All posts by rocco

Vulnerabilities of the TLS Protocol

Read Time:2 Minute, 6 Second

Secure Socket Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for secure online communication. They provide encryption and authentication between two applications over a network, ensuring the confidentiality and integrity of data transmitted between them.

However, SSL/TLS is not invulnerable, and over the years, several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant vulnerabilities is the POODLE attack, discovered in 2014, which affects the older versions of SSL/TLS. This vulnerability allows an attacker to exploit the way SSL/TLS handles padding in the encryption process, enabling them to read encrypted information, including sensitive information such as passwords and credit card numbers.

Another vulnerability is the BEAST attack, which exploits a vulnerability in the way SSL/TLS handles block ciphers in older versions of the protocol. This attack allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.

A third vulnerability is known as the DROWN attack, which can exploit weak encryption protocols such as SSLv2. The attack allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is now considered obsolete and no longer used, some older systems may still have it enabled, leaving them vulnerable to attack.

To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.

It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.

Another crucial step is to regularly update your TLS certificates, which verify the identity of the server you’re communicating with and ensure that your data is not intercepted by an attacker. TLS certificates have an expiration date, so it’s essential to keep them up to date to ensure maximum security.

Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.

By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.

CWE

Read Time:1 Minute, 11 Second

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities

The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

    Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java web applications. However, like any web server, it is also vulnerable to various security threats. In this article, we’ll explore some of the most dangerous vulnerabilities in Tomcat and provide tips on how to protect…

  • ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

    Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access to systems. One such vulnerability is ZDI-CAN-18333, a critical zero-day vulnerability that affects Microsoft Windows. In this article, we’ll take a closer look at what this vulnerability is, how it works, and what you can…

  • CWE-669 – Incorrect Resource Transfer Between Spheres

    Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security…

  • CWE-67 – Improper Handling of Windows Device Names

    Description The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. Not properly handling virtual…

  • CWE-670 – Always-Incorrect Control Flow Implementation

    Description The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example,…

  • CWE-671 – Lack of Administrator Control over Security

    Description The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. If the product’s administrator does not…

  • CWE-672 – Operation on a Resource after Expiration or Release

    Description The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-666   Consequences Integrity, Confidentiality: Modify Application Data, Read Application Data If a released resource is subsequently reused or reallocated, then an attempt to…

  • CWE-673 – External Influence of Sphere Definition

    Description The product does not prevent the definition of control spheres from external actors. Typically, a product defines its control sphere within the code itself, or through configuration by the product’s administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness. Modes of Introduction:…

  • CWE-674 – Uncontrolled Recursion

    Description The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack. Modes of Introduction: – Implementation     Related Weaknesses CWE-691   Consequences Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) Resources including CPU, memory, and stack memory could be…

  • CWE-675 – Multiple Operations on Resource in Single-Operation Context

    Description The product performs the same operation on a resource two or more times, when the operation should only be applied once. Modes of Introduction: – Implementation     Related Weaknesses CWE-573 CWE-586 CWE-102   Consequences Other: Other   Potential Mitigations CVE References

  • CWE-676 – Use of Potentially Dangerous Function

    Description The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-1177   Consequences Other: Varies by Context, Quality Degradation, Unexpected State If the function…

  • CWE-680 – Integer Overflow to Buffer Overflow

    Description The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. Modes of Introduction:     Related Weaknesses CWE-190 CWE-119   Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute…

  • CWE-681 – Incorrect Conversion between Numeric Types

    Description When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. Modes of Introduction: – Implementation   Likelihood of Exploit: High   Related Weaknesses…

  • CWE-682 – Incorrect Calculation

    Description The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things. Many of the direct results of an incorrect calculation can…

  • CWE-683 – Function Call With Incorrect Order of Arguments

    Description The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers or types of arguments, such…

  • CWE-684 – Incorrect Provision of Specified Functionality

    Description The code does not function according to its published specifications, potentially leading to incorrect usage. When providing functionality to an external party, it is important that the software behaves in accordance with the details specified. When requirements of nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to…

  • CWE-685 – Function Call With Incorrect Number of Arguments

    Description The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses. Modes of Introduction: – Implementation     Related Weaknesses CWE-628   Consequences Other: Quality Degradation   Potential Mitigations Phase: Testing Description:  Because this function call often…

  • CWE-686 – Function Call With Incorrect Argument Type

    Description The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. This weakness is most likely to occur in loosely typed languages, or in strongly typed languages in which the types of variable arguments cannot be enforced at compilation…

