All posts by rocco

Education

Vulnerabilities of the TLS Protocol

Read Time:2 Minute, 6 Second

Secure Socket Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for secure online communication. They provide encryption and authentication between two applications over a network, ensuring the confidentiality and integrity of data transmitted between them.

However, SSL/TLS is not invulnerable, and over the years, several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant vulnerabilities is the POODLE attack, discovered in 2014, which affects the older versions of SSL/TLS. This vulnerability allows an attacker to exploit the way SSL/TLS handles padding in the encryption process, enabling them to read encrypted information, including sensitive information such as passwords and credit card numbers.

Another vulnerability is the BEAST attack, which exploits a vulnerability in the way SSL/TLS handles block ciphers in older versions of the protocol. This attack allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.

A third vulnerability is known as the DROWN attack, which can exploit weak encryption protocols such as SSLv2. The attack allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is now considered obsolete and no longer used, some older systems may still have it enabled, leaving them vulnerable to attack.

To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.

It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.

Another crucial step is to regularly update your TLS certificates, which verify the identity of the server you’re communicating with and ensure that your data is not intercepted by an attacker. TLS certificates have an expiration date, so it’s essential to keep them up to date to ensure maximum security.

Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.

By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.

CWE, Education

CWE

Read Time:1 Minute, 11 Second

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities

The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • CWE-297 – Improper Validation of Certificate with Host Mismatch

    Description The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-923 CWE-295   Consequences Access Control: Gain Privileges or Assume Identity The data…

  • CWE-298 – Improper Validation of Certificate Expiration

    Description A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all…

  • CWE-26 – Path Traversal: ‘/dir/../filename’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “/dir/../filename” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files or Directories,…

  • CWE-260 – Password in Configuration File

    Description The software stores a password in a configuration file that might be accessible to actors who do not know the password. This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password…

  • CWE-261 – Weak Encoding for Password

    Description Obscuring a password with a trivial encoding does not protect the password. Password management issues occur when a password is stored in plaintext in an application’s properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but…

  • CWE-262 – Not Using Password Aging

    Description If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner. Security experts have often recommended that users change their passwords regularly and avoid reusing passwords. Although this can be an effective mitigation, if the expiration window is too short, it can cause…

  • CWE-263 – Password Aging with Long Expiration

    Description Allowing password aging to occur unchecked can result in the possibility of diminished password integrity. Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with…

  • CWE-266 – Incorrect Privilege Assignment

    Description A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-269 CWE-286   Consequences Access Control: Gain Privileges or Assume Identity A user can access restricted functionality and/or sensitive information that may include administrative…

  • CWE-267 – Privilege Defined With Unsafe Actions

    Description A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-269   Consequences Access Control: Gain Privileges or Assume Identity A user can access restricted functionality…

  • CWE-268 – Privilege Chaining

    Description Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-269   Consequences Access Control: Gain Privileges or Assume Identity…

  • CWE-269 – Improper Privilege Management

    Description The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-284   Consequences Access Control: Gain Privileges or Assume Identity   Potential Mitigations Phase: Architecture and…

  • CWE-27 – Path Traversal: ‘dir/../../filename’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal “../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files…

  • CWE-270 – Privilege Context Switching Error

    Description The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-269   Consequences Access Control: Gain Privileges or Assume Identity A user can assume the identity of another user with separate…

  • CWE-271 – Privilege Dropping / Lowering Errors

    Description The software does not drop privileges before passing control of a resource to an actor that does not have those privileges. In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread…

  • CWE-272 – Least Privilege Violation

    Description The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-271   Consequences Access Control, Confidentiality: Gain Privileges or Assume Identity, Read Application Data, Read Files or Directories An attacker may be able…

  • CWE-273 – Improper Check for Dropped Privileges

    Description The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users. In Windows based environments that have access control, impersonation is used so that…

  • CWE-274 – Improper Handling of Insufficient Privileges

    Description The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-703 CWE-269 CWE-271 CWE-280   Consequences Other: Other, Alter Execution Logic   Potential Mitigations CVE References CVE-2001-1564 System limits are not properly…

  • CWE-276 – Incorrect Default Permissions

    Description During installation, installed file permissions are set to allow anyone to modify those files. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-732 CWE-732   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations Phase: Architecture and Design, Operation Description:  The architecture needs to…

