All posts by rocco

CWE-524 – Use of Cache Containing Sensitive Information

Description

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.

Modes of Introduction:

– Implementation
Related Weaknesses

CWE-668
Consequences

Confidentiality: Read Application Data
Potential Mitigations

Phase: Architecture and Design

Description: 

Protect information stored in cache.

Phase: Architecture and Design

Description: 

Do not store unnecessarily sensitive information in the cache.

Phase: Architecture and Design

Description: 

Consider using encryption in the cache.

CVE References

CWE-525 – Use of Web Browser Cache Containing Sensitive Information

Description

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Modes of Introduction:

– Implementation
Related Weaknesses

CWE-524
Consequences

Confidentiality: Read Application Data

Browsers often store information in a client-side cache, which can leave behind sensitive information for other users to find and exploit, such as passwords or credit card numbers. The locations at most risk include public terminals, such as those in libraries and Internet cafes.
Potential Mitigations

Phase: Architecture and Design

Description: 

Protect information stored in cache.

Phase: Architecture and Design, Implementation

Description: 

Use a restrictive caching policy for forms and web pages that potentially contain sensitive information.

Phase: Architecture and Design

Description: 

Do not store unnecessarily sensitive information in the cache.

Phase: Architecture and Design

Description: 

Consider using encryption in the cache.

CVE References

CWE-526 – Exposure of Sensitive Information Through Environmental Variables

Description

Environmental variables may contain sensitive information about a remote server.

Modes of Introduction:

– Architecture and Design
Related Weaknesses

CWE-497
Consequences

Confidentiality: Read Application Data
Potential Mitigations

Phase: Architecture and Design

Description: 

Protect information stored in environment variables from being exposed to the user.

CVE References

CWE-483 – Incorrect Block Delimitation

Description

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in a block but is not. In some cases, the logic error can have security implications.

Modes of Introduction:

– Implementation
Likelihood of Exploit: Low
Related Weaknesses

CWE-670
Consequences

Confidentiality, Integrity, Availability: Alter Execution Logic

This is a general logic error which will often lead to obviously incorrect behaviors that are quickly noticed and fixed. In lightly tested or untested code, this error may be introduced into a production environment and provide additional attack vectors by creating a control flow path leading to an unexpected state in the application. The consequences will depend on the types of behaviors that are being incorrectly executed.
Potential Mitigations

Phase: Implementation

Description: 

Always use explicit block delimitation and use static-analysis technologies to enforce this practice.

CVE References

  • CVE-2014-1266
    • incorrect indentation of “goto” statement makes it more difficult to detect an incorrect goto (Apple’s “goto fail”)
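As an added illustration (not code from the CWE entry or from Apple's SSL library), the shape of the "goto fail" defect in a constructed three-step validation chain, with the explicitly delimited form beside it. The function names and the step arguments are assumptions for the example.

```c
/* Constructed example: each step argument is 0 on success, non-zero on
 * failure, mirroring the err-returning calls in the original goto fail code. */
#define ERR_FAIL (-1)

/* Buggy form: the second "goto fail" is indented as if it were inside the
 * if-block, but without braces only the first statement belongs to the if.
 * The goto therefore runs unconditionally, step 3 is never checked, and
 * because err is still 0 at that point the caller is told everything passed. */
int check_chain_buggy(int step1, int step2, int step3)
{
    int err = 0;
    if (step1 != 0) { err = ERR_FAIL; goto fail; }
    if (step2 != 0)
        err = ERR_FAIL;
        goto fail;            /* always executes: not part of the if above */
    if (step3 != 0) { err = ERR_FAIL; goto fail; }
fail:
    return err;
}

/* Fixed form: every conditional block is delimited explicitly, so the
 * third check is reached whenever the first two pass. */
int check_chain_fixed(int step1, int step2, int step3)
{
    int err = 0;
    if (step1 != 0) { err = ERR_FAIL; goto fail; }
    if (step2 != 0) { err = ERR_FAIL; goto fail; }
    if (step3 != 0) { err = ERR_FAIL; goto fail; }
fail:
    return err;
}
```

GCC's -Wmisleading-indentation (enabled by -Wall since GCC 6) reports the buggy form, which is the kind of static check the mitigation above asks for.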

CWE-484 – Omitted Break Statement in Switch

Description

The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

This can lead to critical code executing in situations where it should not.

Modes of Introduction:

– Implementation
Likelihood of Exploit: Medium
Related Weaknesses

CWE-710
CWE-670
Consequences

Other: Alter Execution Logic

This weakness can cause unintended logic to be executed and other unexpected application behavior.
Potential Mitigations

Phase: Implementation

Description: 

Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should be avoided. If you need to use fall-through capabilities, make sure that you have clearly documented this within the switch statement, and ensure that you have examined all the logical possibilities.

Phase: Implementation

Description: 

The functionality of omitting a break statement could be clarified with an if statement. This method is much safer.
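An added, constructed example (not from the CWE entry): a role-to-permission switch in which a single missing break hands a guest write access, beside the corrected form. The role enum, permission bits and function names are assumptions for the example.

```c
/* Constructed example: map a caller's role to a permission bit mask. */
enum role { ROLE_GUEST, ROLE_USER, ROLE_ADMIN };

#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define PERM_ADMIN 0x4u

/* Buggy form: the ROLE_GUEST case has no break, so control falls through
 * into ROLE_USER and the guest's mask is overwritten with read+write. */
unsigned permissions_buggy(enum role r)
{
    unsigned perms = 0;
    switch (r) {
    case ROLE_ADMIN:
        perms = PERM_READ | PERM_WRITE | PERM_ADMIN;
        break;
    case ROLE_GUEST:
        perms = PERM_READ;
        /* missing break: falls through to ROLE_USER */
    case ROLE_USER:
        perms = PERM_READ | PERM_WRITE;
        break;
    }
    return perms;
}

/* Fixed form: every case ends with break, and an unrecognised role
 * fails closed with no permissions at all. */
unsigned permissions_fixed(enum role r)
{
    unsigned perms = 0;
    switch (r) {
    case ROLE_ADMIN:
        perms = PERM_READ | PERM_WRITE | PERM_ADMIN;
        break;
    case ROLE_USER:
        perms = PERM_READ | PERM_WRITE;
        break;
    case ROLE_GUEST:
        perms = PERM_READ;
        break;
    default:
        perms = 0;
        break;
    }
    return perms;
}
```

GCC's -Wimplicit-fallthrough (part of -Wextra since GCC 7) reports the missing break; where fall-through is intended, a `/* fall through */` comment or the fallthrough attribute documents it in the switch, as the first mitigation asks.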

CVE References

CWE-486 – Comparison of Classes by Name

Description

The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.

Modes of Introduction:

– Implementation
Likelihood of Exploit: High
Related Weaknesses

CWE-1025
Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

If a program relies solely on the name of an object to determine identity, it may execute the incorrect or unintended code.
Potential Mitigations

Phase: Implementation

Description: 

Use class equivalency to determine type. Rather than using the class name to determine whether an object is of a given type, use the getClass() method and the == operator.

CVE References

CWE-487 – Reliance on Package-level Scope

Description

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.

Modes of Introduction:

– Implementation
Likelihood of Exploit: Medium
Related Weaknesses

CWE-664
Consequences

Confidentiality: Read Application Data

Any data in a Java package can be accessed outside of the Java framework if the package is distributed.

Integrity: Modify Application Data

The data in a Java class can be modified by anyone outside of the Java framework if the package is distributed.
Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Data should be private static and final whenever possible. This will ensure that your code is protected by instantiating early, preventing access and tampering.

CVE References

CWE-488 – Exposure of Data Element to Wrong Session

Description

The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

Modes of Introduction:

– Implementation
Related Weaknesses

CWE-668
Consequences

Confidentiality: Read Application Data
Potential Mitigations

Phase: Architecture and Design

Description: 

Protect the application’s sessions from information leakage. Make sure that a session’s data is not used by, or visible to, other sessions.

Phase: Testing

Description: 

Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).

Phase: Architecture and Design

Description: 

In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.

CVE References

CWE-489 – Active Debug Code

Description

The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.

Modes of Introduction:

– Implementation
Related Weaknesses

CWE-710
CWE-215
Consequences

Confidentiality, Integrity, Availability, Access Control, Other: Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context

The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as any confidential information that either of these can access.
Potential Mitigations

Phase: Build and Compilation, Distribution

Description: 

Remove debug code before deploying the application.

CVE References

CWE-49 – Path Equivalence: ‘filename/’ (Trailing Slash)

Description

A software system that accepts path input in the form of trailing slash (‘filedir/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation
Related Weaknesses

CWE-41
CWE-162
Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories
Potential Mitigations

CVE References

  • CVE-2001-0446
    • Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.
  • CVE-2004-0334
    • Bypass Basic Authentication for files using trailing “/”
  • CVE-2001-0892
    • Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
  • CVE-2004-1814
    • Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.
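An added example, not from the CWE entry, of why a literal string comparison is the wrong place to make an access decision: is_protected_buggy treats "filename/" as a different resource even though the server resolves it to the same file, while is_protected_fixed canonicalizes the request first. PROTECTED_PATH and all function names are constructed for illustration.

```c
#include <string.h>

/* Constructed example: one protected resource and an access check. */
static const char PROTECTED_PATH[] = "/private/report.jsp";

/* Buggy form: "/private/report.jsp/" is a different string, so the check
 * answers "not protected", yet the file server may serve the same file. */
int is_protected_buggy(const char *req)
{
    return strcmp(req, PROTECTED_PATH) == 0;
}

/* Canonicalize req into out: collapse runs of '/' and drop trailing
 * slashes (a bare "/" is kept). Returns 0 on success, -1 if out is too
 * small. Dot segments and percent-encoding are deliberately out of scope. */
int canonicalize_path(const char *req, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = req; *p != '\0'; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/')
            continue;                     /* collapse "//" into "/" */
        if (n + 1 >= outsz)
            return -1;                    /* no room for char + NUL */
        out[n++] = *p;
    }
    while (n > 1 && out[n - 1] == '/')
        n--;                              /* strip trailing '/' */
    out[n] = '\0';
    return 0;
}

/* Fixed form: compare the canonical spelling, and fail closed (treat as
 * protected) when the request cannot be canonicalized. */
int is_protected_fixed(const char *req)
{
    char canon[256];
    if (canonicalize_path(req, canon, sizeof canon) != 0)
        return 1;
    return strcmp(canon, PROTECTED_PATH) == 0;
}
```

This canonicalizer only handles slashes; a real server must also resolve "." and ".." segments (CVE-2004-1814 above) and percent-encoding before the check, or better, base the decision on the resolved filesystem path rather than the request string.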