  • CWE-687 – Function Call With Incorrectly Specified Argument Value

    Description The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. Modes of Introduction: – Implementation     Related Weaknesses CWE-628   Consequences Other: Quality Degradation   Potential Mitigations CVE References

  • CWE-688 – Function Call With Incorrect Variable or Reference as Argument

    Description The software calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses. Modes of Introduction: – Implementation     Related Weaknesses CWE-628   Consequences Other: Quality Degradation   Potential Mitigations Phase: Testing Description:  Because this…

  • CWE-689 – Permission Race Condition During Resource Copy

    Description The product, while copying or cloning a resource, does not set the resource’s permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place. Modes of Introduction: – Implementation     Related Weaknesses CWE-362 CWE-362 CWE-732   Consequences Confidentiality, Integrity: Read Application Data,…

  • CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream

    Description The software does not properly prevent access to, or detect usage of, alternate data streams (ADS). An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and ‘dir’ at the command line utility. Alternately,…

  • CWE-647 – Use of Non-Canonical URL Paths for Authorization Decisions

    Description The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-863   Consequences Access Control: Bypass Protection Mechanism An attacker may…

  • CWE-648 – Incorrect Use of Privileged APIs

    Description The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Low   Related Weaknesses CWE-269   Consequences Access Control: Gain Privileges…

  • CWE-649 – Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking

    Description The software uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the software does not use integrity checks to detect if those inputs have been modified. When an application relies on obfuscation or incorrectly applied / weak encryption to protect client-controllable tokens or parameters, that may have…

  • CWE-65 – Windows Hard Link

    Description The software, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. Failure for a system to check for hard…

  • CWE-650 – Trusting HTTP Permission Methods on the Server Side

    Description The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state. The HTTP GET…

  • CWE-651 – Exposure of WSDL File Containing Sensitive Information

    Description The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return). Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-538…

  • CWE-652 – Improper Neutralization of Data within XQuery Expressions (‘XQuery Injection’)

    Description The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected…

  • CWE-653 – Improper Isolation or Compartmentalization

    Description The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users. Modes of Introduction: – Architecture and…

  • CWE-654 – Reliance on a Single Factor in a Security Decision

    Description A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-657 CWE-693  …

  • CWE-655 – Insufficient Psychological Acceptability

    Description The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-657 CWE-693   Consequences Access Control: Bypass Protection Mechanism By bypassing the security mechanism,…

  • CWE-656 – Reliance on Security Through Obscurity

    Description The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. This reliance on “security through obscurity” can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that…

  • CWE-657 – Violation of Secure Design Principles

    Description The product violates well-established principles for secure design. This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-710   Consequences Other:…

  • CWE-66 – Improper Handling of File Names that Identify Virtual Resources

    Description The product does not handle or incorrectly handles a file name that identifies a “virtual” resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file. Virtual file names are represented like normal file…

  • CWE-662 – Improper Synchronization

    Description The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. Modes of Introduction: – Architecture and Design…

  • CWE-663 – Use of a Non-reentrant Function in a Concurrent Context

    Description The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-662   Consequences Integrity, Confidentiality, Other: Modify Memory,…

  • CWE-664 – Improper Control of a Resource Through its Lifetime

    Description The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. Modes of Introduction: – Implementation     Related Weaknesses   Consequences Other: Other   Potential Mitigations Phase: Testing Description:  Use Static analysis tools to check for unreleased resources. CVE References

  • CWE-665 – Improper Initialization

    Description The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated…

  • CWE-666 – Operation on Resource in Wrong Phase of Lifetime

    Description The software performs an operation on a resource at the wrong phase of the resource’s lifecycle, which can lead to unexpected behaviors. When a developer wants to initialize, use or release a resource, it is important to follow the specifications outlined for how to operate on that resource and to ensure that the resource…

  • CWE-667 – Improper Locking

    Description The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-662 CWE-662 CWE-662 CWE-662   Consequences Availability: DoS: Resource Consumption (CPU) Inconsistent locking discipline can lead to deadlock.   Potential Mitigations Phase:…

  • CWE-668 – Exposure of Resource to Wrong Sphere

    Description The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-664   Consequences Confidentiality, Integrity, Other: Read Application Data, Modify Application Data, Other   Potential Mitigations CVE References

