CWE-491 – Public cloneable() Method Without Final (‘Object Hijack’)

Description

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-668

Consequences

Integrity, Other: Unexpected State, Varies by Context

Potential Mitigations

Phase: Implementation

Description: 

Make the cloneable() method final.
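An added illustration, not part of the CWE entry: a Java class whose constructor enforces a range invariant, first with an overridable clone() that bypasses that constructor through super.clone(), then with a final clone() that copies through the constructor so the invariant is re-checked. Class and field names (Budget, SafeBudget, limit) are constructed for the demonstration.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Constructed example: Object.clone() builds the copy by duplicating fields, so the
// constructor, and any invariant it enforces, never runs for the cloned instance.
public class CloneGuard {
    // Weak form (CWE-491): clone() is overridable, and it skips the constructor.
    static class Budget implements Cloneable {
        static final AtomicInteger constructorCalls = new AtomicInteger();
        private int limit;
        Budget(int limit) {
            if (limit <= 0 || limit > 1000) throw new IllegalArgumentException("limit out of range");
            this.limit = limit;
            constructorCalls.incrementAndGet();
        }
        @Override
        public Budget clone() {
            try {
                return (Budget) super.clone();   // field copy only; constructorCalls is untouched
            } catch (CloneNotSupportedException e) {
                throw new AssertionError(e);
            }
        }
    }

    // Hardened form: clone() is final, so no subclass can substitute its own copy
    // logic, and the copy is produced through the validating constructor.
    static class SafeBudget implements Cloneable {
        static final AtomicInteger constructorCalls = new AtomicInteger();
        private final int limit;
        SafeBudget(int limit) {
            if (limit <= 0 || limit > 1000) throw new IllegalArgumentException("limit out of range");
            this.limit = limit;
            constructorCalls.incrementAndGet();
        }
        @Override
        public final SafeBudget clone() {
            return new SafeBudget(limit);        // invariants re-checked on every copy
        }
    }

    public static void main(String[] args) {
        new Budget(500).clone();
        System.out.println("Budget: constructor calls after one clone = " + Budget.constructorCalls.get());
        new SafeBudget(500).clone();
        System.out.println("SafeBudget: constructor calls after one clone = " + SafeBudget.constructorCalls.get());
    }
}
```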

CVE References

CWE-49 – Path Equivalence: ‘filename/’ (Trailing Slash)

Description

A software system that accepts path input in the form of trailing slash (‘filedir/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-41
CWE-162

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

CVE References

  • CVE-2001-0446
    • Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.
  • CVE-2004-0334
    • Bypass Basic Authentication for files using trailing “/”
  • CVE-2001-0892
    • Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
  • CVE-2004-1814
    • Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.
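As an added example (not from the CWE entry or any of the products cited above), a Java check that canonicalises the requested path before applying a protected-suffix rule, so the trailing-slash variants in the CVEs above receive the same decision as the plain path. The web root, the suffix list and the sample request strings are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

// Constructed example: apply access rules to the canonical path, not to the raw
// request string, so "secret.jsp/" and "secret.jsp" receive the same decision.
public class PathEquivalenceCheck {
    // Constructed policy: these suffixes must never be served as raw files.
    private static final Set<String> PROTECTED_SUFFIXES = Set.of(".jsp", ".htpasswd");

    // Weak form (CWE-49): the rule runs on the raw string, so a trailing slash
    // defeats the suffix match while the file system may still resolve the file.
    static boolean allowedWeak(String requested) {
        for (String s : PROTECTED_SUFFIXES) {
            if (requested.endsWith(s)) return false;
        }
        return true;
    }

    // Hardened form: strip trailing separators, normalise, confine the result to
    // the web root, then apply the same rule to the canonical file name.
    static boolean allowedHardened(Path webRoot, String requested) {
        String trimmed = requested;
        while (trimmed.length() > 1 && trimmed.endsWith("/")) {
            trimmed = trimmed.substring(0, trimmed.length() - 1);
        }
        Path base = webRoot.toAbsolutePath().normalize();
        Path target = base.resolve(trimmed.replaceFirst("^/+", "")).normalize();
        if (!target.startsWith(base)) return false;                 // escaped the web root
        String name = target.getFileName() == null ? "" : target.getFileName().toString();
        for (String s : PROTECTED_SUFFIXES) {
            if (name.endsWith(s)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/www/app");                       // constructed web root
        String[] requests = { "/index.html", "/admin/secret.jsp", "/admin/secret.jsp/",
                              "/.htpasswd/", "/../etc/passwd" };
        for (String r : requests) {
            System.out.printf("%-20s weak=%-5b hardened=%b%n", r, allowedWeak(r), allowedHardened(root, r));
        }
    }
}
```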

CWE-489 – Active Debug Code

Description

The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-710
CWE-215

Consequences

Confidentiality, Integrity, Availability, Access Control, Other: Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context

The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as any confidential information that either of these can access.

Potential Mitigations

Phase: Build and Compilation, Distribution

Description: 

Remove debug code before deploying the application.

CVE References

CWE-488 – Exposure of Data Element to Wrong Session

Description

The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-668

Consequences

Confidentiality: Read Application Data

Potential Mitigations

Phase: Architecture and Design

Description: 

Protect the application’s sessions from information leakage. Make sure that a session’s data is neither used by nor visible to other sessions.

Phase: Testing

Description: 

Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).

Phase: Architecture and Design

Description: 

In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.
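An added stand-alone Java example, not from the CWE entry: a handler that keeps the current user in a member field, as a Servlet instance shared across request threads would, beside one that keeps it in a local variable, both driven by concurrent requests so the cross-session leak is counted rather than described. The handler classes and user names are constructed stand-ins for a servlet container.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.LockSupport;
import java.util.function.Function;

// Constructed example: a servlet is one instance shared by every request thread, so
// per-request state kept in a member field bleeds into other sessions' responses.
// Plain handler classes stand in for HttpServlet so this runs without a container.
public class SessionLeakDemo {
    // Weak form (CWE-488): the current user lives in a field shared by all threads.
    static class LeakyHandler {
        private String currentUser;
        String handle(String user) {
            currentUser = user;
            LockSupport.parkNanos(500_000);          // simulated work between write and read
            return "Hello, " + currentUser;          // may now name another session's user
        }
    }
    // Hardened form: per-request data lives in a local on the request thread's stack.
    static class SafeHandler {
        String handle(String user) {
            String requestUser = user;
            LockSupport.parkNanos(500_000);
            return "Hello, " + requestUser;
        }
    }
    // Issue many concurrent requests and count responses addressed to the wrong user.
    static int wrongUserResponses(Function<String, String> handler, int requests, int threads) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger wrong = new AtomicInteger();
        List<Future<?>> tasks = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            String user = "user" + i;
            tasks.add(pool.submit(() -> {
                if (!handler.apply(user).equals("Hello, " + user)) wrong.incrementAndGet();
            }));
        }
        for (Future<?> f : tasks) f.get();
        pool.shutdown();
        return wrong.get();
    }
    public static void main(String[] args) throws Exception {
        LeakyHandler leaky = new LeakyHandler();
        SafeHandler safe = new SafeHandler();
        System.out.println("member field   wrong-user responses: " + wrongUserResponses(leaky::handle, 500, 16));
        System.out.println("local variable wrong-user responses: " + wrongUserResponses(safe::handle, 500, 16));
    }
}
```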

CVE References

CWE-487 – Reliance on Package-level Scope

Description

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

Related Weaknesses

CWE-664

Consequences

Confidentiality: Read Application Data

Any data in a Java package can be accessed outside of the Java framework if the package is distributed.

Integrity: Modify Application Data

The data in a Java class can be modified by anyone outside of the Java framework if the package is distributed.

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Data should be private static and final whenever possible. This ensures the data is initialized early and is protected against outside access and tampering.

CVE References

CWE-486 – Comparison of Classes by Name

Description

The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

Related Weaknesses

CWE-1025

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

If a program relies solely on the name of an object to determine identity, it may execute the incorrect or unintended code.

Potential Mitigations

Phase: Implementation

Description: 

Use class equivalency to determine type. Rather than using the class name to determine whether an object is of a given type, use the getClass() method and the == operator.
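An added Java example, not from the CWE entry, showing why the getClass() and == comparison matters: a second class loader defines a class with exactly the same name, and only the Class-object comparison tells the two apart. The TrustedHandler class and the IsolatedLoader are constructed for this demonstration; compile with javac and run with java so that the nested class's .class file is available on the class path.

```java
import java.io.IOException;
import java.io.InputStream;

// Constructed example: two classes can share a fully qualified name when they are
// defined by different class loaders; only the Class object identity tells them
// apart. Compile with javac and run with java so that the nested class's .class
// file is available as a class-path resource.
public class ClassIdentityCheck {
    public static class TrustedHandler {
        public TrustedHandler() {}
        public String describe() { return "trusted"; }
    }

    // Weak form (CWE-486): any class that happens to carry the same name passes.
    static boolean trustedByName(Object o) {
        return o.getClass().getName().equals(TrustedHandler.class.getName());
    }

    // Hardened form: compare Class objects, which are unique per defining loader.
    static boolean trustedByIdentity(Object o) {
        return o.getClass() == TrustedHandler.class;
    }

    // A loader with no parent re-defines the class from its own bytecode, yielding a
    // distinct Class object with the same name (stands in for a second jar or plug-in).
    static class IsolatedLoader extends ClassLoader {
        IsolatedLoader() { super(null); }
        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = ClassLoader.getSystemResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Object genuine = new TrustedHandler();
        Object lookalike = new IsolatedLoader().loadClass(TrustedHandler.class.getName())
                                               .getDeclaredConstructor().newInstance();
        System.out.println("genuine   byName=" + trustedByName(genuine) + " byIdentity=" + trustedByIdentity(genuine));
        System.out.println("lookalike byName=" + trustedByName(lookalike) + " byIdentity=" + trustedByIdentity(lookalike));
    }
}
```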

CVE References

CWE-484 – Omitted Break Statement in Switch

Description

The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

This can lead to critical code executing in situations where it should not.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

Related Weaknesses

CWE-710
CWE-670

Consequences

Other: Alter Execution Logic

This weakness can cause unintended logic to be executed and other unexpected application behavior.

Potential Mitigations

Phase: Implementation

Description: 

Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should be avoided. If you need to use fall-through capabilities, make sure that you have clearly documented this within the switch statement, and ensure that you have examined all the logical possibilities.

Phase: Implementation

Description: 

The functionality of omitting a break statement could be clarified with an if statement. This method is much safer.
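An added Java example (not from the CWE entry): a role-to-permission switch with one missing break sitting next to the documented intentional fall-throughs, and the same mapping rewritten so that fall-through cannot happen at all. The roles and permissions are constructed.

```java
import java.util.EnumSet;
import java.util.Set;

// Constructed example: one omitted break turns an exclusive case into a cumulative
// one, so the lowest-privilege role silently collects the grants of the next case.
public class SwitchFallthrough {
    enum Role { GUEST, VIEWER, EDITOR, ADMIN }
    enum Permission { READ_PUBLIC, READ, WRITE, DELETE }

    // Weak form (CWE-484): GUEST should receive READ_PUBLIC only, but without a
    // break control falls into the ADMIN case and keeps falling.
    static Set<Permission> permissionsBuggy(Role role) {
        Set<Permission> perms = EnumSet.noneOf(Permission.class);
        switch (role) {
            case GUEST:
                perms.add(Permission.READ_PUBLIC);
                // break missing here
            case ADMIN:
                perms.add(Permission.DELETE);
                // intentional fall-through: ADMIN also holds everything EDITOR holds
            case EDITOR:
                perms.add(Permission.WRITE);
                // intentional fall-through: EDITOR also holds everything VIEWER holds
            case VIEWER:
                perms.add(Permission.READ);
                break;
        }
        return perms;
    }

    // Hardened form: every case spells out its complete grant set, and the arrow
    // form of switch (Java 14+) cannot fall through, so the omission is impossible.
    static Set<Permission> permissionsFixed(Role role) {
        return switch (role) {
            case GUEST  -> EnumSet.of(Permission.READ_PUBLIC);
            case VIEWER -> EnumSet.of(Permission.READ);
            case EDITOR -> EnumSet.of(Permission.READ, Permission.WRITE);
            case ADMIN  -> EnumSet.of(Permission.READ, Permission.WRITE, Permission.DELETE);
        };
    }

    public static void main(String[] args) {
        for (Role r : Role.values()) {
            System.out.printf("%-6s buggy=%-35s fixed=%s%n", r, permissionsBuggy(r), permissionsFixed(r));
        }
    }
}
```

javac -Xlint:fallthrough reports each case that runs into the next, the intentional ones included, which is the kind of static check the mitigation above relies on.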

CVE References

CWE-483 – Incorrect Block Delimitation

Description

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in a block but is not. In some cases, the logic error can have security implications.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Low

Related Weaknesses

CWE-670

Consequences

Confidentiality, Integrity, Availability: Alter Execution Logic

This is a general logic error which will often lead to obviously incorrect behaviors that are quickly noticed and fixed. In lightly tested or untested code, this error may be introduced into a production environment and provide additional attack vectors by creating a control flow path leading to an unexpected state in the application. The consequences will depend on the types of behaviors that are being incorrectly executed.

Potential Mitigations

Phase: Implementation

Description: 

Always use explicit block delimitation and use static-analysis technologies to enforce this practice.

CVE References

  • CVE-2014-1266
    • Incorrect indentation of a “goto” statement makes it more difficult to detect an incorrect goto (Apple’s “goto fail”).
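An added Java example, not from the CWE entry: an access check in which the second, indented statement was meant to sit inside the if but, with no braces, runs for every caller, placed beside the braced version. The role names and the audit helper are constructed.

```java
// Constructed example: without braces only the first statement belongs to the if;
// the indented second statement runs unconditionally, the same shape of mistake
// as the duplicated "goto fail" line in CVE-2014-1266.
public class BlockDelimitation {

    // Weak form (CWE-483): "allowed = true" looks conditional but executes for
    // every role, so any caller with a valid token is treated as an administrator.
    static boolean adminAccessBuggy(String role, boolean tokenValid) {
        boolean allowed = false;
        if (role.equals("admin"))
            audit("privileged path entered for role " + role);
            allowed = true;                       // not inside the if
        return allowed && tokenValid;
    }

    // Hardened form: explicit braces make the intended block unambiguous.
    static boolean adminAccessFixed(String role, boolean tokenValid) {
        boolean allowed = false;
        if (role.equals("admin")) {
            audit("privileged path entered for role " + role);
            allowed = true;
        }
        return allowed && tokenValid;
    }

    static void audit(String message) { System.out.println("[audit] " + message); }

    public static void main(String[] args) {
        for (String role : new String[] { "admin", "viewer" }) {
            System.out.printf("role=%-6s buggy=%-5b fixed=%b%n",
                    role, adminAccessBuggy(role, true), adminAccessFixed(role, true));
        }
    }
}
```

javac emits no warning for this shape, so the explicit-brace rule has to be enforced by a linter or in code review, as the mitigation says.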

CWE-482 – Comparing instead of Assigning

Description

The code uses an operator for comparison when the intention was to perform an assignment.

In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Low

Related Weaknesses

CWE-480

Consequences

Availability, Integrity: Unexpected State

The assignment will not take place, which should cause obvious program execution problems.

Potential Mitigations

Phase: Testing

Description: 

Many IDEs and static analysis products will detect this problem.

CVE References

CWE-481 – Assigning instead of Comparing

Description

The code uses an operator for assignment when the intention was to perform a comparison.

In many languages the compare statement is very close in appearance to the assignment statement, and the two are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison is in an if statement, the if statement will usually evaluate the value of the right-hand side of the predicate.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Low

Related Weaknesses

CWE-480
CWE-697

Consequences

Other: Alter Execution Logic

Potential Mitigations

Phase: Testing

Description: 

Many IDEs and static analysis products will detect this problem.

Phase: Implementation

Description: 

Place constants on the left. If one attempts to assign a variable to a constant, the compiler will produce an error.
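An added Java example, not from the CWE entry: an authorisation check in which a boolean field is assigned instead of compared, which both takes the branch for every caller and elevates the session as a side effect, followed by the two fixes the mitigations describe. The Session class and its field are constructed.

```java
// Constructed example: in Java an accidental "=" inside an if condition compiles only
// when the variable is boolean, which is exactly the case for authorisation flags.
public class AssignInsteadOfCompare {
    static class Session {
        boolean isAdmin;
        Session(boolean isAdmin) { this.isAdmin = isAdmin; }
    }

    // Weak form (CWE-481): "=" assigns true and then tests the assigned value, so the
    // branch is taken for every caller and the session is elevated as a side effect.
    static boolean canDeleteBuggy(Session s) {
        if (s.isAdmin = true) {                  // typo for ==
            return true;
        }
        return false;
    }

    // Hardened form 1: test the boolean directly; there is no operator to mistype.
    static boolean canDeleteFixed(Session s) {
        return s.isAdmin;
    }

    // Hardened form 2 (the constant-on-the-left rule from the mitigation): if the "="
    // typo is made here, "true = s.isAdmin" is rejected by the compiler.
    static boolean canDeleteConstantLeft(Session s) {
        if (true == s.isAdmin) {
            return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Session viewer = new Session(false);
        boolean buggy = canDeleteBuggy(viewer);
        System.out.println("buggy:         canDelete=" + buggy + ", isAdmin after check=" + viewer.isAdmin);
        viewer = new Session(false);
        System.out.println("fixed:         canDelete=" + canDeleteFixed(viewer) + ", isAdmin after check=" + viewer.isAdmin);
        System.out.println("constant-left: canDelete=" + canDeleteConstantLeft(viewer) + ", isAdmin after check=" + viewer.isAdmin);
    }
}
```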

CVE References