All posts by rocco

Vulnerabilities of the TLS Protocol

Read Time:2 Minute, 6 Second

Secure Socket Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for secure online communication. They provide encryption and authentication between two applications over a network, ensuring the confidentiality and integrity of data transmitted between them.

However, SSL/TLS is not invulnerable, and over the years, several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant vulnerabilities is the POODLE attack, discovered in 2014, which affects the older versions of SSL/TLS. This vulnerability allows an attacker to exploit the way SSL/TLS handles padding in the encryption process, enabling them to read encrypted information, including sensitive information such as passwords and credit card numbers.

Another vulnerability is the BEAST attack, which exploits a vulnerability in the way SSL/TLS handles block ciphers in older versions of the protocol. This attack allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.

A third vulnerability is known as the DROWN attack, which can exploit weak encryption protocols such as SSLv2. The attack allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is now considered obsolete and no longer used, some older systems may still have it enabled, leaving them vulnerable to attack.

To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.

It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.

Another crucial step is to regularly update your TLS certificates, which verify the identity of the server you’re communicating with and ensure that your data is not intercepted by an attacker. TLS certificates have an expiration date, so it’s essential to keep them up to date to ensure maximum security.

Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.

By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.

CWE

Read Time:1 Minute, 11 Second

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities

The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • CWE-600 – Uncaught Exception in Servlet

    Description The Servlet does not catch all exceptions, which may reveal sensitive debugging information. When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a…

  • CWE-601 – URL Redirection to Untrusted Site (‘Open Redirect’)

    Description A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to…

  • CWE-565 – Reliance on Cookies without Validation and Integrity Checking

    Description The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and…

  • CWE-566 – Authorization Bypass Through User-Controlled SQL Primary Key

    Description The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-639   Consequences Confidentiality, Integrity, Access Control: Read Application…

  • CWE-567 – Unsynchronized Access to Shared Data in a Multithreaded Context

    Description The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-820 CWE-662 CWE-662 CWE-488   Consequences Confidentiality, Integrity, Availability: Read Application Data, Modify Application Data, DoS: Instability, DoS: Crash,…

  • CWE-568 – finalize() Method Without super.finalize()

    Description The software contains a finalize() method that does not call super.finalize(). The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize(). Modes of Introduction: – Implementation     Related Weaknesses CWE-573 CWE-459   Consequences Other: Quality Degradation   Potential Mitigations Phase: Implementation Description:  Call the super.finalize()…

  • CWE-57 – Path Equivalence: ‘fakedir/../realdir/filename’

    Description The software contains protection mechanisms to restrict access to ‘realdir/filename’, but it constructs pathnames using external input in the form of ‘fakedir/../realdir/filename’ that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file. Modes of Introduction: – Implementation     Related Weaknesses CWE-41   Consequences Confidentiality, Integrity:…

  • CWE-570 – Expression is Always False

    Description The software contains an expression that will always evaluate to false. Modes of Introduction: – Implementation     Related Weaknesses CWE-710 CWE-561   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations Phase: Testing Description:  Use Static Analysis tools to spot such conditions. CVE References

  • CWE-571 – Expression is Always True

    Description The software contains an expression that will always evaluate to true. Modes of Introduction: – Implementation     Related Weaknesses CWE-710 CWE-561   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations Phase: Testing Description:  Use Static Analysis tools to spot such conditions. CVE References

  • CWE-572 – Call to Thread run() instead of start()

    Description The program calls a thread’s run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. In most cases a direct call to a Thread object’s run() method is a bug. The programmer intended to begin a new thread of control, but accidentally…

  • CWE-573 – Improper Following of Specification by Caller

    Description The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. When leveraging external functionality, such as an API, it is important that the caller does so in accordance with the requirements of the external functionality or else unintended behaviors may result, possibly leaving…

  • CWE-574 – EJB Bad Practices: Use of Synchronization Primitives

    Description The program violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline:…

  • CWE-575 – EJB Bad Practices: Use of AWT Swing

    Description The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: “An enterprise…

  • CWE-576 – EJB Bad Practices: Use of Java I/O

    Description The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline:…

  • CWE-577 – EJB Bad Practices: Use of Sockets

    Description The program violates the Enterprise JavaBeans (EJB) specification by using sockets. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: “An enterprise…

  • CWE-578 – EJB Bad Practices: Use of Class Loader

    Description The program violates the Enterprise JavaBeans (EJB) specification by using the class loader. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline:…

  • CWE-579 – J2EE Bad Practices: Non-serializable Object Stored in Session

    Description The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability. A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate an HttpSession…