  • CWE-621 – Variable Extraction Error

    Description The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables. Modes of Introduction: – Implementation     Related Weaknesses CWE-914 CWE-471   Consequences Integrity: Modify Application Data An…

  • CWE-622 – Improper Validation of Function Hook Arguments

    Description The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities. Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall, which hooks kernel calls. When the arguments are not validated, they could be used to…

  • CWE-623 – Unsafe ActiveX Control Marked Safe For Scripting

    Description An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting. This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control’s behavior. Modes of Introduction: – Architecture and Design     Related Weaknesses…

  • CWE-624 – Executable Regular Expression Error

    Description The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers. Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later…

  • CWE-625 – Permissive Regular Expression

    Description The product uses a regular expression that does not sufficiently restrict the set of allowed values. Modes of Introduction: – Implementation     Related Weaknesses CWE-185 CWE-187 CWE-184 CWE-183   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Implementation Description:  When applicable, ensure that the regular expression marks beginning and ending string…

  • CWE-626 – Null Byte Interaction Error (Poison Null Byte)

    Description The product does not properly handle null bytes or NUL characters when passing data between different representations or components. Modes of Introduction: – Implementation     Related Weaknesses CWE-147 CWE-436   Consequences Integrity: Unexpected State   Potential Mitigations Phase: Implementation Description:  Remove null bytes from all incoming strings. CVE References CVE-2005-4155 NUL byte bypasses…

  • CWE-627 – Dynamic Variable Evaluation

    Description In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions. The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data…

  • CWE-628 – Function Call with Incorrectly Specified Arguments

    Description The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. Modes of Introduction: – Implementation     Related Weaknesses CWE-573   Consequences Other, Access Control: Quality Degradation, Gain Privileges or Assume Identity This weakness can cause unintended behavior and can lead to…

  • CWE-636 – Not Failing Securely (‘Failing Open’)

    Description When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. By entering a less secure state, the product inherits the…

  • CWE-637 – Unnecessary Complexity in Protection Mechanism (Not Using ‘Economy of Mechanism’)

    Description The software uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. Security mechanisms should be as simple as possible. Complex security mechanisms may engender partial implementations and compatibility problems, with resulting mismatches in assumptions and implemented security. A…

  • CWE-638 – Not Using Complete Mediation

    Description The software does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity’s rights or privileges change over time. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-657 CWE-862   Consequences Integrity, Confidentiality, Availability, Access Control, Other:…

  • CWE-639 – Authorization Bypass Through User-Controlled Key

    Description The system’s authorization functionality does not prevent one user from gaining access to another user’s data or record by modifying the key value identifying the data. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-863 CWE-863 CWE-284   Consequences Access Control: Bypass Protection Mechanism Access control checks…

  • CWE-64 – Windows Shortcut Following (.LNK)

    Description The software, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. The shortcut (file with the .lnk extension) can permit an attacker…

  • CWE-640 – Weak Password Recovery Mechanism for Forgotten Password

    Description The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-287 CWE-287   Consequences Access Control: Gain Privileges or Assume Identity An attacker could gain unauthorized…

  • CWE-641 – Improper Restriction of Names for Files and Other Resources

    Description The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, it is possible that a script may get executed in…

  • CWE-642 – External Control of Critical State Data

    Description The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-668   Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity An attacker could potentially…

  • CWE-643 – Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)

    Description The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected…

  • CWE-644 – Improper Neutralization of HTTP Headers for Scripting Syntax

    Description The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-116   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code…

  • CWE-646 – Reliance on File Name or Extension of Externally-Supplied File

    Description The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. An application might use the file name or extension of…

  • CWE-602 – Client-Side Enforcement of Server-Side Security

    Description The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the…

  • CWE-603 – Use of Client-Side Authentication

    Description A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of…

  • CWE-605 – Multiple Binds to the Same Port

    Description When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. On most systems, a combination of setting the SO_REUSEADDR socket option, and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY.…

  • CWE-606 – Unchecked Input for Loop Condition

    Description The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. Modes of Introduction: – Implementation     Related Weaknesses CWE-1284 CWE-834   Consequences Availability: DoS: Resource Consumption (CPU)   Potential Mitigations Phase: Implementation Description:  Do not use…

  • CWE-607 – Public Static Final Field References Mutable Object

    Description A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. Modes of Introduction: – Implementation     Related Weaknesses CWE-471   Consequences Integrity: Modify Application Data   Potential Mitigations Phase: Implementation Description:  Protect mutable objects by making them…