  • CWE-277 – Insecure Inherited Permissions

    Description A product defines a set of insecure permissions that are inherited by objects that are created by the program. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-732   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations Phase: Architecture and Design, Operation Description:  Very carefully manage the…

  • CWE-278 – Insecure Preserved Inherited Permissions

    Description A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-732   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations Phase: Architecture and Design, Operation Description: …

  • CWE-279 – Incorrect Execution-Assigned Permissions

    Description While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. Modes of Introduction: – Implementation     Related Weaknesses CWE-732   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations Phase: Architecture and Design,…

  • CWE-28 – Path Traversal: ‘..filedir’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “..” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files or Directories,…

  • CWE-239 – Failure to Handle Incomplete Element

    Description The software does not properly handle when a particular element is not completely specified. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-237 CWE-404   Consequences Integrity, Other: Varies by Context, Unexpected State   Potential Mitigations CVE References CVE-2002-1532 HTTP GET without rnrn CRLF sequences causes product to wait indefinitely and…

  • CWE-24 – Path Traversal: ‘../filedir’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files…

  • CWE-240 – Improper Handling of Inconsistent Structural Elements

    Description The software does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-237 CWE-707   Consequences Integrity, Other: Varies by Context, Unexpected State   Potential Mitigations CVE References

  • CWE-241 – Improper Handling of Unexpected Data Type

    Description The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-228   Consequences Integrity, Other: Varies by Context, Unexpected State   Potential Mitigations…

  • CWE-242 – Use of Inherently Dangerous Function

    Description The program calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of…

  • CWE-243 – Creation of chroot Jail Without Changing Working Directory

    Description The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. Improper use of chroot() may allow attackers to escape from the chroot jail. The chroot() function call does not change the process’s current working…

  • CWE-244 – Improper Clearing of Heap Memory Before Release (‘Heap Inspection’)

    Description Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a “heap inspection” attack that reads…

  • CWE-245 – J2EE Bad Practices: Direct Management of Connections

    Description The J2EE application directly manages connections, instead of using the container’s connection management facilities. The J2EE standard forbids the direct management of connections. It requires that applications use the container’s resource management facilities to obtain connections to resources. Every major web application container provides pooled database connection management as part of its resource management…

  • CWE-246 – J2EE Bad Practices: Direct Use of Sockets

    Description The J2EE application directly uses sockets instead of using framework method calls. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-695   Consequences Other: Quality Degradation   Potential Mitigations Phase: Architecture and Design Description:  Use framework method calls instead of using sockets directly. CVE References

  • CWE-247 – DEPRECATED: Reliance on DNS Lookups in a Security Decision

    Description This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-248 – Uncaught Exception

    Description An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information. Modes of Introduction: – Implementation     Related Weaknesses CWE-705 CWE-703 CWE-703 CWE-703   Consequences Availability, Confidentiality: DoS: Crash, Exit, or Restart, Read Application Data…

  • CWE-249 – DEPRECATED: Often Misused: Path Manipulation

    Description This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the “path manipulation” term and the description. The original description for this entry was the same…

  • CWE-25 – Path Traversal: ‘/../filedir’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “/../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files or Directories,…

  • CWE-250 – Execution with Unnecessary Privileges

    Description The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. Modes of Introduction: – Implementation   Likelihood of Exploit: Medium   Related Weaknesses CWE-657 CWE-269   Consequences Confidentiality, Integrity, Availability, Access Control: Gain Privileges or Assume…

  • CWE-252 – Unchecked Return Value

    Description The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. Two common programmer assumptions are “this function call can never fail” and “it doesn’t matter if this function call fails”. If an attacker can force the function to fail or otherwise…

  • CWE-253 – Incorrect Check of Function Return Value

    Description The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function. Modes of Introduction: –…

  • CWE-256 – Plaintext Storage of a Password

    Description Storing a password in plaintext may result in a system compromise. Password management issues occur when a password is stored in plaintext in an application’s properties, configuration file, or memory. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource. In some contexts, even…

  • CWE-257 – Storing Passwords in a Recoverable Format

    Description The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system…

  • CWE-258 – Empty Password in Configuration File

    Description Using an empty string as a password is insecure. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-260 CWE-521   Consequences Access Control: Gain Privileges or Assume Identity   Potential Mitigations Phase: System Configuration Description:  Passwords should be at least eight characters long — the longer the…

