A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
Modes of Introduction:
– Implementation
Integrity, Other: Unexpected State, Varies by Context
Phase: Implementation
Description:
Make the cloneable() method final.
A software system that accepts path input in the form of trailing slash (‘filedir/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Modes of Introduction:
– Implementation
Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories
The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.
Modes of Introduction:
– Implementation
Confidentiality, Integrity, Availability, Access Control, Other: Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context
The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as confidential information that either of these access.
Phase: Build and Compilation, Distribution
Description:
Remove debug code before deploying the application.
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
Modes of Introduction:
– Implementation
Confidentiality: Read Application Data
Phase: Architecture and Design
Description:
Protect the application’s sessions from information leakage. Make sure that a session’s data is not used or visible by other sessions.
Phase: Testing
Description:
Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).
Phase: Architecture and Design
Description:
In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.
Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Medium
Confidentiality: Read Application Data
Any data in a Java package can be accessed outside of the Java framework if the package is distributed.
Integrity: Modify Application Data
The data in a Java class can be modified by anyone outside of the Java framework if the packages is distributed.
Phase: Architecture and Design, Implementation
Description:
Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering.
The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.
If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.
Modes of Introduction:
– Implementation
Likelihood of Exploit: High
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
If a program relies solely on the name of an object to determine identity, it may execute the incorrect or unintended code.
Phase: Implementation
Description:
Use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator.
The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.
This can lead to critical code executing in situations where it should not.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Medium
Other: Alter Execution Logic
This weakness can cause unintended logic to be executed and other unexpected application behavior.
Phase: Implementation
Description:
Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should be avoided. If you need to use fall-through capabilities, make sure that you have clearly documented this within the switch statement, and ensure that you have examined all the logical possibilities.
Phase: Implementation
Description:
The functionality of omitting a break statement could be clarified with an if statement. This method is much safer.
The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in a block but is not. In some cases, the logic error can have security implications.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Low
Confidentiality, Integrity, Availability: Alter Execution Logic
This is a general logic error which will often lead to obviously-incorrect behaviors that are quickly noticed and fixed. In lightly tested or untested code, this error may be introduced it into a production environment and provide additional attack vectors by creating a control flow path leading to an unexpected state in the application. The consequences will depend on the types of behaviors that are being incorrectly executed.
Phase: Implementation
Description:
Always use explicit block delimitation and use static-analysis technologies to enforce this practice.
The code uses an operator for comparison when the intention was to perform an assignment.
In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Low
Availability, Integrity: Unexpected State
The assignment will not take place, which should cause obvious program execution problems.
Phase: Testing
Description:
Many IDEs and static analysis products will detect this problem.
The code uses an operator for assignment when the intention was to perform a comparison.
In many languages the compare statement is very close in appearance to the assignment statement and are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison is in an if statement, the if statement will usually evaluate the value of the right-hand side of the predicate.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Low
Other: Alter Execution Logic
Phase: Testing
Description:
Many IDEs and static analysis products will detect this problem.
Phase: Implementation
Description:
Place constants on the left. If one attempts to assign a constant with a variable, the compiler will produce an error.