CWE-606 – Unchecked Input for Loop Condition

Read Time:21 Second

Description

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-1284
CWE-834

 

Consequences

Availability: DoS: Resource Consumption (CPU)

 

Potential Mitigations

Phase: Implementation

Description: 

Do not use user-controlled data for loop conditions.

Phase: Implementation

Description: 

Perform input validation.

CVE References

CWE-605 – Multiple Binds to the Same Port

Read Time:41 Second

Description

When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.

On most systems, a combination of setting the SO_REUSEADDR socket option, and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY. This allows a user to bind to the specific address of a server bound to INADDR_ANY on an unprivileged port, and steal its UDP packets/TCP connection.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-675
CWE-666

 

Consequences

Confidentiality, Integrity: Read Application Data

Packets from a variety of network services may be stolen or the services spoofed.

 

Potential Mitigations

Phase: Policy

Description: 

Restrict server socket address to known local addresses.

CVE References

CWE-603 – Use of Client-Side Authentication

Read Time:42 Second

Description

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-602
CWE-287
CWE-300
CWE-656

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Do not rely on client side data. Always perform server side authentication.

CVE References

  • CVE-2006-0230
    • Client-side check for a password allows access to a server using crafted XML requests from a modified client.

CWE-602 – Client-Side Enforcement of Server-Side Security

Read Time:2 Minute, 9 Second

Description

The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-669
CWE-693
CWE-471
CWE-290
CWE-300

 

Consequences

Access Control, Availability: Bypass Protection Mechanism, DoS: Crash, Exit, or Restart

Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash.

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path.

Phase: Testing

Description: 

Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software’s operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Phase: Testing

Description: 

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

CVE References

  • CVE-2006-6994
    • ASP program allows upload of .asp files by bypassing client-side checks.
  • CVE-2007-0163
    • steganography products embed password information in the carrier file, which can be extracted from a modified client.
  • CVE-2007-0164
    • steganography products embed password information in the carrier file, which can be extracted from a modified client.
  • CVE-2007-0100
    • client allows server to modify client’s configuration and overwrite arbitrary files.

CWE-601 – URL Redirection to Untrusted Site (‘Open Redirect’)

Read Time:2 Minute, 59 Second

Description

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

Phishing is a general term for deceptive attempts to coerce private information from users that will be used for identity theft.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-610
CWE-610

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

The user may be redirected to an untrusted page that contains malware which may then compromise the user’s machine. This will expose the user to extensive risk and the user’s interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.

Access Control, Confidentiality, Other: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Other

The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user’s credentials and then use these credentials to access the legitimate web site.

 

Potential Mitigations

Phase: Implementation

Description: 

Phase: Architecture and Design

Description: 

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Note that this can be bypassed using XSS (CWE-79).

Phase: Architecture and Design, Implementation

Description: 

Phase: Operation

Effectiveness: Moderate

Description: 

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.

An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.

CVE References

  • CVE-2005-4206
    • URL parameter loads the URL into a frame and causes it to appear to be part of a valid page.
  • CVE-2008-2951
    • An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function.
  • CVE-2008-2052
    • Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter.

CWE-600 – Uncaught Exception in Servlet

Read Time:38 Second

Description

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-248
CWE-209
CWE-390

 

Consequences

Confidentiality, Availability: Read Application Data, DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Implementation

Description: 

Implement Exception blocks to handle all types of Exceptions.

CVE References

CWE-6 – J2EE Misconfiguration: Insufficient Session-ID Length

Read Time:1 Minute, 35 Second

Description

The J2EE application is configured to use an insufficient session ID length.

If an attacker can guess or steal a session ID, then they may be able to take over the user’s session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-334

 

Consequences

Access Control: Gain Privileges or Assume Identity

If an attacker can guess an authenticated user’s session identifier, they can take over the user’s session.

 

Potential Mitigations

Phase: Implementation

Description: 

Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.

Phase: Implementation

Description: 

A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.

CVE References

CWE-599 – Missing Validation of OpenSSL Certificate

Read Time:1 Minute, 14 Second

Description

The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.

This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-295

 

Consequences

Confidentiality: Read Application Data

The data read may not be properly secured, it might be viewed by an attacker.

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Trust afforded to the system in question may allow for spoofing or redirection attacks.

Access Control: Gain Privileges or Assume Identity

If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Ensure that proper authentication is included in the system design.

Phase: Implementation

Description: 

Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.

CVE References

CWE-598 – Use of GET Request Method With Sensitive Query Strings

Read Time:53 Second

Description

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

The query string for the URL could be saved in the browser’s history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-201

 

Consequences

Confidentiality: Read Application Data

At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.

 

Potential Mitigations

Phase: Implementation

Description: 

When sensitive information is sent, use the POST method (e.g. registration form).

CVE References

CWE-597 – Use of Wrong Operator in String Comparison

Read Time:44 Second

Description

The product uses the wrong operator when comparing a string, such as using “==” when the .equals() method should be used instead.

In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-595
CWE-595
CWE-480

 

Consequences

Other: Other

 

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

Within Java, use .equals() to compare string values.
Within JavaScript, use == to compare string values.
Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.)

CVE References