  • CWE-259 – Use of Hard-coded Password

    Description The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. Modes of Introduction: – Implementation   Likelihood of Exploit: High   Related Weaknesses CWE-798 CWE-798 CWE-798 CWE-321 CWE-257   Consequences Access Control: Gain Privileges or Assume Identity If hard-coded passwords are used, it…

  • CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

    Description The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted…

  • CWE-220 – Storage of File With Sensitive Data Under FTP Root

    Description The application stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties. Various Unix FTP servers require a password file that is under the FTP root, due to use of chroot. Modes of Introduction: – Operation     Related Weaknesses CWE-552   Consequences Confidentiality:…

  • CWE-221 – Information Loss or Omission

    Description The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-664   Consequences Non-Repudiation:…

  • CWE-222 – Truncation of Security-relevant Information

    Description The application truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-221   Consequences Non-Repudiation: Hide Activities The source of an attack will be difficult or impossible to determine. This…

  • CWE-223 – Omission of Security-relevant Information

    Description The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-221   Consequences Non-Repudiation: Hide Activities The source of an attack will be difficult or…

  • CWE-224 – Obscured Security-relevant Information by Alternate Name

    Description The software records security-relevant information according to an alternate name of the affected entity, instead of the canonical name. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-221   Consequences Non-Repudiation, Access Control: Hide Activities, Gain Privileges or Assume Identity   Potential Mitigations CVE References CVE-2002-0725 Attacker performs malicious actions on…

  • CWE-225 – DEPRECATED: General Information Management Problems

    Description This weakness can be found at CWE-199. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-226 – Sensitive Information in Resource Not Removed Before Reuse

    Description The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or “zeroize” the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. Modes of Introduction:…

  • CWE-228 – Improper Handling of Syntactically Invalid Structure

    Description The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. Modes of Introduction: – Implementation     Related Weaknesses CWE-703 CWE-707   Consequences Integrity, Availability: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU) If an input is syntactically invalid, then processing…

  • CWE-229 – Improper Handling of Values

    Description The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-228   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-23 – Relative Path Traversal

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as “..” that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside…

  • CWE-230 – Improper Handling of Missing Values

    Description The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null. Modes of Introduction: – Implementation     Related Weaknesses CWE-229   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2002-0422 Blank Host header…

  • CWE-231 – Improper Handling of Extra Values

    Description The software does not handle or incorrectly handles when more values are provided than expected. Modes of Introduction: – Implementation     Related Weaknesses CWE-229 CWE-120   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-232 – Improper Handling of Undefined Values

    Description The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-229   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2000-1003 Client crash when server returns unknown driver…

  • CWE-233 – Improper Handling of Parameters

    Description The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-228   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-234 – Failure to Handle Missing Parameter

    Description If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-233   Consequences…

  • CWE-235 – Improper Handling of Extra Parameters

    Description The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. Modes of Introduction: – Implementation     Related Weaknesses CWE-233   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2003-1014 MIE. multiple gateway/security products allow restriction bypass using multiple…

  • CWE-236 – Improper Handling of Undefined Parameters

    Description The software does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-233   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2002-1488 Crash in IRC client via PART message…

  • CWE-237 – Improper Handling of Structural Elements

    Description The software does not handle or incorrectly handles inputs that are related to complex structures. Modes of Introduction:     Related Weaknesses CWE-228   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-238 – Improper Handling of Incomplete Structural Elements

    Description The software does not handle or incorrectly handles when a particular structural element is not completely specified. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-237   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

    Description The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-668   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and Design Description:  CVE References CVE-2001-1483 Enumeration of…

  • CWE-201 – Insertion of Sensitive Information Into Sent Data

    Description The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as…

  • CWE-202 – Exposure of Sensitive Information Through Data Queries

    Description When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be tied to individual users, but a large number of users should be able to make queries that “scrub” the identity of users, it may be possible to get information…

  • CWE-203 – Observable Discrepancy

    Description The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Discrepancies can take many forms, and variations may be detectable in timing, control…

