CWE-451 – User Interface (UI) Misrepresentation of Critical Information


Description

The user interface (UI) does not properly represent critical information to the user, allowing the information – or its source – to be obscured or spoofed. This is often a component in phishing attacks.

Modes of Introduction:

– Architecture and Design


Related Weaknesses

CWE-684 – Incorrect Provision of Specified Functionality
CWE-221 – Information Loss or Omission
CWE-346 – Origin Validation Error


Consequences

Scope: Non-Repudiation, Access Control. Impact: Hide Activities, Bypass Protection Mechanism. A user who acts on a spoofed indicator (a lock icon, a hostname, a file type) cannot later show what they actually saw, and the indicator that was meant to protect them has been bypassed.


Potential Mitigations

Phase: Implementation

Description: 

Validate untrusted data (syntax, length, character set) before it is interpreted or rendered. Reject or escape control characters, null bytes and long runs of whitespace rather than handing them to the display layer, where a width limit or a special character can silently cut off the part of the value the user needs to see.

Phase: Architecture and Design

Description: 

Create a strategy for presenting security-relevant information, and plan for how unusual characters will be displayed. Decide which part of a value must always remain visible (the real hostname of a URL, the final extension of a filename, the origin of a dialog) and truncate or escape around that part, never through it.
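
The two mitigation phases above, carried out on a filename, as an added example that is not part of the CWE entry: validate first (length, control characters, invisible characters), then render so that the extension the operating system will actually act on stays visible in a width-limited dialog. The dialog width, the list of dangerous extensions and the sample names are assumptions made for illustration; the samples are constructed to mirror the whitespace-padding, long-name and NUL-byte cases that the CVE references on this page describe.

```javascript
// Added example (not from the CWE entry): validate an untrusted filename
// before interpreting it, then render it so the real extension stays visible.
// MAX_DISPLAY, DANGEROUS_EXT and FILE_SAMPLES are assumptions for illustration.

const MAX_DISPLAY = 40; // assumed number of characters the file dialog can show
const DANGEROUS_EXT = new Set(['exe', 'scr', 'bat', 'cmd', 'com', 'pif', 'js', 'vbs', 'hta']);

// Validation before interpretation: refuse characters that no legitimate
// filename needs instead of trying to render them.
function validateFilename(name) {
  if (typeof name !== 'string' || name.length === 0) return { ok: false, reason: 'empty' };
  if (name.length > 255) return { ok: false, reason: 'longer than 255 characters' };
  if (/[\u0000-\u001f\u007f-\u009f]/.test(name)) return { ok: false, reason: 'control character' };
  if (/[\u200b-\u200f\u202a-\u202e\u2066-\u2069]/.test(name)) return { ok: false, reason: 'zero-width or bidi control' };
  return { ok: true };
}

// The extension that matters is the last one after trailing whitespace is
// removed: "photo.jpg<60 spaces>.exe" is an .exe, whatever the dialog showed.
function realExtension(name) {
  const trimmed = name.trim();
  const dot = trimmed.lastIndexOf('.');
  if (dot < 0 || dot === trimmed.length - 1) return '';
  return trimmed.slice(dot + 1).toLowerCase();
}

function displayFilename(name) {
  const v = validateFilename(name);
  if (!v.ok) return { valid: false, reason: v.reason, text: '', extension: '', dangerous: false };

  const extension = realExtension(name);
  // Every run of two or more whitespace characters becomes a visible marker,
  // so padding can no longer push the extension out of the visible area.
  let text = name.replace(/\s+/g, (run) => (run.length > 1 ? ` [${run.length} spaces] ` : run));
  // If the name still does not fit, cut the middle and keep the tail: the
  // extension is the part the user must be able to see.
  if (text.length > MAX_DISPLAY) {
    const tailLen = extension ? extension.length + 1 : 0;
    const headLen = MAX_DISPLAY - tailLen - 1;
    const tail = tailLen > 0 ? text.slice(-tailLen) : '';
    text = text.slice(0, headLen) + '…' + tail;
  }
  return { valid: true, reason: '', text, extension, dangerous: DANGEROUS_EXT.has(extension) };
}

// Constructed sample names (not taken from any real advisory) modelled on the
// whitespace-padding, long-name and NUL-byte cases in the CVE list.
const FILE_SAMPLES = {
  benign: 'report.pdf',
  padded: 'holiday-photos.jpg' + ' '.repeat(60) + '.exe',
  long: 'a'.repeat(50) + '.txt.scr',
  nul: 'invoice.pdf\u0000.exe',
};

for (const [label, name] of Object.entries(FILE_SAMPLES)) {
  console.log(label, displayFilename(name));
}
```

The design point is that truncation is applied to the rendered string after whitespace has been made visible, and the tail that is preserved is chosen from the real extension rather than from whatever happens to fit; the `dangerous` flag is computed from the same extension the renderer preserves, so the warning and the display cannot disagree.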

CVE References

  • CVE-2004-2227
    • Web browser’s filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions.
  • CVE-2001-0398
    • Attachment with many spaces in filename bypasses “dangerous content” warning and uses different icon. Likely resultant, i.e. a consequence of another weakness rather than the primary flaw.
  • CVE-2004-1104
    • Incorrect indicator: web browser can be tricked into presenting the wrong URL
  • CVE-2005-0143
    • Incorrect indicator: Lock icon displayed when an insecure page loads a binary file loaded from a trusted site.
  • CVE-2005-0144
    • Incorrect indicator: Secure “lock” icon is presented for one channel, while an insecure page is being simultaneously loaded in another channel.
  • CVE-2004-0761
    • Incorrect indicator: Certain redirect sequences cause security lock icon to appear in web browser, even when page is not encrypted.
  • CVE-2004-2219
    • Incorrect indicator: Spoofing via multi-step attack that causes incorrect information to be displayed in browser address bar.
  • CVE-2004-0537
    • Overlay: Wide “favorites” icon can overlay and obscure address bar
  • CVE-2005-2271
    • Visual distinction: Web browsers do not clearly associate a JavaScript dialog box with the web page that generated it, allowing spoof of the source of the dialog. In effect a form of origin validation error (compare CWE-346).
  • CVE-2005-2272
    • Visual distinction: Web browsers do not clearly associate a JavaScript dialog box with the web page that generated it, allowing spoof of the source of the dialog. In effect a form of origin validation error (compare CWE-346).
  • CVE-2005-2273
    • Visual distinction: Web browsers do not clearly associate a JavaScript dialog box with the web page that generated it, allowing spoof of the source of the dialog. In effect a form of origin validation error (compare CWE-346).
  • CVE-2005-2274
    • Visual distinction: Web browsers do not clearly associate a JavaScript dialog box with the web page that generated it, allowing spoof of the source of the dialog. In effect a form of origin validation error (compare CWE-346).
  • CVE-2001-1410
    • Visual distinction: Browser allows attackers to create chromeless windows and spoof victim’s display using unprotected JavaScript method.
  • CVE-2002-0197
    • Visual distinction: Chat client allows remote attackers to spoof encrypted, trusted messages with lines that begin with a special sequence, which makes the message appear legitimate.
  • CVE-2005-0831
    • Visual distinction: Product allows spoofing names of other users by registering with a username containing hex-encoded characters.
  • CVE-2003-1025
    • Visual truncation: Special character in URL causes web browser to truncate the user portion of the “user@domain” URL, hiding real domain in the address bar.
  • CVE-2005-0243
    • Visual truncation: Chat client does not display long filenames in file dialog boxes, allowing dangerous extensions via manipulations including (1) many spaces and (2) multiple file extensions.
  • CVE-2005-1575
    • Visual truncation: Web browser file download type can be hidden using whitespace.
  • CVE-2004-2530
    • Visual truncation: Visual truncation in chat client using whitespace to hide dangerous file extension.
  • CVE-2005-0590
    • Visual truncation: Dialog box in web browser allows an attacker to spoof the hostname via a long “user:pass” sequence in the URL, which appears before the real hostname and pushes it out of view.
  • CVE-2004-1451
    • Visual truncation: Null character in URL prevents entire URL from being displayed in web browser.
  • CVE-2004-2258
    • Miscellaneous — [step-based attack, GUI] — Password-protected tab can be bypassed by switching to another tab, then back to original tab.
  • CVE-2005-1678
    • Miscellaneous — Dangerous file extensions not displayed.
  • CVE-2002-0722
    • Miscellaneous — Web browser allows remote attackers to misrepresent the source of a file in the File Download dialog box.
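
The address-bar cases in the list above (a long “user:pass” sequence placed before the real hostname, a null character that cuts the display short, and a lock icon that does not reflect the navigated document) share one fix: derive what is shown from a parsed URL, host first, and let the security indicator depend only on the scheme of that navigation. The following is an added example, not code from the CWE entry or from any browser; it uses the WHATWG `URL` parser that ships with Node.js and modern browsers, and the display width, the output shape and the sample URLs (documentation domains, constructed for this example) are assumptions.

```javascript
// Added example (not from the CWE entry): origin-first rendering of an
// untrusted URL so that userinfo, control characters or an overlong path
// cannot hide the real host. HOST_DISPLAY_LIMIT and URL_SAMPLES are assumptions.

const HOST_DISPLAY_LIMIT = 60; // assumed width available for the address bar

function describeUrl(input) {
  // Validation before interpretation: control characters (NUL included) are
  // never legitimate in a URL the user typed or clicked. Refuse them rather
  // than let a parser or the rendering layer truncate at them.
  if (typeof input !== 'string' || /[\u0000-\u001f\u007f]/.test(input)) {
    return { valid: false, reason: 'control character in URL' };
  }
  let url;
  try {
    url = new URL(input);
  } catch (_err) {
    return { valid: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { valid: false, reason: `unsupported scheme ${url.protocol}` };
  }
  // The "lock" is a property of this navigation's scheme alone; nothing a
  // subresource or an earlier redirect did may influence it.
  const secure = url.protocol === 'https:';
  const hasUserinfo = url.username !== '' || url.password !== '';

  // Origin-first rendering: the host is shown first and in full, only the
  // path is truncated, and userinfo is never displayed (it is reported so the
  // UI can warn that the URL carries credentials or look-alike text).
  const host = url.port ? `${url.hostname}:${url.port}` : url.hostname;
  let rest = url.pathname + url.search;
  const room = HOST_DISPLAY_LIMIT - host.length;
  if (rest.length > room) rest = rest.slice(0, Math.max(room - 1, 0)) + '…';
  return { valid: true, secure, host, hasUserinfo, display: host + rest };
}

// Constructed sample URLs modelled on the "user:pass@host" and NUL-byte
// entries above; bank.example and evil.example are documentation names.
const URL_SAMPLES = {
  plain: 'https://bank.example/accounts',
  userinfo: 'https://bank.example:' + 'secure-login'.repeat(25) + '@evil.example/login',
  nul: 'https://bank.example\u0000@evil.example/',
  longPath: 'https://bank.example/' + 'a'.repeat(200),
};

for (const [label, sample] of Object.entries(URL_SAMPLES)) {
  console.log(label, describeUrl(sample));
}
```

Because the host comes from the parser's `hostname` rather than from the position of the first dot or slash in the raw string, the 300-character userinfo in the second sample contributes nothing to what is displayed; the URL renders as `evil.example/login` with `hasUserinfo` set, which is the signal a UI should turn into a warning.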