  • CWE-58 – Path Equivalence: Windows 8.3 Filename

    Description The software contains a protection mechanism that restricts access to a long filename on a Windows operating system, but the software does not properly restrict access to the equivalent short “8.3” filename. On later Windows operating systems, a file can have a “long name” and a short name that is compatible with older Windows…

  • CWE-580 – clone() Method Without super.clone()

    Description The software contains a clone() method that does not call super.clone() to obtain the new object. All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass’s clone() method will return an object of the wrong type. Modes of Introduction: – Implementation  …

  • CWE-581 – Object Model Violation: Just One of Equals and Hashcode Defined

    Description The software does not maintain equal hashcodes for equal objects. Java objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.equals(b) == true then a.hashCode() == b.hashCode(). Modes of Introduction: – Implementation     Related…

  • CWE-582 – Array Declared Public, Final, and Static

    Description The program declares an array public, final, and static, which is not sufficient to prevent the array’s contents from being modified. Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is…

  • CWE-583 – finalize() Method Declared Public

    Description The program violates secure coding principles for mobile code by declaring a finalize() method public. A program should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously…

  • CWE-545 – DEPRECATED: Use of Dynamic Class Loading

    Description This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integrated into other entries. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-546 – Suspicious Comment

    Description The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance…

  • CWE-547 – Use of Hard-coded, Security-relevant Constants

    Description The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. If the developer does not find all occurrences of the hard-coded constants, an incorrect policy decision may be made if one of the constants is not changed. Making changes…

  • CWE-548 – Exposure of Information Through Directory Listing

    Description A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible. Modes of Introduction: – Implementation     Related Weaknesses…

  • CWE-549 – Missing Password Field Masking

    Description The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords. Modes of Introduction: – Implementation     Related Weaknesses CWE-522   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Implementation, Requirements Description:  Recommendations include requiring all password fields in your web application be masked…

  • CWE-55 – Path Equivalence: ‘/./’ (Single Dot Directory)

    Description A software system that accepts path input in the form of single dot directory exploit (‘/./’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41   Consequences Confidentiality,…

  • CWE-550 – Server-generated Error Message Containing Sensitive Information

    Description Certain conditions, such as network failure, will cause a server error message to be displayed. While error messages in and of themselves are not dangerous, per se, it is what an attacker can glean from them that might cause eventual problems. Modes of Introduction: – Implementation     Related Weaknesses CWE-209   Consequences Confidentiality:…

  • CWE-551 – Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

    Description If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be…

  • CWE-552 – Files or Directories Accessible to External Parties

    Description The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a “root” directory that is accessible to the server’s users. Applications may store sensitive files underneath this root without also using access control to…

  • CWE-553 – Command Shell in Externally Accessible Directory

    Description A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server. Modes of Introduction: – Implementation     Related Weaknesses CWE-552   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands   Potential Mitigations Phase: Installation,…

  • CWE-554 – ASP.NET Misconfiguration: Not Using Input Validation Framework

    Description The ASP.NET application does not use an input validation framework. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-1173   Consequences Integrity: Unexpected State Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.   Potential Mitigations Phase: Architecture and Design Description:  CVE References

  • CWE-555 – J2EE Misconfiguration: Plaintext Password in Configuration File

    Description The J2EE application stores a plaintext password in a configuration file. Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-260   Consequences Access Control:…

  • CWE-556 – ASP.NET Misconfiguration: Use of Identity Impersonation

    Description Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges. The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration. Modes of Introduction: – Implementation    …

  • CWE-558 – Use of getlogin() in Multithreaded Application

    Description The application uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents…

  • CWE-56 – Path Equivalence: ‘filedir*’ (Wildcard)

    Description A software system that accepts path input in the form of asterisk wildcard (‘filedir*’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-155   Consequences Confidentiality, Integrity:…

  • CWE-560 – Use of umask() with chmod-style Argument

    Description The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). Modes of Introduction: – Implementation     Related Weaknesses CWE-687   Consequences Confidentiality, Integrity, Access Control: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism   Potential Mitigations Phase: Implementation Description:  Use umask()…

  • CWE-561 – Dead Code

    Description The software contains dead code, which can never be executed. Dead code is source code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed. Modes of Introduction: – Implementation     Related Weaknesses CWE-1164   Consequences Other: Quality Degradation…

  • CWE-562 – Return of Stack Variable Address

    Description A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use…

  • CWE-563 – Assignment to Variable without Use

    Description The variable’s value is assigned but never used, making it a dead store. After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug. Modes of Introduction: –…

  • CWE-564 – SQL Injection: Hibernate

    Description Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-89 CWE-89 CWE-89   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations…

