CWE-450 – Multiple Interpretations of UI Input

Description

The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-357

Consequences

Other: Varies by Context

Potential Mitigations

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE-45 – Path Equivalence: ‘file...name’ (Multiple Internal Dot)

Description

A software system that accepts path input containing multiple internal dots (‘file...dir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
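The CWE-450 mitigation above (decode and canonicalize once, then validate) and the multiple-dot segments of CWE-45 call for the same pipeline, so one added example covers both. This is illustrative code written for this page, not from CWE; the base directory, the path samples and the `RejectedPath` type are constructed.

```python
"""Added example, not from the CWE text: decode once, canonicalise, then
validate, with the CWE-45 dot-run check applied to the canonical form.
All paths and the base directory are constructed."""
import posixpath
import re
from urllib.parse import unquote

class RejectedPath(ValueError):
    pass

def canonicalize(user_path: str) -> str:
    """Percent-decode exactly once, then normalise to a POSIX form."""
    decoded = unquote(user_path)
    if re.search(r"%[0-9A-Fa-f]{2}", decoded):
        # A second encoded layer survived one decode: the input only makes
        # sense if some later component decodes it again (CWE-174).
        raise RejectedPath("nested percent-encoding")
    if "\x00" in decoded:
        raise RejectedPath("NUL byte in path")
    return posixpath.normpath(decoded.replace("\\", "/"))

def validate(norm: str) -> str:
    """Allowlist check, run on the canonical form only (CWE-180 ordering)."""
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise RejectedPath("escapes the base directory")
    for seg in norm.split("/"):
        # normpath has resolved '.' and '..'; a remaining run of dots inside a
        # name, or a trailing dot, is a CWE-45 style equivalence ('file...name').
        if ".." in seg or seg.endswith("."):
            raise RejectedPath(f"ambiguous segment {seg!r}")
    return norm

def resolve(base: str, user_path: str) -> str:
    """Decode once -> canonicalise -> validate -> join under base."""
    return posixpath.join(base, validate(canonicalize(user_path)))

def validate_then_decode(base: str, user_path: str) -> str:
    """Anti-pattern for contrast: the check runs on the raw string, so an
    encoded '..' passes and is only revealed by the later decode."""
    if ".." in user_path:
        raise RejectedPath("escapes the base directory")
    return posixpath.join(base, unquote(user_path))

def is_rejected(base: str, user_path: str) -> bool:
    try:
        resolve(base, user_path)
    except RejectedPath:
        return True
    return False
```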

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-44
CWE-165

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

CVE References

CWE-449 – The UI Performs the Wrong Action

Description

The UI performs the wrong action with respect to the user’s request.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-446

Consequences

Other: Quality Degradation, Varies by Context

Potential Mitigations

Phase: Testing

Description: 

Perform extensive functionality testing of the UI. The UI should behave as specified.

CVE References

  • CVE-2001-1387
    • Network firewall accidentally implements one command line option as if it were another, possibly leading to behavioral infoleak.
  • CVE-2001-0081
    • Command line option correctly suppresses a user prompt but does not properly disable a feature, although when the product prompts the user, the feature is properly disabled.
  • CVE-2002-1977
    • Product does not “time out” according to user specification, leaving sensitive data available after it has expired.

CWE-448 – Obsolete Feature in UI

Description

A UI function is obsolete and the product does not warn the user.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-446

Consequences

Other: Quality Degradation, Varies by Context

Potential Mitigations

Phase: Architecture and Design

Description: 

Remove the obsolete feature from the UI. Warn the user that the feature is no longer supported.

CVE References

CWE-447 – Unimplemented or Unsupported Feature in UI

Description

A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-446
CWE-671

Consequences

Other: Varies by Context

Potential Mitigations

Phase: Testing

Description: 

Perform functionality testing before deploying the application.

CVE References

  • CVE-2000-0127
    • GUI configuration tool does not enable a security option when a checkbox is selected, although that option is honored when manually set in the configuration file.
  • CVE-2001-0863
    • Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass.
  • CVE-2001-0865
    • Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass.
  • CVE-2004-0979
    • Web browser does not properly modify security setting when the user sets it.

CWE-446 – UI Discrepancy for Security Feature

Description

The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.

When the user interface does not properly reflect what the user asks of it, it can lead the user into a false sense of security. For example, the user might check a box to enable a security option for encrypted communications, but the software does not actually enable the encryption. Alternately, the user might provide a “restrict ALL” access control rule, but the software only implements “restrict SOME”.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-684

Consequences

Other: Varies by Context

Potential Mitigations

CVE References

  • CVE-1999-1446
    • UI inconsistency; visited URLs list not cleared when “Clear History” option is selected.

CWE-444 – Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

Description

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-436

Consequences

Integrity, Non-Repudiation, Access Control: Unexpected State, Hide Activities, Bypass Protection Mechanism

An attacker could craft a request that exploits a number of weaknesses, including: 1) tricking the web server into associating one URL with another URL’s web page and caching that page’s contents (a web cache poisoning attack); 2) structuring the request to bypass firewall protection mechanisms and gain unauthorized access to a web application; and 3) invoking a script or page that returns client credentials (similar to a cross-site scripting attack).

Potential Mitigations

Phase: Implementation

Description: 

Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].

Phase: Implementation

Description: 

Use only SSL communication.

Phase: Implementation

Description: 

Terminate the client session after each request.

Phase: System Configuration

Description: 

Make all pages non-cacheable.
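The "strict HTTP parsing" mitigation above amounts to refusing any request whose body length can be read two ways. The check below is an added example written for this page, not code from CWE or from any named server; it flags the inconsistent Transfer-Encoding and Content-Length combinations the CVE references describe, plus a few header shapes that parsers are known to disagree on. The request samples are constructed.

```python
"""Added example, not from the CWE text: a strict request-framing check that a
front end can apply before forwarding. A request with any finding should be
rejected (400) rather than passed on. Request samples are constructed."""
import re

CRLF = b"\r\n"
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}

def parse_head(raw: bytes):
    """Split a raw request head into (request_line, [(name, value), ...])."""
    lines = raw.split(CRLF + CRLF, 1)[0].split(CRLF)
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):  # obsolete line folding: parsers disagree
            headers.append(("<obs-fold>", line.strip().decode("latin-1")))
            continue
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers

def framing_problems(raw: bytes) -> list:
    """Reasons the body length is ambiguous; empty means safe to forward."""
    _, headers = parse_head(raw)
    problems = []
    for name, _ in headers:
        if name == "<obs-fold>":
            problems.append("obsolete line folding in header block")
        elif name != name.strip():
            problems.append(f"whitespace around header name {name!r}")
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    if te and cl:
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append(f"non-numeric Content-Length {v!r}")
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    if codings and codings[-1] != "chunked":
        problems.append("'chunked' is not the final transfer coding")
    if any(c not in KNOWN_CODINGS for c in codings):
        problems.append("unrecognised transfer coding")
    return problems

# Constructed samples: a clean request and the header pair named in the CVEs.
CLEAN = b"POST /submit HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
```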

CVE References

  • CVE-2005-2088
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2089
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2090
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2091
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2092
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2093
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2094
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.

CWE-441 – Unintended Proxy or Intermediary (‘Confused Deputy’)

Description

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product’s control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-610
CWE-668

Consequences

Non-Repudiation, Access Control: Gain Privileges or Assume Identity, Hide Activities, Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Architecture and Design

Description: 

Enforce the use of a strong mutual authentication mechanism between the two parties.

Phase: Architecture and Design

Description: 

Whenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained, and it should be forwarded all the way to the target.

CVE References

  • CVE-1999-0017
    • FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker’s.
  • CVE-1999-0168
    • RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper.
  • CVE-2005-0315
    • FTP server does not ensure that the IP address in a PORT command is the same as the FTP user’s session, allowing port scanning by proxy.
  • CVE-2002-1484
    • Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.
  • CVE-2001-1484
    • Bounce attack allows access to TFTP from trusted side.
  • CVE-2010-1637
    • Web-based mail program allows internal network scanning using a modified POP3 port number.
  • CVE-2009-0037
    • URL-downloading library automatically follows redirects to file:// and scp:// URLs.

CWE-440 – Expected Behavior Violation

Description

A feature, API, or function does not perform according to its specification.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-684

Consequences

Other: Quality Degradation, Varies by Context

Potential Mitigations

CVE References

  • CVE-2003-0187
    • Program uses large timeouts on “undeserving” to compensate for inconsistency of support for linked lists.
  • CVE-2003-0465
    • “strncpy” in the Linux kernel acts differently than libc on x86, leading to an expected-behavior difference – sort of a multiple interpretation error?
  • CVE-2005-3265
    • Buffer overflow in product stems from the use of a third-party library function that is expected to have internal protection against overflows, but doesn’t.