CWE-572 – Call to Thread run() instead of start()

Description

The program calls a thread’s run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

In most cases a direct call to a Thread object’s run() method is a bug. The programmer intended to begin a new thread of control, but accidentally called run() instead of start(), so the run() method will execute in the caller’s thread of control.
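The following Java program is an added example, not part of the CWE entry: a Thread subclass records the name of the thread that executed its run() method, once after a direct run() call and once after start(). The class and method names are illustrative.

```java
// Added example: why run() executes on the caller's thread while start() creates a new one.
public class RunVsStart {
    static final class Worker extends Thread {
        private volatile String ranOn;   // name of the thread that actually executed run()

        @Override
        public void run() {
            ranOn = Thread.currentThread().getName();
        }

        String ranOn() {
            return ranOn;
        }
    }

    // The bug: run() is an ordinary method call, so its body executes in the caller's thread.
    static String callRunDirectly() throws InterruptedException {
        Worker w = new Worker();
        w.run();    // CWE-572: no new thread of control is created
        w.join();   // returns at once; the thread was never started, so there is nothing to wait for
        return w.ranOn();
    }

    // The fix: start() schedules run() on a fresh thread, and join() waits for it to finish.
    static String callStart() throws InterruptedException {
        Worker w = new Worker();
        w.start();
        w.join();
        return w.ranOn();
    }

    public static void main(String[] args) throws InterruptedException {
        Thread.currentThread().setName("caller-thread");
        System.out.println("run()   executed on: " + callRunDirectly());
        System.out.println("start() executed on: " + callStart());
    }
}
```

The first line reports the caller's own thread name; the second reports the JVM-assigned name of the new thread. The direct call is also easy to miss in review because it compiles, runs, and returns the right result, only serially and on the wrong thread.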

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-821

Consequences

Other: Quality Degradation, Varies by Context

Potential Mitigations

Phase: Implementation

Description: 

Use the start() method instead of the run() method.

CWE-57 – Path Equivalence: ‘fakedir/../realdir/filename’

Description

The software contains protection mechanisms to restrict access to ‘realdir/filename’, but it constructs pathnames using external input in the form of ‘fakedir/../realdir/filename’ that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-41

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
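As an added illustration (not from the CWE entry), the Java below contrasts a denylist check applied to the raw request string with an allowlist check applied after canonicalization with java.nio.file.Path.normalize(). The directory layout (/srv/app/public as the served tree, /srv/app/secret as the protected one) and the request strings are assumed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: validate after canonicalization, not before (CWE-57 / CWE-180).
public class PathEquivalence {
    // Assumed layout: files under public/ are served; secret/ must never be reachable.
    private static final Path APP_ROOT = Paths.get("/srv/app").toAbsolutePath().normalize();
    private static final Path PUBLIC_ROOT = APP_ROOT.resolve("public");

    /** Vulnerable: the restriction is checked on the raw string, then the path is resolved. */
    static Path resolveVulnerable(String requested) {
        if (requested.startsWith("secret/")) {
            return null;   // the "protection mechanism": only literal secret/... is refused
        }
        // "public/../secret/key.pem" passed the check above and still lands in secret/.
        return APP_ROOT.resolve(requested).normalize();
    }

    /** Fixed: canonicalize first, then require the result to stay inside the allowed tree. */
    static Path resolveSafely(String requested) {
        Path candidate = APP_ROOT.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, so /srv/app/publicX does not match.
        if (!candidate.startsWith(PUBLIC_ROOT)) {
            return null;   // escaped public/ via .., an absolute path, or a sibling directory
        }
        return candidate;
    }

    public static void main(String[] args) {
        String attack = "public/../secret/key.pem";
        System.out.println("vulnerable   -> " + resolveVulnerable(attack));
        System.out.println("safe         -> " + resolveSafely(attack));
        System.out.println("safe, legit  -> " + resolveSafely("public/css/site.css"));
        System.out.println("safe, abs    -> " + resolveSafely("/etc/passwd"));
    }
}
```

Two caveats for real deployments: normalize() is purely lexical and does not follow symbolic links, so when the target is expected to exist, Path.toRealPath() should be used to obtain the canonical form before the startsWith check; and any percent-decoding of the request must happen exactly once, before this step, so that a second decode cannot reintroduce "../" after validation (CWE-174).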

CVE References

  • CVE-2001-1152
    • Proxy allows remote attackers to bypass denylist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parent directory, (3) a /./, or (4) URL-encoded characters.
  • CVE-2000-0191
    • Application checks access for a restricted URL before canonicalization.
  • CVE-2005-1366
    • CGI source disclosure using “dirname/../cgi-bin”.

CWE-568 – finalize() Method Without super.finalize()

Description

The software contains a finalize() method that does not call super.finalize().

The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize().
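The program below is an added example, not code from the CWE entry. A base class releases a resource in finalize(); one subclass overrides finalize() without chaining, the other chains in a finally block so that super.finalize() runs even if the subclass's own cleanup throws. The class names and the boolean standing in for a real resource are assumed.

```java
// Added example: finalize() must chain to super.finalize(), and do so in a finally block.
@SuppressWarnings({"deprecation", "removal"})
public class FinalizeChain {
    /** Base class whose finalize() releases a resource it owns. */
    static class Handle {
        boolean released;

        @Override
        protected void finalize() throws Throwable {
            try {
                released = true;      // stand-in for closing a native handle
            } finally {
                super.finalize();     // chain to Object.finalize()
            }
        }
    }

    /** Vulnerable: overrides finalize() without calling super.finalize() (CWE-568). */
    static class LeakyHandle extends Handle {
        @Override
        protected void finalize() throws Throwable {
            // subclass-only cleanup; Handle.finalize() never runs, so 'released' stays false
        }
    }

    /** Fixed: subclass cleanup runs first, and super.finalize() runs even if that cleanup throws. */
    static class ChainedHandle extends Handle {
        @Override
        protected void finalize() throws Throwable {
            try {
                // subclass-only cleanup goes here
            } finally {
                super.finalize();
            }
        }
    }

    public static void main(String[] args) throws Throwable {
        // finalize() is called directly here only to make the chain observable without
        // depending on garbage-collector timing; production code never calls it by hand.
        Handle leaky = new LeakyHandle();
        leaky.finalize();
        System.out.println("leaky released:   " + leaky.released);

        Handle chained = new ChainedHandle();
        chained.finalize();
        System.out.println("chained released: " + chained.released);
    }
}
```

Note that finalize() has been deprecated since Java 9 and is marked for removal since Java 18; new code should release resources with try-with-resources or java.lang.ref.Cleaner, which avoids the chaining problem altogether.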

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-573
CWE-459

Consequences

Other: Quality Degradation

Potential Mitigations

Phase: Implementation

Description: 

Call the super.finalize() method.

Phase: Testing

Description: 

Use static analysis tools to spot such issues in your code.

CWE-567 – Unsynchronized Access to Shared Data in a Multithreaded Context

Description

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-820
CWE-662
CWE-488

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart

If the shared variable contains sensitive data, it may be manipulated or displayed in another user’s session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly.

Potential Mitigations

Phase: Implementation

Description: 

Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables.
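An added example, not from the CWE entry, that reproduces the servlet problem without the servlet API: a static field is used to carry per-request state across a thread pool, and the fixed handler keeps that state in a local variable while the one value that is genuinely shared (a request counter) is an AtomicInteger. The handler methods, user names and pool size are assumed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;

// Added example: a static field shared between concurrent requests (CWE-567) and its fix.
public class SharedStaticRace {
    // Vulnerable: a single static field is used to carry per-request state.
    static String currentUser;

    static String handleVulnerable(String user) throws InterruptedException {
        currentUser = user;              // request A stores its user here...
        Thread.sleep(1);                 // ...simulated work; request B may overwrite the field now...
        return "Hello " + currentUser;   // ...so request A may greet request B's user
    }

    // Fixed: per-request state stays in a local; the one truly shared value uses an atomic.
    static final AtomicInteger requestsServed = new AtomicInteger();

    static String handleFixed(String user) throws InterruptedException {
        String me = user;                // confined to this thread's stack frame
        Thread.sleep(1);
        requestsServed.incrementAndGet(); // safe concurrent update of shared data
        return "Hello " + me;
    }

    /** Fires n concurrent requests at a handler and counts replies addressed to the wrong user. */
    static int countMismatches(boolean fixed, int n) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        try {
            List<Future<Boolean>> results = new ArrayList<>();
            for (int i = 0; i < n; i++) {
                String user = "user" + i;
                results.add(pool.submit(() -> {
                    String reply = fixed ? handleFixed(user) : handleVulnerable(user);
                    return reply.equals("Hello " + user);
                }));
            }
            int wrong = 0;
            for (Future<Boolean> r : results) {
                if (!r.get()) {
                    wrong++;
                }
            }
            return wrong;
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("vulnerable handler, wrong replies: " + countMismatches(false, 200));
        System.out.println("fixed handler, wrong replies:      " + countMismatches(true, 200));
        System.out.println("requests served by fixed handler:  " + requestsServed.get());
    }
}
```

The vulnerable handler typically reports a non-zero number of cross-user replies, which is exactly the "displayed in another user's session" consequence above; the exact count varies from run to run because it depends on thread scheduling. Wrapping the field accesses in synchronized blocks would remove the data race but not the design error: a per-request value has no business in a static field at all.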

CWE-566 – Authorization Bypass Through User-Controlled SQL Primary Key

Description

The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-639


Confidentiality, Integrity, Access Control: Read Application Data, Modify Application Data, Bypass Protection Mechanism


Phase: Implementation

Description: 

Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an “accept known good” validation strategy.

Phase: Implementation

Description: 

Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.
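The JDBC code below is an added example, not from the CWE entry, and assumes an open java.sql.Connection and a table invoices(id, owner_id, body) in which owner_id is the account that may read the row; both are assumptions. It shows the point the two mitigations make together: a parameterized query stops SQL injection but does nothing about authorization, so the authenticated user's identity, taken from the server-side session and never from the request, has to be bound into the predicate as well.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example: a user-controlled primary key is not an authorization decision (CWE-566).
public class OwnedRecordLookup {
    /** Allowlist validation: the id must be a positive decimal integer that fits in a long. */
    static long parseInvoiceId(String raw) {
        if (raw == null || !raw.matches("[1-9][0-9]{0,17}")) {
            throw new IllegalArgumentException("invalid invoice id");
        }
        return Long.parseLong(raw);
    }

    /** Vulnerable: parameterized, yet the caller-chosen key is the only filter. */
    static String loadInvoiceVulnerable(Connection db, long invoiceId) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("SELECT body FROM invoices WHERE id = ?")) {
            ps.setLong(1, invoiceId);   // any id the requester types, including another user's
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /** Fixed: the authenticated principal is part of the predicate; the client cannot choose it. */
    static String loadInvoiceOwned(Connection db, long invoiceId, long sessionUserId)
            throws SQLException {
        try (PreparedStatement ps = db.prepareStatement(
                "SELECT body FROM invoices WHERE id = ? AND owner_id = ?")) {
            ps.setLong(1, invoiceId);
            ps.setLong(2, sessionUserId);   // from the server-side session, never from the request
            try (ResultSet rs = ps.executeQuery()) {
                // null for both "no such invoice" and "not yours", so enumeration reveals nothing
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

Returning the same result for a missing row and a row owned by someone else is deliberate: distinguishing the two lets an attacker enumerate which keys exist even when the data itself is withheld.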

CWE-565 – Reliance on Cookies without Validation and Integrity Checking

Description

The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site scripting, or otherwise modify inputs in unexpected ways.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-642
CWE-669
CWE-602

Consequences

Access Control: Gain Privileges or Assume Identity

It is dangerous to use cookies to set a user’s privileges. The cookie can be manipulated to escalate an attacker’s privileges to an administrative level.

Potential Mitigations

Phase: Architecture and Design

Description: 

Avoid using cookie data for a security-related decision.

Phase: Implementation

Description: 

Perform thorough input validation (i.e., server-side validation) on the cookie data if you’re going to use it for a security-related decision.

Phase: Architecture and Design

Description: 

Add integrity checks to detect tampering.

Phase: Architecture and Design

Description: 

Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.
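The Java class below is an added example that is not part of the CWE entry. It implements the two Architecture and Design mitigations above in one place: an HMAC-SHA256 tag computed with a key that exists only on the server gives the integrity check, and an expiry timestamp inside the signed payload bounds the replay window. The cookie layout (user|role|expiry, base64url-encoded, followed by the tag), the field separator, and the assumption that user ids contain no "|" character are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: integrity-checked, expiring cookie value (mitigations for CWE-565).
public class SignedCookie {
    private static final String ALG = "HmacSHA256";
    private final byte[] serverKey;   // the unpredictable server-side value; never sent to the client

    SignedCookie(byte[] serverKey) {
        this.serverKey = serverKey.clone();
    }

    /** Issues "base64url(payload).base64url(HMAC(payload))" with the expiry baked into the payload. */
    String issue(String userId, String role, long expiresAtEpochSec) {
        String payload = userId + "|" + role + "|" + expiresAtEpochSec;
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(mac(payload));
    }

    /** Returns {userId, role, expiry} if the tag verifies and the cookie is unexpired, else null. */
    String[] verify(String cookie, long nowEpochSec) {
        if (cookie == null) return null;
        int dot = cookie.lastIndexOf('.');
        if (dot <= 0) return null;
        byte[] payloadBytes;
        byte[] tag;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(cookie.substring(0, dot));
            tag = Base64.getUrlDecoder().decode(cookie.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                                    // not valid base64url
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(mac(payload), tag)) {
            return null;                                    // tampered; comparison is constant-time
        }
        String[] fields = payload.split("\\|", -1);
        if (fields.length != 3) return null;
        long expiry;
        try {
            expiry = Long.parseLong(fields[2]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (expiry <= nowEpochSec) return null;             // validity window closed: limits replay
        return fields;
    }

    private byte[] mac(String payload) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(serverKey, ALG));
            return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        SignedCookie cookies = new SignedCookie(key);
        long now = System.currentTimeMillis() / 1000;

        String valid = cookies.issue("alice", "user", now + 600);
        System.out.println("valid:  " + Arrays.toString(cookies.verify(valid, now)));

        // Privilege escalation attempt: rewrite role=user to role=admin, keep the original tag.
        String forged = b64(("alice|admin|" + (now + 600)).getBytes(StandardCharsets.UTF_8))
                + valid.substring(valid.lastIndexOf('.'));
        System.out.println("forged: " + Arrays.toString(cookies.verify(forged, now)));

        // Replay of a cookie whose validity window has already closed.
        String stale = cookies.issue("alice", "user", now - 1);
        System.out.println("stale:  " + Arrays.toString(cookies.verify(stale, now)));
    }
}
```

The forged and stale cookies both verify as null, the valid one yields its three fields. Even so, the first mitigation listed above remains the stronger design: an opaque random session id looked up in server-side state carries no privilege data for a client to edit in the first place, and signing is the fallback for the cases where a stateless cookie is unavoidable.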

CWE-564 – SQL Injection: Hibernate

Description

Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-89

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

Potential Mitigations

Phase: Requirements

Description: 

A non-SQL style database which is not subject to this flaw may be chosen.

Phase: Architecture and Design

Description: 

Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others’ data.

Phase: Architecture and Design

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation

Description: 

Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.

Phase: Implementation

Description: 

Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.
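The following is an added example, not code from the CWE entry or from Hibernate, covering the two Implementation mitigations above. It assumes Hibernate 5.2 or later on the classpath and a mapped entity class User with a String property name; both are assumptions. The vulnerable method splices the input into HQL, so a value such as x' or '1'='1 rewrites the predicate; the fixed method binds a named parameter and additionally applies an allowlist to the value before it reaches the query.

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Added example: HQL built by concatenation (CWE-564) beside a bound-parameter query.
public class HibernateUserLookup {
    /** Vulnerable: user input becomes part of the HQL text. */
    static List<User> findByNameVulnerable(Session session, String name) {
        String hql = "from User u where u.name = '" + name + "'";   // "x' or '1'='1" alters the predicate
        return session.createQuery(hql, User.class).list();
    }

    /** Fixed: allowlist the value, then bind it; bound values can never change the query's structure. */
    static List<User> findByNameSafe(Session session, String name) {
        if (name == null || !name.matches("[A-Za-z0-9_.-]{1,64}")) {
            throw new IllegalArgumentException("invalid user name");
        }
        Query<User> q = session.createQuery("from User u where u.name = :name", User.class);
        q.setParameter("name", name);
        return q.list();
    }
}
```

The same rule applies to session.createNativeQuery(): parameter binding is what provides the protection, and HQL being an object query language rather than raw SQL changes nothing about concatenation. The allowlist is kept even with binding, for the reason the mitigation gives: a value stored once may later be read back and reused in a context that does not escape it.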

CWE-563 – Assignment to Variable without Use

Description

The variable’s value is assigned but never used, making it a dead store.

After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug.
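An added example, not from the CWE entry, of the second case described above: the dead store is the only visible symptom of a real bug, because the sanitized value is computed and discarded while the raw input is what gets used. The sanitizer, the method names and the sample input are assumed for illustration.

```java
// Added example: a dead store (CWE-563) that points at a sanitization bug.
public class DeadStore {
    /** Removes control characters, including CR and LF, from a value. */
    static String stripControl(String s) {
        return s.replaceAll("\\p{Cntrl}", "");
    }

    /** Buggy: 'clean' is assigned and never read; the raw input is returned instead. */
    static String normalizeBuggy(String raw) {
        String clean = stripControl(raw);   // dead store: a static analyzer flags this line
        return raw;                         // the unsanitized value is what the caller uses
    }

    /** Fixed: the sanitized value is the one that leaves the method. */
    static String normalizeFixed(String raw) {
        return stripControl(raw);
    }

    public static void main(String[] args) {
        String raw = "value\r\ninjected-line";   // constructed sample input
        System.out.println("buggy keeps CRLF: " + normalizeBuggy(raw).contains("\r\n"));
        System.out.println("fixed keeps CRLF: " + normalizeFixed(raw).contains("\r\n"));
    }
}
```

Compilers and IDEs report the unused variable as a warning, not an error, which is why the dead-store finding is worth triaging rather than silencing: deleting the line would make the warning go away and leave the bug in place.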

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-1164

Consequences

Other: Quality Degradation, Varies by Context

This weakness could be an indication of a bug in the program or a deprecated variable that was not removed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses.

Potential Mitigations

Phase: Implementation

Description: 

Remove unused variables from the code.