CWE

CWE-821 – Incorrect Synchronization

Read Time:29 Second

Description

The software utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.

If access to a shared resource is not correctly synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-662
CWE-662
CWE-662

 

Consequences

Integrity, Confidentiality, Other: Modify Application Data, Read Application Data, Alter Execution Logic

 

Potential Mitigations

CVE References

 

CWE

CWE-820 – Missing Synchronization

Read Time:29 Second

Description

The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-662
CWE-662
CWE-662

 

Consequences

Integrity, Confidentiality, Other: Modify Application Data, Read Application Data, Alter Execution Logic

 

Potential Mitigations

CVE References

 

CWE

CWE-82 – Improper Neutralization of Script in Attributes of IMG Tags in a Web Page

Read Time:1 Minute, 24 Second

Description

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim’s browser. Note that when the page is loaded into a user’s browsers, the exploit will automatically execute.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-83

 

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

 

  • CVE-2006-3211
    • Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.
CWE

CWE-81 – Improper Neutralization of Script in an Error Message Web Page

Read Time:1 Minute, 48 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-79
CWE-209
CWE-390

 

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Do not write user-controlled input to error pages.

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

 

CWE

CWE-807 – Reliance on Untrusted Inputs in a Security Decision

Read Time:1 Minute, 48 Second

Description

The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-693

 

Consequences

Confidentiality, