The software uses a function, library, or third party component
that has been explicitly prohibited, whether by the developer or
the customer.
Modes of Introduction:
– Architecture and Design
Other: Reduce Maintainability
The program performs CPU computations using
algorithms that are not as efficient as they could be for the
needs of the developer, i.e., the computations can be
optimized further.
Modes of Introduction:
– Architecture and Design
Availability: DoS: Resource Consumption (CPU)
Other: Reduce Performance
The ASP.NET application does not use, or incorrectly uses, the model validation framework.
Modes of Introduction:
– Architecture and Design
Integrity: Unexpected State
Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.
The application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.
Many modern coding languages provide developers with input validation frameworks to make the task of input validation easier and less error-prone. These frameworks will automatically check all input against specified criteria and direct execution to error handlers when invalid input is received. The improper use (i.e., an incorrect implementation or missing altogether) of these frameworks is not directly exploitable, but can lead to an exploitable condition if proper input validation is not performed later in the application. Not using provided input validation frameworks can also hurt the maintainability of code as future developers may not recognize the downstream input validation being used in the place of the validation framework.
Modes of Introduction:
– Architecture and Design
Integrity: Unexpected State
Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.
Phase: Implementation
Description:
Properly use provided input validation frameworks.
The software does not neutralize or incorrectly neutralizes output that is written to logs.
Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Medium
Integrity, Confidentiality, Availability, Non-Repudiation: Modify Application Data, Hide Activities, Execute Unauthorized Code or Commands
Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks, possibly by skewing statistics, or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility.
Phase: Implementation
Description:
Phase: Implementation
Description:
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Phase: Implementation
Description:
Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
The program contains code that is not essential for execution,
i.e. makes no state changes and has no side effects that alter
data or control flow, such that removal of the code would have no impact
to functionality or correctness.
Modes of Introduction:
Other: Reduce Reliability
Other: Reduce Performance
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Integrity: Modify Application Data
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
Integrity, Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
Confidentiality: Bypass Protection Mechanism
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
Phase: Architecture and Design
Description:
Phase: Architecture and Design
Description:
Phase: Architecture and Design, Implementation
Description:
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
Phase: Architecture and Design
Description:
In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
Phase: Architecture and Design
Description:
Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Phase: Requirements
Description:
Fully specify which encodings are required by components that will be communicating with each other.
Phase: Implementation
Description:
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.
Modes of Introduction:
– Architecture and Design
Integrity: Unexpected State
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.
Process control vulnerabilities take two forms: 1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is. 2. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Modes of Introduction:
– Implementation
Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands
Phase: Architecture and Design
Description:
Libraries that are loaded should be well understood and come from a trusted source. The application can execute code contained in the native libraries, which often contain calls that are susceptible to other security problems, such as buffer overflows or command injection. All native libraries should be validated to determine if the application requires the use of the library. It is very difficult to determine what these native libraries actually do, and the potential for malicious code is high. In addition, the potential for an inadvertent mistake in these native libraries is also high, as many are written in C or C++ and may be susceptible to buffer overflow or race condition problems. To help prevent buffer overflow attacks, validate all input to native calls for content and length. If the native library does not come from a trusted source, review the source code of the library. The library should be built from the reviewed source before using it.
The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Modes of Introduction:
– Implementation
Integrity, Access Control: Modify Application Data, Gain Privileges or Assume Identity
CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the response the application intends to send, as well as allowing them to create additional responses entirely under their control.
Phase: Implementation
Description:
Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Phase: Implementation
Description:
Phase: Implementation
Description:
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Phase: Implementation
Description:
Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.