  • CWE-608 – Struts: Non-private Field in ActionForm Class

    Description An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. Modes of Introduction: – Implementation     Related Weaknesses CWE-668   Consequences Integrity, Confidentiality: Modify Application Data, Read Application Data   Potential Mitigations Phase: Implementation Description:  Make all fields private. Use getter…

  • CWE-609 – Double-Checked Locking

    Description The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. Double-checked locking refers to the situation where a programmer checks to see if a resource has been initialized, grabs a lock, checks again to see if the resource has been initialized, and then performs…

  • CWE-61 – UNIX Symbolic Link (Symlink) Following

    Description The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink)…

  • CWE-610 – Externally Controlled Reference to a Resource in Another Sphere

    Description The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-664   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations CVE References

  • CWE-611 – Improper Restriction of XML External Entity Reference

    Description The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Modes of Introduction: – Implementation     Related Weaknesses CWE-610 CWE-610 CWE-441   Consequences Confidentiality: Read Application Data, Read Files…

  • CWE-612 – Improper Authorization of Index Containing Sensitive Information

    Description The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index’s results are…

  • CWE-613 – Insufficient Session Expiration

    Description According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.” Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-672 CWE-672 CWE-287   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Implementation Description:  Set sessions/credentials expiration…

  • CWE-614 – Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

    Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Modes of Introduction: – Implementation     Related Weaknesses CWE-311   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Implementation Description:  Always set the secure…

  • CWE-615 – Inclusion of Sensitive Information in Source Code Comments

    Description While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. An attacker who finds these comments can map the application’s structure and files, expose hidden…

  • CWE-616 – Incomplete Identification of Uploaded File Variables (PHP)

    Description The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. These global variables could be overwritten by POST requests, cookies, or other…

  • CWE-617 – Reachable Assertion

    Description The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Modes of Introduction: – Implementation     Related Weaknesses CWE-670 CWE-670   Consequences Availability: DoS: Crash, Exit, or Restart An attacker that can trigger…

  • CWE-618 – Exposed Unsafe ActiveX Method

    Description An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser’s security model (e.g. the zone or domain). ActiveX controls can exercise far greater control over the operating system than typical Java or javascript. Exposed methods can be subject to…

  • CWE-619 – Dangling Database Cursor (‘Cursor Injection’)

    Description If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor “dangling.” For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor’s role, but SQL injection attacks…

  • CWE-62 – UNIX Hard Link

    Description The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. Failure for a system to check for…

  • CWE-620 – Unverified Password Change

    Description When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user. Modes of Introduction: – Architecture and Design    …

  • CWE-584 – Return Inside Finally Block

    Description The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. Modes of Introduction: – Implementation     Related Weaknesses CWE-705   Consequences Other: Alter Execution Logic   Potential Mitigations Phase: Implementation Description:  Do not use a return statement inside the finally…

  • CWE-585 – Empty Synchronized Block

    Description The software contains an empty synchronized block. An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block. Modes of Introduction: – Implementation  …

  • CWE-586 – Explicit Call to Finalize()

    Description The software makes an explicit call to the finalize() method from outside the finalizer. While the Java Language Specification allows an object’s finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first…

  • CWE-587 – Assignment of a Fixed Address to a Pointer

    Description The software sets a pointer to a specific address other than NULL or 0. Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-344 CWE-758   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized…

  • CWE-588 – Attempt to Access Child of a Non-structure Pointer

    Description Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-704 CWE-758   Consequences Integrity: Modify Memory Adjacent variables in memory may be corrupted by assignments performed on fields after the cast.…

  • CWE-589 – Call to Non-ubiquitous API

    Description The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences. Some functions that offer security features supported by the OS are not available on all versions of the OS in common use.…

  • CWE-59 – Improper Link Resolution Before File Access (‘Link Following’)

    Description The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Soft links are a UNIX term that is synonymous with simple shortcuts on windows based platforms. Modes of Introduction: – Implementation   Likelihood…

  • CWE-590 – Free of Memory not on the Heap

    Description The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). When free() is called on an invalid pointer, the program’s memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an…

  • CWE-591 – Sensitive Data Storage in Improperly Locked Memory

    Description The application stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. On Windows systems the VirtualLock function can lock a…

  • CWE-592 – DEPRECATED: Authentication Bypass Issues

    Description This weakness has been deprecated because it covered redundant concepts already described in CWE-287. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-593 – Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