  • CWE-527 – Exposure of Version-Control Repository to an Unauthorized Control Sphere

    Description The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added…

  • CWE-528 – Exposure of Core Dump File to an Unauthorized Control Sphere

    Description The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. Modes of Introduction: – Operation     Related Weaknesses CWE-552   Consequences Confidentiality: Read Application Data, Read Files or Directories   Potential Mitigations Phase: System Configuration Description:  Protect the…

  • CWE-529 – Exposure of Access Control List Files to an Unauthorized Control Sphere

    Description The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere. Exposure of these access control list files may give the attacker information about the configuration of the site or system. This information may then be used to bypass the intended…

  • CWE-53 – Path Equivalence: ‘multiple\internalbackslash’

    Description A software system that accepts path input in the form of multiple internal backslash (‘multipletrailing\slash’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-165   Consequences Confidentiality,…

  • CWE-530 – Exposure of Backup File to an Unauthorized Control Sphere

    Description A backup file is stored in a directory or archive that is made accessible to unauthorized actors. Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can…

  • CWE-531 – Inclusion of Sensitive Information in Test Code

    Description Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. Modes of Introduction: – Testing     Related Weaknesses CWE-540   Consequences Confidentiality: Read…

  • CWE-532 – Insertion of Sensitive Information into Log File

    Description Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-538 CWE-200   Consequences Confidentiality: Read Application Data Logging sensitive user data often provides attackers with…

  • CWE-533 – DEPRECATED: Information Exposure Through Server Log Files

    Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-534 – DEPRECATED: Information Exposure Through Debug Log Files

    Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-535 – Exposure of Information Through Shell Error Message

    Description A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-211   Consequences Confidentiality:…

  • CWE-536 – Servlet Runtime Error Message Containing Sensitive Information

    Description A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. Modes of Introduction: – Implementation     Related Weaknesses CWE-211   Consequences Confidentiality: Read Application Data The error message may contain the location of the file in which the offending…

  • CWE-537 – Java Runtime Error Message Containing Sensitive Information

    Description In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. Modes of Introduction: – Implementation     Related Weaknesses CWE-211   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Implementation Description:  Do not expose sensitive error information to the user.…

  • CWE-538 – Insertion of Sensitive Information into Externally-Accessible File or Directory

    Description The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. Modes of Introduction: – Implementation     Related Weaknesses CWE-200   Consequences Confidentiality: Read Files or Directories   Potential Mitigations Phase: Architecture and Design, Operation,…

  • CWE-539 – Use of Persistent Cookies Containing Sensitive Information

    Description The web application uses persistent cookies, but the cookies contain sensitive information. Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is…

  • CWE-54 – Path Equivalence: ‘filedir’ (Trailing Backslash)

    Description A software system that accepts path input in the form of trailing backslash (‘filedir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-162   Consequences Confidentiality, Integrity:…

  • CWE-540 – Inclusion of Sensitive Information in Source Code

    Description Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the…

  • CWE-541 – Inclusion of Sensitive Information in an Include File

    Description If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. Modes of Introduction: – Implementation     Related Weaknesses CWE-540   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and Design Description:  Do not store sensitive information…

  • CWE-542 – DEPRECATED: Information Exposure Through Cleanup Log Files

    Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-543 – Use of Singleton Pattern Without Synchronization in a Multithreaded Context

    Description The software uses the singleton pattern when creating a resource within a multithreaded environment. The use of a singleton pattern may not be thread-safe. Modes of Introduction: – Implementation     Related Weaknesses CWE-820 CWE-662 CWE-662   Consequences Other, Integrity: Other, Modify Application Data   Potential Mitigations Phase: Architecture and Design Description:  Use the…

  • CWE-544 – Missing Standardized Error Handling Mechanism

    Description The software does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses. If the application handles error messages individually, on a one-by-one basis, this is likely to result in inconsistent error handling. The causes of errors may be lost. Also, detailed information about…

  • CWE-502 – Deserialization of Untrusted Data

    Description The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred (“serialization”), then extracting the serialized data to reconstruct the original object (“deserialization”).…

  • CWE-506 – Embedded Malicious Code

    Description The application contains code that appears to be malicious in nature. Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. It generally refers to…

  • CWE-507 – Trojan Horse

    Description The software appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator. Modes of Introduction: – Implementation     Related Weaknesses CWE-506   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands  …

  • CWE-508 – Non-Replicating Malicious Code

    Description Non-replicating malicious code only resides on the target system or software that is attacked; it does not attempt to spread to other systems. Modes of Introduction: – Implementation     Related Weaknesses CWE-507   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands   Potential Mitigations Phase: Operation Description:  Antivirus software can help mitigate…

