Category Archives: CWE

CWE-481 – Assigning instead of Comparing

Description

The code uses an operator for assignment when the intention was to perform a comparison.

In many languages, the compare statement is very close in appearance to the assignment statement, and the two are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison is in an if statement, the if statement will usually evaluate the value of the right-hand side of the predicate.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-480
CWE-697

 

Consequences

Other: Alter Execution Logic

 

Potential Mitigations

Phase: Testing

Description: 

Many IDEs and static analysis products will detect this problem.

Phase: Implementation

Description: 

Place constants on the left. If one attempts to assign a variable to a constant, the compiler will produce an error.
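The following JavaScript sketch is an added example, not code from the original entry. It shows the typo silently granting access and overwriting the tested field, the corrected comparison, and the constant-on-the-left form being rejected at parse time; all function and field names are hypothetical.

```javascript
// Added illustration of CWE-481; all names here are hypothetical.

// Buggy: `=` assigns "admin" to user.role, and the `if` then tests the
// assigned value (a non-empty string, so the branch is always taken).
function isAdminBuggy(user) {
  if (user.role = "admin") {
    return true;
  }
  return false;
}

// Fixed: strict comparison, no side effect on the object.
function isAdminFixed(user) {
  return user.role === "admin";
}

// Constant on the left: the same typo now has a literal as the assignment
// target, which the parser rejects before any code runs.
function constantOnLeftTypoIsRejected() {
  try {
    new Function("user", 'if ("admin" = user.role) { return true; }');
    return false;
  } catch (err) {
    return err instanceof SyntaxError;
  }
}

function demo() {
  const guest = { name: "alice", role: "guest" }; // constructed sample
  const buggyResult = isAdminBuggy(guest);
  return {
    buggyResult,                       // the check passed for a guest
    roleAfterBuggyCheck: guest.role,   // the check also changed the data
    fixedResult: isAdminFixed({ name: "alice", role: "guest" }),
    typoRejected: constantOnLeftTypoIsRejected(),
  };
}
```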

CVE References

CWE-482 – Comparing instead of Assigning

Description

The code uses an operator for comparison when the intention was to perform an assignment.

In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-480

 

Consequences

Availability, Integrity: Unexpected State

The assignment will not take place, which should cause obvious program execution problems.

 

Potential Mitigations

Phase: Testing

Description: 

Many IDEs and static analysis products will detect this problem.

CVE References

CWE-444 – Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

Description

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-436

 

Consequences

Integrity, Non-Repudiation, Access Control: Unexpected State, Hide Activities, Bypass Protection Mechanism

An attacker could create a request to exploit a number of weaknesses, including: 1) the request can trick the web server into associating a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the request can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the request can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack).

 

Potential Mitigations

Phase: Implementation

Description: 

Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].

Phase: Implementation

Description: 

Use only SSL communication.

Phase: Implementation

Description: 

Terminate the client session after each request.

Phase: System Configuration

Description: 

Turn all pages to non-cacheable.

CVE References

  • CVE-2005-2088
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2089
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2090
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2091
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2092
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2093
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2094
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
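The strict-parsing mitigation above and the Transfer-Encoding/Content-Length inconsistency named in the CVE references can be expressed as a framing check that a front end or origin applies before forwarding or processing a request. This is an added example, not code from the original entry; the function name, rule set and sample header blocks are assumptions of the example.

```javascript
// Added example: strict request-framing check. The function name and the
// exact rule set are assumptions of this example, not taken from the page.
function framingProblems(rawHead) {
  const problems = [];
  if (/(^|[^\r])\n/.test(rawHead)) problems.push("bare LF line ending");

  const lines = rawHead.split(/\r?\n/).filter((l) => l !== "");
  const contentLengths = [];
  const transferEncodings = [];
  for (const line of lines.slice(1)) { // lines[0] is the request line
    if (/^[ \t]/.test(line)) { problems.push("folded header line"); continue; }
    const colon = line.indexOf(":");
    if (colon < 1) { problems.push("header line without a field name"); continue; }
    const rawName = line.slice(0, colon);
    if (/[ \t]/.test(rawName)) problems.push("whitespace in header field name");
    const name = rawName.trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    if (name === "content-length") contentLengths.push(value);
    if (name === "transfer-encoding") transferEncodings.push(value.toLowerCase());
  }

  // The two framing headers must never disagree about where the body ends.
  if (contentLengths.length > 0 && transferEncodings.length > 0) {
    problems.push("both Content-Length and Transfer-Encoding present");
  }
  if (new Set(contentLengths).size > 1) problems.push("conflicting Content-Length values");
  if (contentLengths.some((v) => !/^[0-9]+$/.test(v))) problems.push("non-numeric Content-Length");
  if (transferEncodings.length > 0) {
    const codings = transferEncodings.join(",").split(",").map((c) => c.trim());
    if (codings[codings.length - 1] !== "chunked") {
      problems.push("final transfer coding is not chunked");
    }
  }
  return problems; // empty array: framing is unambiguous
}

// Constructed header blocks (no bodies), not captured traffic.
const CLEAN = "POST /submit HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n";
const BOTH = "POST /submit HTTP/1.1\r\nHost: app.example\r\n" +
  "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n";
const DUPLICATE = "POST /submit HTTP/1.1\r\nHost: app.example\r\n" +
  "Content-Length: 5\r\nContent-Length: 11\r\n\r\n";

function demoFraming() {
  return [CLEAN, BOTH, DUPLICATE].map((head) => framingProblems(head));
}
```

A request with a non-empty result should be rejected outright rather than repaired, so that every hop in the chain sees the same message boundaries.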

CWE-446 – UI Discrepancy for Security Feature

Description

The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.

When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false sense of security. For example, the user might check a box for a security option that enables encrypted communications, but the software does not actually enable the encryption. Alternately, the user might provide a “restrict ALL” access control rule, but the software only implements “restrict SOME”.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-684

 

Consequences

Other: Varies by Context

 

Potential Mitigations

CVE References

  • CVE-1999-1446
    • UI inconsistency; visited URLs list not cleared when “Clear History” option is selected.

CWE-447 – Unimplemented or Unsupported Feature in UI

Description

A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-446
CWE-671

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Testing

Description: 

Perform functionality testing before deploying the application.

CVE References

  • CVE-2000-0127
    • GUI configuration tool does not enable a security option when a checkbox is selected, although that option is honored when manually set in the configuration file.
  • CVE-2001-0863
    • Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass.
  • CVE-2001-0865
    • Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass.
  • CVE-2004-0979
    • Web browser does not properly modify security setting when the user sets it.

CWE-448 – Obsolete Feature in UI

Description

A UI function is obsolete and the product does not warn the user.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-446

 

Consequences

Other: Quality Degradation, Varies by Context

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Remove the obsolete feature from the UI. Warn the user that the feature is no longer supported.

CVE References

CWE-449 – The UI Performs the Wrong Action

Description

The UI performs the wrong action with respect to the user’s request.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-446

 

Consequences

Other: Quality Degradation, Varies by Context

 

Potential Mitigations

Phase: Testing

Description: 

Perform extensive functionality testing of the UI. The UI should behave as specified.

CVE References

  • CVE-2001-1387
    • Network firewall accidentally implements one command line option as if it were another, possibly leading to behavioral infoleak.
  • CVE-2001-0081
    • Command line option correctly suppresses a user prompt but does not properly disable a feature, although when the product prompts the user, the feature is properly disabled.
  • CVE-2002-1977
    • Product does not “time out” according to user specification, leaving sensitive data available after it has expired.

CWE-45 – Path Equivalence: ‘file...name’ (Multiple Internal Dot)

Description

A software system that accepts path input in the form of multiple internal dots (‘file...dir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-44
CWE-165

 

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

 

Potential Mitigations

CVE References

CWE-450 – Multiple Interpretations of UI Input

Description

The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-357

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
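The ordering rule above, shown as an added JavaScript example that is not part of the original entry: the same path check is applied once before decoding and once after a single decode. The function names, the `public/` policy and the sample inputs are assumptions of the example.

```javascript
// Added example (not from the original page); names and policy are assumptions.

// Policy: only paths under public/, with no empty, "." or ".." segments.
function isAllowedPath(path) {
  if (!path.startsWith("public/")) return false;
  return path.split("/").every((s) => s !== "" && s !== "." && s !== "..");
}

// Wrong order (CWE-180): the raw form is validated, then decoded, so the
// string that is actually used was never checked.
function resolveValidateThenDecode(raw) {
  if (!isAllowedPath(raw)) return null;
  return decodeURIComponent(raw);
}

// Right order: decode exactly once, refuse input that a second decode would
// still change (CWE-174), validate the canonical form, and return that same
// canonical string so later code never decodes again.
function resolveDecodeThenValidate(raw) {
  let canonical;
  try {
    canonical = decodeURIComponent(raw);
  } catch (err) {
    return null; // malformed percent-escape
  }
  if (/%[0-9a-fA-F]{2}/.test(canonical)) return null; // residual encoding
  return isAllowedPath(canonical) ? canonical : null;
}

// Constructed inputs for the comparison.
const SAMPLES = [
  "public/report%20q1.txt",        // ordinary encoded space
  "public/%2e%2e/private.txt",     // encoded dot segments
  "public/%252e%252e/private.txt", // doubly encoded dot segments
];

function compareOrders() {
  return SAMPLES.map((raw) => ({
    raw,
    validateThenDecode: resolveValidateThenDecode(raw),
    decodeThenValidate: resolveDecodeThenValidate(raw),
  }));
}
```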

CVE References