All posts by rocco

CWE-792 – Incomplete Filtering of One or More Instances of Special Elements


Description

The software receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-791

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

CWE-793 – Only Filtering One Instance of a Special Element


Description

The software receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.

Incomplete filtering of this nature may be location-dependent, as when only the first or the last instance is filtered.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-792

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

CWE-794 – Incomplete Filtering of Multiple Instances of Special Elements


Description

The software receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-792

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

CWE-795 – Only Filtering Special Elements at a Specified Location


Description

The software receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-791

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

CWE-796 – Only Filtering Special Elements Relative to a Marker


Description

The software receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. “at the beginning/end of a string; the second argument”), thereby missing remaining special elements that may exist before sending it to a downstream component.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-795

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

CWE-797 – Only Filtering Special Elements at an Absolute Position


Description

The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. “byte number 10”), thereby missing remaining special elements that may exist before sending it to a downstream component.
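A compact illustration of the filtering patterns named in CWE-792 through CWE-797, added here as an example and not part of the CWE entries: each incomplete strategy (one instance only, relative to a marker, at an absolute position) sits beside the complete one, and a residual-count check shows what each leaves for the downstream component. The function names, the choice of `<` as the special element and the sample input are assumptions made for this example.

```python
"""Incomplete filtering of special elements (CWE-792 to CWE-797).

Each filter_* function models one incomplete pattern from the descriptions
above; filter_all is the complete form and residual_count is the check that
shows what each pattern leaves behind.  Function names, the chosen special
element and the sample input are assumptions made for this example.
"""

SPECIAL = "<"  # constructed: the special element the filter is meant to remove


def filter_one_instance(data: str, special: str = SPECIAL) -> str:
    """CWE-793: only the first instance is removed (count=1)."""
    return data.replace(special, "", 1)


def filter_at_ends(data: str, special: str = SPECIAL) -> str:
    """CWE-796: only instances relative to a marker (the string ends) are removed."""
    return data.strip(special)


def filter_at_position(data: str, pos: int, special: str = SPECIAL) -> str:
    """CWE-797: only an absolute position (e.g. 'byte number 10') is checked."""
    if 0 <= pos < len(data) and data[pos] == special:
        return data[:pos] + data[pos + 1:]
    return data


def filter_all(data: str, special: str = SPECIAL) -> str:
    """Complete filtering (what CWE-792/CWE-794 lack): every instance is removed."""
    return data.replace(special, "")


def residual_count(data: str, special: str = SPECIAL) -> int:
    """Post-filter check: how many special elements reached the output."""
    return data.count(special)


SAMPLE = "<a<<b<"  # constructed: instances at the start, in the middle and at the end


def compare_filters(data: str = SAMPLE) -> dict:
    """Residual count per strategy; anything above zero is incomplete filtering."""
    return {
        "one_instance": residual_count(filter_one_instance(data)),
        "at_ends": residual_count(filter_at_ends(data)),
        "at_position_0": residual_count(filter_at_position(data, 0)),
        "all": residual_count(filter_all(data)),
    }
```

Running `compare_filters()` on the sample gives 3, 2, 3 and 0 residual elements respectively; a downstream component that assumes the filter was complete is wrong in the first three cases.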

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-795

Consequences

Integrity: Unexpected State

Potential Mitigations

CVE References

CWE-798 – Use of Hard-coded Credentials


Description

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-287
CWE-344
CWE-671
CWE-257

Consequences

Access Control: Bypass Protection Mechanism

If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question.

Integrity, Confidentiality, Availability, Access Control, Other: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Other

This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a “first login” mode that requires the user to enter a unique strong password or key.

Phase: Architecture and Design

Effectiveness:

Description: 

If the software must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

CVE References

  • CVE-2010-2772
    • SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm
  • CVE-2010-2073
    • FTP server library uses hard-coded usernames and passwords for three default accounts
  • CVE-2010-1573
    • Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code
  • CVE-2008-0961
    • Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface
  • CVE-2008-1160
    • Security appliance uses hard-coded password allowing attackers to gain root access
  • CVE-2006-7142
    • Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs
  • CVE-2005-3716
    • VoIP product uses hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information
  • CVE-2005-3803
    • VoIP product uses hard-coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information
  • CVE-2005-0496
    • Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system

CWE-799 – Improper Control of Interaction Frequency


Description

The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day.
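An added example (not part of the CWE entry) of the password-guessing case above: a sliding-window limiter keyed by actor, applied before the credential check so that every guess consumes a slot, the window eventually expires, and other actors are unaffected. The class and function names, the limit of three attempts per 60 seconds, the secret and the actor identifiers are assumptions made for this example.

```python
"""Limiting interaction frequency (CWE-799): sliding-window limiter per actor.

Names, limits and the fake clock are assumptions made for this example.
"""
import hmac
from collections import deque
from typing import Callable, Deque, Dict, List


class SlidingWindowLimiter:
    """Allows at most max_events interactions per actor in any window seconds."""

    def __init__(self, max_events: int, window: float, clock: Callable[[], float]):
        self.max_events = max_events
        self.window = window
        self.clock = clock
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, actor: str) -> bool:
        """Records one interaction for actor; returns False once the window is full."""
        now = self.clock()
        q = self._events.setdefault(actor, deque())
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


def attempt_login(limiter: SlidingWindowLimiter, actor: str, supplied: str, expected: str) -> str:
    """The limit is checked before the credential, so every guess costs one slot."""
    if not limiter.allow(actor):
        return "rate_limited"
    return "ok" if hmac.compare_digest(supplied.encode(), expected.encode()) else "denied"


class FakeClock:
    """Deterministic clock so the window behaviour can be shown offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate() -> List[str]:
    """Five rapid guesses, then a retry after the window, then a second actor."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(max_events=3, window=60.0, clock=clock)
    expected = "correct-horse"  # constructed secret for the demo
    out = []
    for guess in ("a", "b", "c", "d", "e"):  # one wrong guess per second
        out.append(attempt_login(limiter, "client-1", guess, expected))
        clock.advance(1.0)
    clock.advance(60.0)  # window elapses; client-1 may try again
    out.append(attempt_login(limiter, "client-1", expected, expected))
    out.append(attempt_login(limiter, "client-2", "x", expected))  # other actors unaffected
    return out
```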

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-691

Consequences

Availability, Access Control, Other: DoS: Resource Consumption (Other), Bypass Protection Mechanism, Other

Potential Mitigations

CVE References

  • CVE-2002-1876
    • Mail server allows attackers to prevent other users from accessing mail by sending large number of rapid requests.

CWE-8 – J2EE Misconfiguration: Entity Bean Declared Remote


Description

When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean’s data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application’s expectations, potentially leading to other vulnerabilities.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-668

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Declare Java beans “local” when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.

CVE References

CWE-80 – Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)


Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<" and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

This may allow such characters to be treated as control characters, which are executed client-side in the context of the user’s session. Although this can be classified as an injection problem, the more pertinent issue is the improper conversion of such special characters to respective context-appropriate entities before displaying them to the user.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

Related Weaknesses

CWE-79

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

  • CVE-2002-1495
    • XSS in web-based email product via attachment filenames.