  • CWE-509 – Replicating Malicious Code (Virus or Worm)

    Description Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software. Modes of Introduction: – Implementation     Related Weaknesses CWE-507   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands   Potential Mitigations Phase: Operation Description:  Antivirus software scans for viruses…

  • CWE-51 – Path Equivalence: ‘/multiple//internal/slash’

    Description A software system that accepts path input in the form of multiple internal slash (‘/multiple//internal/slash/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41   Consequences Confidentiality, Integrity:…

  • CWE-510 – Trapdoor

    Description A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-506   Consequences Confidentiality, Integrity, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection…

  • CWE-511 – Logic/Time Bomb

    Description The software contains code that is designed to disrupt the legitimate operation of the software (or its environment) when a certain time passes, or when a certain logical condition is met. When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical…

  • CWE-512 – Spyware

    Description The software collects personally identifiable information about a human user or the user’s activities, but the software accesses this information using other resources besides itself, and it does not require that user’s explicit approval or direct input into the software. “Spyware” is a commonly used term with many definitions and interpretations. In general, it…

  • CWE-514 – Covert Channel

    Description A covert channel is a path that can be used to transfer information in a way not intended by the system’s designers. Typically the system has not given authorization for the transmission and has no knowledge of its occurrence. Modes of Introduction: – Implementation     Related Weaknesses CWE-1229   Consequences Confidentiality, Access Control:…

  • CWE-515 – Covert Storage Channel

    Description A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information. Covert storage channels occur when out-of-band data is stored in messages for the…

  • CWE-516 – DEPRECATED: Covert Timing Channel

    Description This weakness can be found at CWE-385. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-52 – Path Equivalence: ‘/multiple/trailing/slash//’

    Description A software system that accepts path input in the form of multiple trailing slash (‘/multiple/trailing/slash//’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-163 CWE-289   Consequences…

  • CWE-520 – .NET Misconfiguration: Use of Impersonation

    Description Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. .NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to bypass authentication…

  • CWE-521 – Weak Password Requirements

    Description The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be…

  • CWE-522 – Insufficiently Protected Credentials

    Description The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-287 CWE-287 CWE-668   Consequences Access Control: Gain Privileges or Assume Identity An attacker could gain access to user accounts and access…

  • CWE-523 – Unprotected Transport of Credentials

    Description Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. SSL (Secure Socket Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects from attackers eavesdropping or altering message contents. Modes of Introduction: – Architecture…

  • CWE-524 – Use of Cache Containing Sensitive Information

    Description The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or…

  • CWE-525 – Use of Web Browser Cache Containing Sensitive Information

    Description The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. Modes of Introduction: – Implementation     Related Weaknesses CWE-524   Consequences Confidentiality: Read Application Data Browsers often store information in a client-side cache, which can leave behind…

  • CWE-526 – Exposure of Sensitive Information Through Environmental Variables

    Description Environmental variables may contain sensitive information about a remote server. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-497   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and Design Description:  Protect information stored in environment variable from being exposed to the user. CVE References

  • CWE-483 – Incorrect Block Delimitation

    Description The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in…

  • CWE-484 – Omitted Break Statement in Switch

    Description The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. This can lead to critical code executing in situations where it should not. Modes of Introduction: – Implementation…

  • CWE-486 – Comparison of Classes by Name

    Description The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the…

  • CWE-487 – Reliance on Package-level Scope

    Description Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature. Modes of Introduction: – Implementation   Likelihood of Exploit: Medium…

  • CWE-488 – Exposure of Data Element to Wrong Session

    Description The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. Modes of Introduction: – Implementation     Related Weaknesses CWE-668   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and Design Description:  Protect the application’s sessions from…

  • CWE-489 – Active Debug Code

    Description The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These…

  • CWE-49 – Path Equivalence: ‘filename/’ (Trailing Slash)

    Description A software system that accepts path input in the form of trailing slash (‘filedir/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-162   Consequences Confidentiality, Integrity:…

  • CWE-491 – Public cloneable() Method Without Final (‘Object Hijack’)

    Description A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. Modes of Introduction: – Implementation     Related Weaknesses CWE-668   Consequences Integrity, Other: Unexpected State, Varies by Context   Potential…

  • CWE-492 – Use of Inner Class Containing Sensitive Data

    Description Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers. Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be…

  • CWE-493 – Critical Public Variable Without Final Modifier

    Description The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead…

  • CWE-494 – Download of Code Without Integrity Check

    Description The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit. Modes of Introduction: – Architecture and Design  …