  • CWE-204 – Observable Response Discrepancy

    Description The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can…

  • CWE-205 – Observable Behavioral Discrepancy

    Description The product’s behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of…

  • CWE-206 – Observable Internal Behavioral Discrepancy

    Description The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points. Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be…

  • CWE-207 – Observable Behavioral Discrepancy With Equivalent Products

    Description The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker. For many kinds of products, multiple products may be available that perform the same functionality, such as a…

  • CWE-208 – Observable Timing Discrepancy

    Description Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. In security-relevant contexts, even small variations in timing can be exploited by…

  • CWE-209 – Generation of Error Message Containing Sensitive Information

    Description The software generates an error message that includes sensitive information about its environment, users, or associated data. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-200 CWE-200 CWE-755   Consequences Confidentiality: Read Application Data Often this will either reveal sensitive information which may be used for a…

  • CWE-210 – Self-generated Error Message Containing Sensitive Information

    Description The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-209   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Implementation, Build and Compilation Description:  Debugging information should not make its way into a…

  • CWE-211 – Externally-Generated Error Message Containing Sensitive Information

    Description The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information. Modes of Introduction: – Architecture and Design     Related…

  • CWE-212 – Improper Removal of Sensitive Information Before Storage or Transfer

    Description The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-669 CWE-669 CWE-201   Consequences Confidentiality: Read Files or Directories, Read Application Data…

  • CWE-213 – Exposure of Sensitive Information Due to Incompatible Policies

    Description The product’s intended functionality exposes information to certain actors in accordance with the developer’s security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product’s administrator, users, or others whose information is being processed. Modes of Introduction: – Policy     Related Weaknesses…

  • CWE-214 – Invocation of Process Using Visible Sensitive Information

    Description A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable…

  • CWE-215 – Insertion of Sensitive Information Into Debugging Code

    Description The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this…

  • CWE-216 – DEPRECATED: Containment Errors (Container Errors)

    Description This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the “container” term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry. Modes of Introduction:    …

  • CWE-217 – DEPRECATED: Failure to Protect Stored Data from Modification

    Description This entry has been deprecated because it incorporated and confused multiple weaknesses. The issues formerly covered in this entry can be found at CWE-766 and CWE-767. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-218 – DEPRECATED: Failure to provide confidentiality for stored data

    Description This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-219 – Storage of File with Sensitive Data Under Web Root

    Description The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. Besides public-facing web pages and code, applications may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server…

  • CWE-179 – Incorrect Behavior Order: Early Validation

    Description The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. Software needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that…

  • CWE-180 – Incorrect Behavior Order: Validate Before Canonicalize

    Description The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. Modes of Introduction: – Implementation    …

  • CWE-181 – Incorrect Behavior Order: Validate Before Filter

    Description The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. Modes of Introduction: – Implementation  …

  • CWE-182 – Collapse of Data into Unsafe Value

    Description The software filters data in a way that causes it to be reduced or “collapsed” into an unsafe value that violates an expected security property. Modes of Introduction: – Implementation     Related Weaknesses CWE-693 CWE-33 CWE-34 CWE-35   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Architecture and Design Description:  Avoid…

  • CWE-183 – Permissive List of Allowed Inputs

    Description The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive – that is, it allows an input that is unsafe, leading to resultant weaknesses. Modes of Introduction:…

  • CWE-184 – Incomplete List of Disallowed Inputs

    Description The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. Developers often try to protect their products against malicious input…

  • CWE-185 – Incorrect Regular Expression

    Description The software specifies a regular expression in a way that causes data to be improperly matched or compared. When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data. Modes of Introduction: – Implementation     Related…

  • CWE-186 – Overly Restrictive Regular Expression

    Description A regular expression is overly restrictive, which prevents dangerous values from being detected. This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly…

  • CWE-187 – Partial String Comparison

    Description The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses. For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password. Modes of Introduction:…

  • CWE-188 – Reliance on Data/Memory Layout

    Description The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Low   Related Weaknesses CWE-1105 CWE-435   Consequences Integrity, Confidentiality: Modify Memory, Read Memory Can result in unintended modifications or exposure…

  • CWE-190 – Integer Overflow or Wraparound

    Description The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer…

  • CWE-191 – Integer Underflow (Wrap or Wraparound)

