)  00.3% (28)  00.1% (32)  00.1% (33)  00.2% (26)  00.3% (25)
>                     48          15          7           1           3           11          11
> [27] sandbox         00.3% (27)  01.2% (15)  01.0% (16)  00.0% N/A   00.2% (29)  00.0% (34)  00.0% N/A
>                     46          17          22          0           5           2           0
> [28] rand            00.3% (28)  01.2% (14)  00.6% (20)  00.3% (25)  00.2% (32)  00.0% (35)  00.2% (26)
>                     45          17          12          3           4           2           7
> [29] upload          00.3% (29)  00.0% N/A   00.0% (36)  00.1% (29)  00.2% (24)  00.5% (18)  00.3% (22)
>                     43          0           1           1           6           22          13
> [30] signedness      00.2% (30)  00.1% (30)  00.4% (23)  00.8% (16)  00.2% (25)  00.3% (24)  00.0% (34)
>                     38          1           8           9           6           12          2
> [31] dos-release     00.2% (31)  00.9% (21)  00.5% (21)  00.2% (27)  00.2% (31)  00.0% N/A   00.0% N/A
>                     30          13          10          2           5           0           0
> [32] CF              00.2% (32)  00.7% (23)  00.3% (27)  00.2% (26)  00.0% N/A   00.1% (31)  00.1% (28)
>                     29          10          7           2           0           4           6
> [33] eval-inject     00.2% (33)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% (34)  00.2% (25)  00.3% (23)
>                     25          0           0           0           1           11          13
> [34] design          00.1% (34)  00.6% (25)  00.4% (26)  00.1% (31)  00.0% (35)  00.1% (32)  00.0% (31)
>                     23          8           8           1           1           3           2
> [35] double-free     00.1% (35)  00.0% N/A   00.1% (34)  00.3% (23)  00.2% (22)  00.1% (30)  00.1% (30)
>                     21          0           2           4           6           5           4
> [36] CSRF            00.1% (37)  00.0% N/A   00.0% (35)  00.0% N/A   00.2% (28)  00.2% (29)  00.0% (33)
>                     16          0           1           0           5           8           2
> [37] type-check      00.1% (36)  00.4% (28)  00.4% (25)  00.0% N/A   00.0% N/A   00.0% (36)  00.0% (35)
>                     16          6           8           0           0           1           1
> -------------------------
> UNKNOWN/UNSPECIFIED ITEMS
> -------------------------
> n/a unk              09.0% N/A   07.9% N/A   07.1% N/A   07.0% N/A   08.2% N/A   08.9% N/A   11.5% N/A
>                     1460        114         151         82          209         402         502
> n/a other            15.2% N/A   16.7% N/A   19.0% N/A   11.8% N/A   17.2% N/A   13.1% N/A   14.9% N/A
>                     2468        239         407         139         435         595         653
> n/a not-specified    06.9% N/A   00.1% N/A   03.1% N/A   20.5% N/A   11.3% N/A   11.3% N/A   00.3% N/A
>                     1121        2           66          240         286         513         14
>
>
>
> ===============================
> ===== Table 2: OS Vendors =====
> ===============================
>
>
>                     TOTAL       2001        2002        2003        2004        2005        2006
>                     (4418)      (443)       (660)       (527)       (736)       (1199)      (853)
>                     ----------  ----------  ----------  ----------  ----------  ----------  ----------
> [ 1] buf             20.0% ( 1)  21.0% ( 1)  26.8% ( 1)  24.9% ( 1)  20.4% ( 1)  16.2% ( 1)  16.1% ( 1)
>                     882         93          177         131         150         194         137
> [ 2] link            04.0% ( 2)  07.4% ( 2)  03.3% ( 4)  04.0% ( 2)  05.2% ( 2)  04.0% ( 3)  01.8% ( 5)
>                     177         33          22          21          38          48          15
> [ 3] dos-malform     03.7% ( 3)  05.6% ( 3)  06.1% ( 2)  02.7% ( 4)  04.5% ( 4)  01.8% ( 7)  03.3% ( 4)
>                     162         25          40          14          33          22          28
> [ 4] XSS             03.4% ( 4)  01.6% (12)  04.4% ( 3)  03.0% ( 3)  01.4% ( 7)  04.2% ( 2)  04.7% ( 3)
>                     152         7           29          16          10          50          40
> [ 5] int-overflow    02.7% ( 5)  00.0% N/A   01.2% (12)  02.3% ( 6)  04.6% ( 3)  02.1% ( 6)  04.7% ( 2)
>                     119         0           8           12          34          25          40
> [ 6] format-string   02.4% ( 6)  05.2% ( 4)  01.5% (10)  02.3% ( 5)  02.6% ( 5)  02.4% ( 5)  01.6% ( 7)
>                     107         23          10          12          19          29          14
> [ 7] priv            02.0% ( 7)  04.1% ( 5)  02.3% ( 6)  00.8% (13)  00.8% (14)  02.6% ( 4)  01.6% ( 6)
>                     88          18          15          4           6           31          14
> [ 8] perm            01.8% ( 8)  04.1% ( 6)  02.1% ( 7)  01.1% (11)  01.1% (10)  01.7% ( 8)  01.4% ( 9)
>                     78          18          14          6           8           20          12
> [ 9] dot             01.4% ( 9)  01.6% (13)  01.5% ( 9)  01.1% ( 8)  01.6% ( 6)  01.3% (12)  01.6% ( 8)
>                     64          7           10          6           12          15          14
> [10] metachar        01.2% (10)  02.0% ( 9)  02.6% ( 5)  00.8% (16)  00.7% (17)  01.3% (11)  00.4% (19)
>                     53          9           17          4           5           15          3
> [11] infoleak        01.2% (11)  00.9% (20)  01.2% (13)  01.1% ( 9)  01.1% ( 9)  01.3% (10)  01.2% (10)
>                     52          4           8           6           8           16          10
> [12] race            01.0% (12)  01.1% (17)  00.9% (15)  00.4% (19)  01.0% (11)  01.6% ( 9)  00.7% (13)
>                     45          5           6           2           7           19          6
> [13] memleak         00.8% (13)  02.0% (10)  00.6% (19)  00.8% (14)  01.0% (12)  00.9% (14)  00.2% (23)
>                     37          9           4           4           7           11          2
> [14] sql-inject      00.8% (14)  00.2% (27)  00.6% (21)  01.1% (10)  00.7% (16)  00.9% (13)  00.9% (11)
>                     35          1           4           6           5           11          8
> [15] crypt           00.8% (15)  01.6% (14)  01.4% (11)  01.1% ( 7)  00.4% (18)  00.4% (18)  00.5% (16)
>                     34          7           9           6           3           5           4
> [16] sandbox         00.7% (16)  02.7% ( 7)  02.1% ( 8)  00.0% N/A   00.1% (23)  00.2% (28)  00.0% N/A
>                     29          12          14          0           1           2           0
> [17] relpath         00.6% (18)  01.6% (11)  00.3% (28)  00.4% (18)  01.1% ( 8)  00.3% (27)  00.7% (14)
>                     28          7           2           2           8           3           6
> [18] dos-flood       00.6% (17)  02.5% ( 8)  00.6% (20)  00.2% (22)  00.3% (20)  00.3% (25)  00.8% (12)
>                     28          11          4           1           2           3           7
> [19] auth            00.5% (20)  01.4% (15)  01.1% (14)  00.6% (17)  00.3% (21)  00.3% (21)  00.2% (24)
>                     24          6           7           3           2           4           2
> [20] signedness      00.5% (19)  00.2% (24)  00.9% (16)  00.9% (12)  00.4% (19)  00.6% (15)  00.2% (25)
>                     24          1           6           5           3           7           2
> [21] pass            00.5% (21)  00.2% (25)  00.8% (17)  00.2% (20)  00.8% (15)  00.3% (24)  00.5% (15)
>                     21          1           5           1           6           4           4
> [22] double-free     00.4% (22)  00.0% N/A   00.3% (29)  00.8% (15)  00.8% (13)  00.3% (20)  00.4% (18)
>                     19          0           2           4           6           4           3
> [23] rand            00.3% (23)  01.4% (16)  00.5% (22)  00.2% (27)  00.1% (24)  00.0% N/A   00.2% (27)
>                     13          6           3           1           1           0           2
> [24] crlf            00.2% (25)  00.0% N/A   00.5% (23)  00.2% (25)  00.0% N/A   00.4% (17)  00.2% (20)
>                     11          0           3           1           0           5           2
> [25] spoof           00.2% (24)  00.2% (26)  00.3% (26)  00.0% N/A   00.0% N/A   00.3% (23)  00.5% (17)
>                     11          1           2           0           0           4           4
> [26] form-field      00.2% (26)  00.5% (22)  00.3% (27)  00.2% (21)  00.0% N/A   00.4% (16)  00.0% N/A
>                     10          2           2           1           0           5           0
> [27] default         00.2% (27)  00.2% (28)  00.5% (24)  00.0% N/A   00.1% (22)  00.3% (26)  00.2% (21)
>                     10          1           3           0           1           3           2
> [28] type-check      00.2% (28)  00.7% (21)  00.6% (18)  00.0% N/A   00.0% N/A   00.1% (30)  00.0% N/A
>                     8           3           4           0           0           1           0
> [29] CF              00.2% (29)  00.9% (18)  00.2% (31)  00.2% (26)  00.0% N/A   00.0% N/A   00.1% (29)
>                     7           4           1           1           0           0           1
> [30] dos-release     00.2% (30)  00.9% (19)  00.3% (25)  00.2% (23)  00.0% N/A   00.0% N/A   00.0% N/A
>                     7           4           2           1           0           0           0
> [31] php-include     00.1% (31)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (19)  00.2% (26)
>                     6           0           0           0           0           4           2
> [32] eval-inject     00.1% (32)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (22)  00.2% (22)
>                     6           0           0           0           0           4           2
> [33] design          00.1% (33)  00.2% (23)  00.3% (30)  00.2% (24)  00.0% N/A   00.1% (31)  00.0% N/A
>                     5           1           2           1           0           1           0
> [34] webroot         00.0% (35)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (28)
>                     1           0           0           0           0           0           1
> [35] upload          00.0% (36)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (32)  00.0% N/A
>                     1           0           0           0           0           1           0
> [36] CSRF            00.0% (34)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (29)  00.0% N/A
>                     1           0           0           0           0           1           0
> -------------------------
> UNKNOWN/UNSPECIFIED ITEMS
> -------------------------
> n/a unk              16.0% N/A   12.4% N/A   12.6% N/A   10.4% N/A   12.2% N/A   16.1% N/A   27.2% N/A
>                     708         55          83          55          90          193         232
> n/a other            16.4% N/A   15.3% N/A   15.6% N/A   12.0% N/A   12.2% N/A   14.4% N/A   26.6% N/A
>                     724         68          103         63          90          173         227
> n/a not-specified    14.3% N/A   00.2% N/A   05.9% N/A   26.0% N/A   24.6% N/A   22.2% N/A   00.8% N/A
>                     631         1           39          137         181         266         7
>
>
>
>
> ==========================================
> ===== Table 3: OS Vendors vs. Others =====
> ==========================================
>
>
>                             TOTAL       2001        2002        2003        2004        2005        2006
>                             ----------  ----------  ----------  ----------  ----------  ----------  ----------
>                     OS-ven  4418        443         660         527         736         1199        853
>                     Other   11774       991         1478        646         1798        3339        3522
>                             ----------  ----------  ----------  ----------  ----------  ----------  ----------
> [ 1] XSS            OS-ven  03.4% ( 4)  01.6% (13)  04.4% ( 3)  03.0% ( 3)  01.4% ( 7)  04.2% ( 2)  04.7% ( 2)
>                             152         7           29          16          10          50          40
>                     Other   17.8% ( 1)  02.5% ( 8)  10.7% ( 2)  11.1% ( 2)  14.8% ( 1)  20.2% ( 1)  25.5% ( 1)
>                             2095        25          158         72          266         675         899
> [ 2] buf            OS-ven  20.0% ( 1)  21.0% ( 1)  26.8% ( 1)  24.9% ( 1)  20.4% ( 1)  16.2% ( 1)  16.1% ( 1)
>                             882         93          177         131         150         194         137
>                     Other   10.8% ( 3)  18.8% ( 1)  17.3% ( 1)  20.6% ( 1)  13.4% ( 2)  07.5% ( 3)  05.9% ( 4)
>                             1274        186         256         133         241         251         207
> [ 3] sql-inject     OS-ven  00.8% (14)  00.2% (27)  00.6% (19)  01.1% ( 8)  00.7% (16)  00.9% (13)  00.9% (11)
>                             35          1           4           6           5           11          8
>                     Other   11.7% ( 2)  00.5% (26)  02.3% ( 8)  04.5% ( 3)  07.5% ( 3)  17.2% ( 2)  17.2% ( 2)
>                             1381        5           34          29          135         573         605
> [ 4] dot            OS-ven  01.4% ( 9)  01.6% (14)  01.5% ( 9)  01.1% (10)  01.6% ( 6)  01.3% (11)  01.6% ( 8)
>                             64          7           10          6           12          15          14
>                     Other   05.9% ( 4)  12.1% ( 2)  06.8% ( 3)  04.3% ( 4)  05.1% ( 4)  05.4% ( 4)  05.1% ( 5)
>                             700         120         100         28          92          180         180
> [ 5] php-include    OS-ven  00.1% (32)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (19)  00.2% (27)
>                             6           0           0           0           0           4           2
>                     Other   04.7% ( 5)  00.1% (30)  00.4% (22)  01.4% (11)  02.0% ( 8)  02.7% ( 6)  11.7% ( 3)
>                             555         1           6           9           36          91          412
> [ 6] infoleak       OS-ven  01.2% (11)  00.9% (20)  01.2% (13)  01.1% (11)  01.1% ( 9)  01.3% (10)  01.2% (10)
>                             52          4           8           6           8           16          10
>                     Other   04.1% ( 6)  03.3% ( 6)  05.5% ( 4)  03.7% ( 5)  04.8% ( 5)  04.8% ( 5)  03.0% ( 6)
>                             488         33          81          24          87          159         104
> [ 7] dos-malform    OS-ven  03.7% ( 3)  05.6% ( 3)  06.1% ( 2)  02.7% ( 4)  04.5% ( 4)  01.8% ( 7)  03.3% ( 4)
>                             162         25          40          14          33          22          28
>                     Other   02.6% ( 7)  04.4% ( 5)  04.7% ( 5)  02.3% ( 8)  03.0% ( 6)  01.8% ( 8)  01.6% ( 7)
>                             301         44          70          15          54          60          58
> [ 8] link           OS-ven  04.0% ( 2)  07.4% ( 2)  03.3% ( 4)  04.0% ( 2)  05.2% ( 2)  04.0% ( 3)  01.8% ( 5)
>                             177         33          22          21          38          48          15
>                     Other   01.3% (11)  03.1% ( 7)  01.6% (13)  03.1% ( 7)  01.9% ( 9)  01.2% (11)  00.1% (25)
>                             152         31          23          20          34          39          5
> [ 9] format-string  OS-ven  02.4% ( 6)  05.2% ( 4)  01.5% (10)  02.3% ( 6)  02.6% ( 5)  02.4% ( 5)  01.6% ( 6)
>                             107         23          10          12          19          29          14
>                     Other   01.6% ( 9)  02.3% ( 9)  02.0% (11)  03.1% ( 6)  02.3% ( 7)  01.4% ( 9)  00.8% (12)
>                             189         23          29          20          42          47          28
> [10] crypt          OS-ven  00.8% (15)  01.6% (12)  01.4% (11)  01.1% ( 9)  00.4% (19)  00.4% (16)  00.5% (15)
>                             34          7           9           6           3           5           4
>                     Other   01.9% ( 8)  04.8% ( 3)  03.3% ( 6)  01.9% ( 9)  01.1% (14)  01.9% ( 7)  01.0% (10)
>                             227         48          49          12          19          63          36
> [11] priv           OS-ven  02.0% ( 7)  04.1% ( 5)  02.3% ( 6)  00.8% (16)  00.8% (13)  02.6% ( 4)  01.6% ( 7)
>                             88          18          15          4           6           31          14
>                     Other   01.2% (12)  01.8% (12)  02.1% (10)  01.2% (14)  01.4% (11)  01.1% (12)  00.7% (13)
>                             145         18          31          8           26          36          26
> [12] metachar       OS-ven  01.2% (10)  02.0% (10)  02.6% ( 5)  00.8% (15)  00.7% (17)  01.3% (12)  00.4% (19)
>                             53          9           17          4           5           15          3
>                     Other   01.4% (10)  04.6% ( 4)  02.6% ( 7)  00.6% (20)  01.2% (13)  01.3% (10)  00.3% (21)
>                             165         46          39          4           21          44          11
> [13] perm           OS-ven  01.8% ( 8)  04.1% ( 6)  02.1% ( 7)  01.1% ( 7)  01.1% (10)  01.7% ( 8)  01.4% ( 9)
>                             78          18          14          6           8           20          12
>                     Other   01.2% (13)  02.1% (10)  01.7% (12)  01.4% (12)  00.9% (15)  00.8% (15)  01.1% ( 9)
>                             137         21          25          9           16          28          38
> [14] int-overflow   OS-ven  02.7% ( 5)  00.0% N/A   01.2% (12)  02.3% ( 5)  04.6% ( 3)  02.1% ( 6)  04.7% ( 3)
>                             119         0           8           12          34          25          40
>                     Other   00.3% (22)  00.1% (31)  00.0% N/A   00.6% (18)  00.7% (17)  00.3% (21)  00.3% (17)
>                             41          1           0           4           13          11          12
> [15] dos-flood      OS-ven  00.6% (18)  02.5% ( 8)  00.6% (18)  00.2% (27)  00.3% (21)  00.3% (26)  00.8% (12)
>                             28          11          4           1           2           3           7
>                     Other   00.9% (15)  01.8% (11)  02.2% ( 9)  00.8% (17)  01.6% (10)  00.2% (23)  00.3% (18)
>                             103         18          32          5           29          7           12
> [16] pass           OS-ven  00.5% (21)  00.2% (25)  00.8% (17)  00.2% (26)  00.8% (15)  00.3% (20)  00.5% (17)
>                             21          1           5           1           6           4           4
>                     Other   00.9% (14)  01.5% (16)  01.5% (14)  00.2% (27)  01.2% (12)  01.0% (14)  00.3% (16)
>                             104         15          22          1           22          32          12
> [17] auth           OS-ven  00.5% (20)  01.4% (15)  01.1% (14)  00.6% (17)  00.3% (20)  00.3% (23)  00.2% (23)
>                             24          6           7           3           2           4           2
>                     Other   00.8% (16)  01.6% (13)  01.4% (15)  00.5% (22)  00.8% (16)  00.5% (17)  00.8% (11)
>                             100         16          20          3           15          17          29
> [18] webroot        OS-ven  00.0% (35)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (28)
>                             1           0           0           0           0           0           1
>                     Other   00.7% (17)  00.2% (28)  00.3% (26)  00.5% (21)  00.3% (26)  01.0% (13)  01.1% ( 8)
>                             87          2           5           3           5           33          39
> [19] form-field     OS-ven  00.2% (27)  00.5% (22)  00.3% (26)  00.2% (21)  00.0% N/A   00.4% (18)  00.0% N/A
>                             10          2           2           1           0           5           0
>                     Other   00.6% (18)  00.8% (20)  01.0% (16)  00.8% (15)  00.3% (23)  00.4% (18)  00.7% (14)
>                             71          8           15          5           6           14          23
> [20] relpath        OS-ven  00.6% (17)  01.6% (11)  00.3% (25)  00.4% (19)  01.1% ( 8)  00.3% (27)  00.7% (13)
>                             28          7           2           2           8           3           6
>                     Other   00.4% (20)  00.5% (25)  00.3% (27)  01.2% (13)  00.3% (22)  00.4% (19)  00.2% (22)
>                             43          5           4           8           6           12          8
> [21] race           OS-ven  01.0% (12)  01.1% (17)  00.9% (16)  00.4% (18)  01.0% (12)  01.6% ( 9)  00.7% (14)
>                             45          5           6           2           7           19          6
>                     Other   00.2% (27)  00.2% (29)  00.1% (29)  00.8% (16)  00.2% (30)  00.2% (27)  00.1% (24)
>                             24          2           2           5           3           7           5
> [22] memleak        OS-ven  00.8% (13)  02.0% ( 9)  00.6% (20)  00.8% (13)  01.0% (11)  00.9% (14)  00.2% (25)
>                             37          9           4           4           7           11          2
>                     Other   00.2% (28)  00.7% (22)  00.1% (33)  00.2% (29)  00.3% (19)  00.1% (30)  00.1% (26)
>                             24          7           1           1           6           4           5
> [23] msdos-device   OS-ven  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
>                             0           0           0           0           0           0           0
>                     Other   00.5% (19)  01.5% (15)  00.9% (17)  01.7% (10)  00.3% (21)  00.3% (22)  00.1% (31)
>                             57          15          13          11          6           10          2
> [24] crlf           OS-ven  00.2% (24)  00.0% N/A   00.5% (23)  00.2% (25)  00.0% N/A   00.4% (17)  00.2% (24)
>                             11          0           3           1           0           5           2
>                     Other   00.3% (23)  00.0% N/A   00.1% (34)  00.0% N/A   00.7% (18)  00.4% (20)  00.3% (19)
>                             38          0           1           0           13          12          12
> [25] spoof          OS-ven  00.2% (25)  00.2% (28)  00.3% (29)  00.0% N/A   00.0% N/A   00.3% (21)  00.5% (16)
>                             11          1           2           0           0           4           4
>                     Other   00.3% (25)  01.4% (17)  00.3% (25)  00.2% (28)  00.2% (29)  00.2% (25)  00.2% (23)
>                             37          14          5           1           3           7           7
> [26] default        OS-ven  00.2% (26)  00.2% (26)  00.5% (24)  00.0% N/A   00.1% (22)  00.3% (25)  00.2% (26)
>                             10          1           3           0           1           3           2
>                     Other   00.3% (24)  01.5% (14)  00.9% (18)  00.2% (26)  00.3% (27)  00.0% N/A   00.1% (29)
>                             38          15          13          1           5           0           4
> [27] sandbox        OS-ven  00.7% (16)  02.7% ( 7)  02.1% ( 8)  00.0% N/A   00.1% (24)  00.2% (28)  00.0% N/A
>                             29          12          14          0           1           2           0
>                     Other   00.1% (33)  00.5% (24)  00.5% (20)  00.0% N/A   00.2% (28)  00.0% N/A   00.0% N/A
>                             17          5           8           0           4           0           0
> [28] rand           OS-ven  00.3% (23)  01.4% (16)  00.5% (22)  00.2% (23)  00.1% (23)  00.0% N/A   00.2% (22)
>                             13          6           3           1           1           0           2
>                     Other   00.3% (26)  01.1% (18)  00.6% (19)  00.3% (23)  00.2% (32)  00.1% (32)  00.1% (28)
>                             32          11          9           2           3           2           5
> [29] upload         OS-ven  00.0% (34)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (32)  00.0% N/A
>                             1           0           0           0           0           1           0
>                     Other   00.4% (21)  00.0% N/A   00.1% (32)  00.2% (30)  00.3% (20)  00.6% (16)  00.4% (15)
>                             42          0           1           1           6           21          13
> [30] signedness     OS-ven  00.5% (19)  00.2% (24)  00.9% (15)  00.9% (12)  00.4% (18)  00.6% (15)  00.2% (20)
>                             24          1           6           5           3           7           2
>                     Other   00.1% (35)  00.0% N/A   00.1% (30)  00.6% (19)  00.2% (31)  00.1% (28)  00.0% N/A
>                             14          0           2           4           3           5           0
> [31] dos-release    OS-ven  00.2% (29)  00.9% (19)  00.3% (30)  00.2% (20)  00.0% N/A   00.0% N/A   00.0% N/A
>                             7           4           2           1           0           0           0
>                     Other   00.2% (29)  00.9% (19)  00.5% (21)  00.2% (25)  00.3% (25)  00.0% N/A   00.0% N/A
>                             23          9           8           1           5           0           0
> [32] CF             OS-ven  00.2% (30)  00.9% (18)  00.2% (31)  00.2% (24)  00.0% N/A   00.0% N/A   00.1% (29)
>                             7           4           1           1           0           0           1
>                     Other   00.2% (30)  00.6% (23)  00.4% (23)  00.2% (24)  00.0% N/A   00.1% (29)  00.1% (27)
>                             22          6           6           1           0           4           5
> [33] eval-inject    OS-ven  00.1% (31)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (22)  00.2% (21)
>                             6           0           0           0           0           4           2
>                     Other   00.2% (31)  00.0% N/A   00.0% N/A   00.0% N/A   00.1% (34)  00.2% (26)  00.3% (20)
>                             19          0           0           0           1           7           11
> [34] design         OS-ven  00.1% (33)  00.2% (23)  00.3% (27)  00.2% (22)  00.0% N/A   00.1% (30)  00.0% N/A
>                             5           1           2           1           0           1           0
>                     Other   00.2% (32)  00.7% (21)  00.4% (24)  00.0% N/A   00.1% (33)  00.1% (31)  00.1% (32)
>                             18          7           6           0           1           2           2
> [35] double-free    OS-ven  00.4% (22)  00.0% N/A   00.3% (28)  00.8% (14)  00.8% (14)  00.3% (24)  00.4% (18)
>                             19          0           2           4           6           4           3
>                     Other   00.0% (37)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% (33)  00.0% (33)
>                             2           0           0           0           0           1           1
> [36] type-check     OS-ven  00.2% (28)  00.7% (21)  00.6% (21)  00.0% N/A   00.0% N/A   00.1% (31)  00.0% N/A
>                             8           3           4           0           0           1           0
>                     Other   00.1% (36)  00.3% (27)  00.3% (28)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% (34)
>                             8           3           4           0           0           0           1
> [37] CSRF           OS-ven  00.0% (36)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (29)  00.0% N/A
>                             1           0           0           0           0           1           0
>                     Other   00.1% (34)  00.0% N/A   00.1% (31)  00.0% N/A   00.3% (24)  00.2% (24)  00.1% (30)
>                             15          0           1           0           5           7           2
> -------------------------
> UNKNOWN/UNSPECIFIED ITEMS
> -------------------------
> n/a unk             OS-ven  16.0% N/A   12.4% N/A   12.6% N/A   10.4% N/A   12.2% N/A   16.1% N/A   27.2% N/A
>                             708         55          83          55          90          193         232
>                     Other   06.4% N/A   06.0% N/A   04.6% N/A   04.2% N/A   06.6% N/A   06.3% N/A   07.7% N/A
>                             752         59          68          27          119         209         270
> n/a other           OS-ven  16.4% N/A   15.3% N/A   15.6% N/A   12.0% N/A   12.2% N/A   14.4% N/A   26.6% N/A
>                             724         68          103         63          90          173         227
>                     Other   14.8% N/A   17.3% N/A   20.6% N/A   11.8% N/A   19.2% N/A   12.6% N/A   12.1% N/A
>                             1744        171         304         76          345         422         426
> n/a not-specified   OS-ven  14.3% N/A   00.2% N/A   05.9% N/A   26.0% N/A   24.6% N/A   22.2% N/A   00.8% N/A
>                             631         1           39          137         181         266         7
>                     Other   04.2% N/A   00.1% N/A   01.8% N/A   15.9% N/A   05.8% N/A   07.4% N/A   00.2% N/A
>                             490         1           27          103         105         247         7
>
>
>
> ==================================================
> ===== Table 4: Open and Closed Source (OS vendors)
> ==================================================
>
>
>                     TOTAL       2001        2002        2003        2004        2005        2006
>                     ----------  ----------  ----------  ----------  ----------  ----------  ----------
> [ 1] buf             19.7% ( 1)  20.3% ( 1)  24.6% ( 1)  25.0% ( 1)  24.5% ( 1)  14.6% ( 1)  17.1% ( 1)
>      ****            20.4% ( 1)  20.3% ( 1)  27.7% ( 1)  26.1% ( 1)  15.3% ( 1)  18.5% ( 1)  16.3% ( 1)
> [ 2] link            06.4% ( 2)  14.0% ( 2)  04.8% ( 3)  04.9% ( 2)  08.6% ( 2)  06.1% ( 2)  02.4% ( 5)
>      ****            01.6% ( 6)  01.0% (17)  01.8% ( 9)  03.0% ( 2)  01.9% ( 5)  00.8% ( 7)  01.6% ( 6)
> [ 3] dos-malform     02.8% ( 5)  02.7% ( 7)  04.4% ( 4)  02.6% ( 6)  03.5% ( 5)  01.7% ( 8)  03.3% ( 4)
>      ****            05.3% ( 2)  09.2% ( 2)  08.1% ( 2)  02.5% ( 3)  07.3% ( 2)  02.1% ( 3)  03.9% ( 3)
> [ 4] XSS             04.6% ( 3)  02.7% ( 8)  05.9% ( 2)  03.0% ( 5)  01.4% (10)  05.5% ( 3)  07.1% ( 2)
>      ****            02.3% ( 3)  00.5% (22)  03.6% ( 4)  02.5% ( 4)  00.8% ( 8)  02.1% ( 4)  03.2% ( 4)
> [ 5] format-string   04.0% ( 4)  08.6% ( 3)  02.9% ( 6)  03.0% ( 4)  04.9% ( 3)  03.7% ( 4)  02.4% ( 6)
>      ****            00.8% (16)  01.4% (13)  00.6% (17)  02.0% ( 5)  00.4% (18)  00.8% (10)  00.3% (17)
> [ 6] int-overflow    02.6% ( 6)  00.0% N/A   02.2% ( 7)  03.4% ( 3)  04.0% ( 4)  02.2% ( 7)  03.5% ( 3)
>      ****            01.7% ( 5)  00.0% N/A   00.0% N/A   01.0% ( 7)  03.4% ( 3)  00.8% ( 8)  04.2% ( 2)
> [ 7] priv            02.3% ( 7)  05.4% ( 4)  01.8% ( 8)  01.5% (12)  01.2% (11)  02.3% ( 5)  02.2% ( 7)
>      ****            01.8% ( 4)  01.9% ( 8)  03.0% ( 6)  00.0% N/A   00.4% (16)  03.4% ( 2)  00.8% (13)
> [ 8] perm            02.2% ( 8)  05.4% ( 5)  01.1% (13)  01.9% ( 8)  01.7% ( 7)  02.3% ( 6)  01.4% ( 9)
>      ****            01.6% ( 7)  02.4% ( 6)  03.3% ( 5)  00.5% (11)  00.4% (12)  00.8% (12)  01.8% ( 5)
> [ 9] dot             01.5% (10)  00.5% (18)  01.8% ( 9)  01.1% (15)  02.0% ( 6)  01.4% (12)  01.6% ( 8)
>      ****            01.2% (10)  01.9% (10)  00.9% (13)  01.0% ( 9)  01.5% ( 7)  00.5% (18)  01.6% ( 7)
> [10] infoleak        01.1% (13)  00.5% (19)  01.5% (12)  01.1% (13)  01.2% (12)  01.0% (14)  01.4% (10)
>      ****            01.1% (13)  01.4% (12)  00.9% (12)  01.0% ( 8)  00.4% (17)  01.6% ( 5)  01.1% (10)
> [11] metachar        01.5% ( 9)  03.2% ( 6)  02.9% ( 5)  01.5% (11)  00.6% (15)  01.4% (11)  00.5% (15)
>      ****            00.5% (18)  01.0% (18)  01.2% (11)  00.0% N/A   00.4% (14)  00.5% (15)  00.0% N/A
> [12] race            01.4% (11)  02.3% ( 9)  01.8% (10)  00.4% (19)  01.7% ( 8)  01.6% ( 9)  00.8% (13)
>      ****            00.3% (24)  00.0% N/A   00.0% N/A   00.5% (10)  00.0% N/A   00.8% (14)  00.3% (21)
> [13] sql-inject      01.2% (12)  00.5% (21)  00.7% (18)  01.9% ( 9)  00.9% (13)  01.6% (10)  01.4% (11)
>      ****            00.4% (19)  00.0% N/A   00.6% (18)  00.5% (20)  00.4% (13)  00.0% N/A   00.8% (14)
> [14] memleak         00.9% (14)  00.0% N/A   00.7% (16)  01.1% (14)  01.4% ( 9)  01.2% (13)  00.3% (24)
>      ****            00.9% (15)  04.3% ( 4)  00.3% (19)  00.5% (12)  00.0% N/A   00.8% (13)  00.3% (19)
> [15] crypt           00.7% (16)  01.8% (11)  00.7% (15)  01.9% ( 7)  00.0% N/A   00.4% (18)  00.3% (21)
>      ****            00.9% (14)  01.0% (16)  02.1% ( 7)  00.0% N/A   00.8% (11)  00.5% (16)  00.5% (15)
> [16] sandbox         00.2% (26)  00.5% (15)  00.0% N/A   00.0% N/A   00.3% (20)  00.3% (23)  00.0% N/A
>      ****            01.4% ( 8)  05.3% ( 3)  04.2% ( 3)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [17] dos-flood       00.3% (21)  01.4% (12)  00.4% (24)  00.0% N/A   00.0% N/A   00.3% (24)  00.0% N/A
>      ****            01.1% (11)  03.9% ( 5)  00.9% (14)  00.5% (14)  00.8% ( 9)  00.3% (19)  01.3% ( 8)
> [18] relpath         00.6% (17)  01.8% (10)  00.7% (17)  00.4% (18)  00.3% (16)  00.4% (19)  00.5% (18)
>      ****            00.7% (17)  01.4% (14)  00.0% N/A   00.5% (13)  01.9% ( 6)  00.0% N/A   01.1% (12)
> [19] auth            00.1% (28)  00.5% (16)  00.0% N/A   00.0% N/A   00.3% (17)  00.0% N/A   00.3% (20)
>      ****            01.2% ( 9)  02.4% ( 7)  02.1% ( 8)  01.5% ( 6)  00.4% (15)  01.0% ( 6)  00.3% (18)
> [20] pass            00.0% (32)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (28)  00.0% N/A
>      ****            01.1% (12)  00.5% (20)  01.5% (10)  00.5% (16)  02.3% ( 4)  00.8% (11)  01.1% ( 9)
> [21] signedness      00.8% (15)  00.5% (17)  01.8% (11)  01.5% (10)  00.3% (19)  00.6% (17)  00.5% (16)
>      ****            00.2% (29)  00.0% N/A   00.0% N/A   00.5% (17)  00.0% N/A   00.5% (17)  00.0% N/A
> [22] double-free     00.6% (18)  00.0% N/A   00.4% (22)  01.1% (16)  00.9% (14)  00.3% (25)  00.8% (12)
>      ****            00.2% (28)  00.0% N/A   00.0% N/A   00.5% (19)  00.8% (10)  00.3% (21)  00.0% N/A
> [23] spoof           00.2% (23)  00.0% N/A   00.7% (20)  00.0% N/A   00.0% N/A   00.4% (21)  00.0% N/A
>      ****            00.3% (22)  00.5% (23)  00.0% N/A   00.0% N/A   00.0% N/A   00.3% (20)  01.1% (11)
> [24] form-field      00.4% (20)  00.5% (20)  00.7% (19)  00.4% (20)  00.0% N/A   00.7% (16)  00.0% N/A
>      ****            00.1% (31)  00.5% (21)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [25] crlf            00.5% (19)  00.0% N/A   01.1% (14)  00.0% N/A   00.0% N/A   00.7% (15)  00.5% (17)
>      ****            00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [26] rand            00.2% (22)  00.9% (13)  00.4% (21)  00.4% (17)  00.0% N/A   00.0% N/A   00.3% (22)
>      ****            00.3% (23)  01.9% ( 9)  00.3% (22)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [27] default         00.1% (29)  00.0% N/A   00.0% N/A   00.0% N/A   00.3% (18)  00.0% N/A   00.3% (23)
>      ****            00.4% (20)  00.5% (24)  00.6% (16)  00.0% N/A   00.0% N/A   00.8% ( 9)  00.3% (16)
> [28] dos-release     00.1% (27)  00.5% (22)  00.4% (23)  00.4% (21)  00.0% N/A   00.0% N/A   00.0% N/A
>      ****            00.2% (27)  01.4% (11)  00.3% (21)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [29] type-check      00.0% (34)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (26)  00.0% N/A
>      ****            00.3% (21)  01.4% (15)  00.9% (15)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [30] CF              00.1% (30)  00.9% (14)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
>      ****            00.2% (26)  01.0% (19)  00.0% N/A   00.5% (18)  00.0% N/A   00.0% N/A   00.3% (22)
> [31] eval-inject     00.2% (24)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.4% (20)  00.5% (14)
>      ****            00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [32] php-include     00.2% (25)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.4% (22)  00.3% (19)
>      ****            00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [33] design          00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
>      ****            00.2% (25)  00.5% (25)  00.3% (20)  00.5% (15)  00.0% N/A   00.3% (22)  00.0% N/A
> [34] webroot         00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
>      ****            00.1% (30)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (20)
> [35] upload          00.0% (33)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (29)  00.0% N/A
>      ****            00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> [36] CSRF            00.0% (31)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (27)  00.0% N/A
>      ****            00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
> -------------------------
> UNKNOWN/UNSPECIFIED ITEMS
> -------------------------
> n/a unk              09.7% N/A   12.2% N/A   10.3% N/A   04.5% N/A   07.8% N/A   11.5% N/A   10.1% N/A
>      ****            25.7% N/A   13.0% N/A   15.7% N/A   20.1% N/A   23.0% N/A   26.9% N/A   45.0% N/A
> n/a other            19.3% N/A   13.1% N/A   20.6% N/A   15.7% N/A   10.4% N/A   15.9% N/A   39.4% N/A
>      ****            12.4% N/A   18.8% N/A   12.7% N/A   05.0% N/A   14.9% N/A   10.7% N/A   12.4% N/A
> n/a not-specified    13.4% N/A   00.0% N/A   04.4% N/A   21.6% N/A   21.9% N/A   20.5% N/A   00.8% N/A
>      ****            13.2% N/A   00.5% N/A   06.3% N/A   28.6% N/A   22.6% N/A   24.3% N/A   00.5% N/A
>
>
>
>
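Because the mailing list wrapped every table row across four physical lines, the percentages, ranks and raw counts of one flaw type end up separated, and it is easy to misread a column. The following Python checker is an added example, not code from Steve Christey's report or from the CVE/CWE project: it re-joins rows in that four-line layout, recomputes each percentage as count divided by the column total from the Table 1 header, and cross-checks that the OS-vendor and non-OS counts from Table 3 add up to the Table 1 count for the same flaw type. The three sample rows, the column totals and the XSS split are copied from the tables above; the function and class names are the example's own.

```python
"""Consistency checks for the CVE flaw-type trend tables.

Added example, not part of Steve Christey's report or of any CVE/CWE tool:
parses Table 1 rows in the four-line wrapped layout the mailing list
produced, verifies each stated percentage against count / column total,
and cross-checks that the OS-vendor and non-OS counts of Table 3 sum to
the Table 1 total for the same flaw type.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Column totals from the Table 1 header: TOTAL, 2001, 2002, ..., 2006.
TABLE1_TOTALS = [16192, 1434, 2138, 1173, 2534, 4538, 4375]

# Three rows copied from Table 1 as they arrived on the list: one logical
# row spans four physical lines (two of percent/rank cells, two of counts).
SAMPLE_ROWS = """\
[ 1] XSS 13.9% ( 1) 02.2% (11) 08.7% ( 2)
07.5% ( 2) 10.9% ( 2) 16.0% ( 1) 21.5% ( 1)
2247 32 187 88
276 725 939
[ 3] sql-inject 08.7% ( 3) 00.4% (27) 01.8% (12)
03.0% ( 4) 05.5% ( 3) 12.9% ( 2) 14.0% ( 2)
1416 6 38 35
140 584 613
[24] crlf 00.3% (24) 00.0% N/A 00.2% (33)
00.1% (30) 00.5% (20) 00.4% (21) 00.3% (19)
49 0 4 1
13 17 14
"""

# XSS counts from Table 3: the OS-ven row and the Other row, copied from the page.
XSS_OS_VENDOR = [152, 7, 29, 16, 10, 50, 40]
XSS_OTHER = [2095, 25, 158, 72, 266, 675, 899]

# Matches "13.9% ( 1)", "00.4% (27)" or "00.0% N/A"; the rank group is empty for N/A.
CELL_RE = re.compile(r"(\d{2}\.\d)% (?:\(\s*(\d+)\)|N/A)")
HEAD_RE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)")


@dataclass
class Row:
    overall_rank: int
    flaw: str
    pcts: List[float]            # seven percentages: TOTAL, then 2001..2006
    ranks: List[Optional[int]]   # per-column rank, None where the table says N/A
    counts: List[int]            # seven raw counts in the same column order


def parse_rows(text: str) -> List[Row]:
    """Re-join the wrapped four-line rows and parse them into Row objects."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("row text is not a multiple of four lines")
    rows = []
    for i in range(0, len(lines), 4):
        head, pct_tail, cnt_head, cnt_tail = lines[i:i + 4]
        m = HEAD_RE.match(head)
        if not m:
            raise ValueError(f"bad row header: {head!r}")
        cells = CELL_RE.findall(head) + CELL_RE.findall(pct_tail)
        counts = [int(c) for c in (cnt_head + " " + cnt_tail).split()]
        if len(cells) != 7 or len(counts) != 7:
            raise ValueError(f"expected 7 columns for {m.group(2)!r}")
        rows.append(Row(
            overall_rank=int(m.group(1)),
            flaw=m.group(2),
            pcts=[float(p) for p, _ in cells],
            ranks=[int(r) if r else None for _, r in cells],
            counts=counts,
        ))
    return rows


def check_percentages(row: Row, totals: List[int]) -> List[Tuple[int, float, float]]:
    """Return (column, stated %, recomputed %) for every cell whose stated
    percentage is not count / total to one decimal. A tolerance of 0.05
    accepts either rounding rule at an exact .x5 tie."""
    bad = []
    for col, (count, total, stated) in enumerate(zip(row.counts, totals, row.pcts)):
        exact = 100.0 * count / total
        if abs(exact - stated) > 0.05 + 1e-9:
            bad.append((col, stated, round(exact, 1)))
    return bad


def check_split(total: List[int], part_a: List[int], part_b: List[int]) -> List[int]:
    """Columns where the two sub-population counts do not sum to the total."""
    return [i for i, (t, a, b) in enumerate(zip(total, part_a, part_b)) if a + b != t]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for row in rows:
        print(row.flaw, "percentage mismatches:", check_percentages(row, TABLE1_TOTALS))
    print("XSS columns where OS-ven + Other != Table 1:",
          check_split(rows[0].counts, XSS_OS_VENDOR, XSS_OTHER))
```

The same parser works for any Table 1 or Table 2 row pasted in the list's wrapped form; for the Table 3 pairs, feed the OS-ven and Other counts of one flaw type to `check_split` together with the Table 1 counts.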