  • CWE-495 – Private Data Structure Returned From A Public Method

    Description The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. Modes of Introduction: – Implementation     Related Weaknesses CWE-664   Consequences Integrity: Modify Application Data The contents of the data structure can be modified from outside the…

  • CWE-496 – Public Data Assigned to Private Array-Typed Field

    Description Assigning public data to a private array is equivalent to giving public access to the array. Modes of Introduction: – Implementation     Related Weaknesses CWE-664   Consequences Integrity: Modify Application Data The contents of the array can be modified from outside the intended scope.   Potential Mitigations Phase: Implementation Description:  Do not allow…

  • CWE-497 – Exposure of Sensitive System Information to an Unauthorized Control Sphere

    Description The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. Modes of Introduction: – Implementation     Related Weaknesses CWE-200   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and…

  • CWE-498 – Cloneable Class Containing Sensitive Information

    Description The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running the constructor.…

  • CWE-499 – Serializable Class Containing Sensitive Data

    Description The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other…

  • CWE-5 – J2EE Misconfiguration: Data Transmission Without Encryption

    Description Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. Modes of Introduction: – Implementation     Related Weaknesses CWE-319   Consequences Confidentiality: Read Application Data Integrity: Modify Application Data  …

  • CWE-50 – Path Equivalence: ‘//multiple/leading/slash’

    Description A software system that accepts path input in the form of multiple leading slash (‘//multiple/leading/slash’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-161   Consequences Confidentiality,…

CWE-669 – Incorrect Resource Transfer Between Spheres

Read Time:49 Second

Description

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for “administrators” who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be “users who are authenticated to the operating system on which the product is installed.” Each sphere has different sets of actors and allowable behaviors.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Unexpected State

 

Potential Mitigations

CVE References

CWE-67 – Improper Handling of Windows Device Names

Read Time:2 Minute, 22 Second

Description

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-66

 

Consequences

Availability, Confidentiality, Other: DoS: Crash, Exit, or Restart, Read Application Data, Other

 

Potential Mitigations

Phase: Implementation

Description: 

Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.

CVE References

  • CVE-2002-0106
    • Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
  • CVE-2002-0200
    • Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
  • CVE-2002-1052
    • Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
  • CVE-2001-0493
    • Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
  • CVE-2001-0558
    • Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.
  • CVE-2000-0168
    • Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the “DOS Device in Path Name” vulnerability.
  • CVE-2001-0492
    • Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
  • CVE-2004-0552
    • Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
  • CVE-2005-2195
    • Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.

CWE-670 – Always-Incorrect Control Flow Implementation

Read Time:49 Second

Description

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-691

 

Consequences

Other: Other, Alter Execution Logic

 

Potential Mitigations

CVE References

  • CVE-2021-3011
    • virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code

CWE-671 – Lack of Administrator Control over Security

Read Time:39 Second

Description

The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

If the product’s administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats – including the product’s developer – can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-657

 

Consequences

Other: Varies by Context

 

Potential Mitigations

CVE References

CWE-672 – Operation on a Resource after Expiration or Release

Read Time:41 Second

Description

The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-666

 

Consequences

Integrity, Confidentiality: Modify Application Data, Read Application Data

If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity.

Other, Availability: Other, DoS: Crash, Exit, or Restart

When a resource is released it might not be in an expected state, later attempts to access the resource may lead to resultant errors that may lead to a crash.

 

Potential Mitigations

CVE References

  • CVE-2009-3547
    • chain: race condition might allow resource to be released before operating on it, leading to NULL dereference

CWE-673 – External Influence of Sphere Definition

Read Time:22 Second

Description

The product does not prevent the definition of control spheres from external actors.

Typically, a product defines its control sphere within the code itself, or through configuration by the product’s administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664

 

Consequences

Other: Other

 

Potential Mitigations

CVE References

CWE-674 – Uncontrolled Recursion

Read Time:1 Minute, 29 Second

Description

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-691

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.

Confidentiality: Read Application Data

In some cases, an application’s interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP’s memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application’s installation path.

 

Potential Mitigations

Phase: Implementation

Effectiveness: Moderate

Description: 

Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Phase: Implementation

Effectiveness: Limited

Description: 

Increase the stack size.

Increasing the stack size might only be a temporary measure, since the stack typically is still not very large, and it might remain easy for attackers to cause an out-of-stack fault.

CVE References

  • CVE-2007-3409
    • Self-referencing pointers create infinite loop and resultant stack exhaustion.
  • CVE-2016-10707
    • Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition.
  • CVE-2016-3627
    • An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition.
  • CVE-2019-15118
    • USB-audio driver’s descriptor code parsing allows unlimited recursion leading to stack exhaustion.