    Description The software modifies the SSL context after connection creation has begun. If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change. Modes of Introduction: – Architecture and Design     Related…

  • CWE-594 – J2EE Framework: Saving Unserializable Objects to Disk

    Description When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully. In heavy load conditions, most J2EE application frameworks flush objects to disk to manage memory requirements of incoming requests. For example, session scoped objects, and even application scoped objects, are written to disk…

  • CWE-595 – Comparison of Object References Instead of Object Contents

    Description The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. For example, in Java, comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values; often, this means that using == for strings is actually comparing the strings’…

  • CWE-596 – DEPRECATED: Incorrect Semantic Object Comparison

    Description This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-597 – Use of Wrong Operator in String Comparison

    Description The product uses the wrong operator when comparing a string, such as using “==” when the .equals() method should be used instead. In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references…

  • CWE-598 – Use of GET Request Method With Sensitive Query Strings

    Description The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. The query string for the URL could be saved in the browser’s history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If…

  • CWE-599 – Missing Validation of OpenSSL Certificate

    Description The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if…

  • CWE-6 – J2EE Misconfiguration: Insufficient Session-ID Length

    Description The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take over the user’s session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess…

CWE-669 – Incorrect Resource Transfer Between Spheres

Read Time:49 Second

Description

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for “administrators” who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be “users who are authenticated to the operating system on which the product is installed.” Each sphere has different sets of actors and allowable behaviors.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Unexpected State

 

Potential Mitigations

CVE References

CWE-67 – Improper Handling of Windows Device Names

Read Time:2 Minute, 22 Second

Description

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-66

 

Consequences

Availability, Confidentiality, Other: DoS: Crash, Exit, or Restart, Read Application Data, Other

 

Potential Mitigations

Phase: Implementation

Description: 

Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.

CVE References

  • CVE-2002-0106
    • Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
  • CVE-2002-0200
    • Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
  • CVE-2002-1052
    • Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
  • CVE-2001-0493
    • Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
  • CVE-2001-0558
    • Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.
  • CVE-2000-0168
    • Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the “DOS Device in Path Name” vulnerability.
  • CVE-2001-0492
    • Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
  • CVE-2004-0552
    • Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
  • CVE-2005-2195
    • Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.

CWE-670 – Always-Incorrect Control Flow Implementation

Read Time:49 Second

Description

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-691

 

Consequences

Other: Other, Alter Execution Logic

 

Potential Mitigations

CVE References

  • CVE-2021-3011
    • virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code

CWE-671 – Lack of Administrator Control over Security

Read Time:39 Second

Description

The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

If the product’s administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats – including the product’s developer – can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-657

 

Consequences

Other: Varies by Context

 

Potential Mitigations

CVE References

CWE-672 – Operation on a Resource after Expiration or Release

Read Time:41 Second

Description

The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-666

 

Consequences

Integrity, Confidentiality: Modify Application Data, Read Application Data

If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity.

Other, Availability: Other, DoS: Crash, Exit, or Restart

When a resource is released it might not be in an expected state, later attempts to access the resource may lead to resultant errors that may lead to a crash.

 

Potential Mitigations

CVE References

  • CVE-2009-3547
    • chain: race condition might allow resource to be released before operating on it, leading to NULL dereference

CWE-673 – External Influence of Sphere Definition

Read Time:22 Second

Description

The product does not prevent the definition of control spheres from external actors.

Typically, a product defines its control sphere within the code itself, or through configuration by the product’s administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664

 

Consequences

Other: Other

 

Potential Mitigations

CVE References

CWE-674 – Uncontrolled Recursion

Read Time:1 Minute, 29 Second

Description

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-691

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.

Confidentiality: Read Application Data

In some cases, an application’s interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP’s memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application’s installation path.

 

Potential Mitigations

Phase: Implementation

Effectiveness: Moderate

Description: 

Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Phase: Implementation

Effectiveness: Limited

Description: 

Increase the stack size.

Increasing the stack size might only be a temporary measure, since the stack typically is still not very large, and it might remain easy for attackers to cause an out-of-stack fault.

CVE References

  • CVE-2007-3409
    • Self-referencing pointers create infinite loop and resultant stack exhaustion.
  • CVE-2016-10707
    • Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition.
  • CVE-2016-3627
    • An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition.
  • CVE-2019-15118
    • USB-audio driver’s descriptor code parsing allows unlimited recursion leading to stack exhaustion.