    Description The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. This can happen in signed and unsigned cases. Modes of Introduction: – Implementation     Related Weaknesses CWE-682 CWE-682   Consequences Availability: DoS:…

  • CWE-192 – Integer Coercion Error

    Description Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may…

  • CWE-193 – Off-by-one Error

    Description A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. Modes of Introduction: – Implementation     Related Weaknesses CWE-682 CWE-682 CWE-617 CWE-170 CWE-119   Consequences Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability…

  • CWE-194 – Unexpected Sign Extension

    Description The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. Modes of Introduction: – Implementation   Likelihood of Exploit: High   Related Weaknesses CWE-681…

  • CWE-195 – Signed to Unsigned Conversion Error

    Description The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive. Modes of Introduction: – Implementation     Related Weaknesses CWE-681 CWE-681 CWE-681 CWE-119   Consequences Integrity: Unexpected State Conversion…

  • CWE-196 – Unsigned to Signed Conversion Error

    Description The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive. Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite…

  • CWE-197 – Numeric Truncation Error

    Description Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal…

CWE

CWE-669 – Incorrect Resource Transfer Between Spheres

Read Time:49 Second

Description

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for “administrators” who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be “users who are authenticated to the operating system on which the product is installed.” Each sphere has different sets of actors and allowable behaviors.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Unexpected State

 

Potential Mitigations

CVE References

CWE

CWE-67 – Improper Handling of Windows Device Names

Read Time:2 Minute, 22 Second

Description

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-66

 

Consequences

Availability, Confidentiality, Other: DoS: Crash, Exit, or Restart, Read Application Data, Other

 

Potential Mitigations

Phase: Implementation

Description: 

Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.

CVE References

  • CVE-2002-0106
    • Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
  • CVE-2002-0200
    • Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
  • CVE-2002-1052
    • Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
  • CVE-2001-0493
    • Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
  • CVE-2001-0558
    • Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.
  • CVE-2000-0168
    • Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the “DOS Device in Path Name” vulnerability.
  • CVE-2001-0492
    • Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
  • CVE-2004-0552
    • Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
  • CVE-2005-2195
    • Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.
CWE

CWE-670 – Always-Incorrect Control Flow Implementation

Read Time:49 Second

Description

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-691

 

Consequences

Other: Other, Alter Execution Logic

 

Potential Mitigations

CVE References

  • CVE-2021-3011
    • virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code
CWE

CWE-671 – Lack of Administrator Control over Security

Read Time:39 Second

Description

The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

If the product’s administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats – including the product’s developer – can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-657

 

Consequences

Other: Varies by Context

 

Potential Mitigations

CVE References

CWE

CWE-672 – Operation on a Resource after Expiration or Release

Read Time:41 Second

Description

The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-666

 

Consequences

Integrity, Confidentiality: Modify Application Data, Read Application Data

If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity.

Other, Availability: Other, DoS: Crash, Exit, or Restart

When a resource is released it might not be in an expected state, later attempts to access the resource may lead to resultant errors that may lead to a crash.

 

Potential Mitigations

CVE References

  • CVE-2009-3547
    • chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
CWE

CWE-673 – External Influence of Sphere Definition

Read Time:22 Second

Description

The product does not prevent the definition of control spheres from external actors.

Typically, a product defines its control sphere within the code itself, or through configuration by the product’s administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664

 

Consequences

Other: Other

 

Potential Mitigations

CVE References

CWE

CWE-674 – Uncontrolled Recursion

Read Time:1 Minute, 29 Second

Description

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-691

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.

Confidentiality: Read Application Data

In some cases, an application’s interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP’s memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application’s installation path.

 

Potential Mitigations

Phase: Implementation

Effectiveness: Moderate

Description: 

Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Phase: Implementation

Effectiveness: Limited

Description: 

Increase the stack size.

Increasing the stack size might only be a temporary measure, since the stack typically is still not very large, and it might remain easy for attackers to cause an out-of-stack fault.

CVE References

  • CVE-2007-3409
    • Self-referencing pointers create infinite loop and resultant stack exhaustion.
  • CVE-2016-10707
    • Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition.
  • CVE-2016-3627
    • An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition.
  • CVE-2019-15118
    • USB-audio driver’s descriptor code parsing allows unlimited recursion leading to stack exhaustion.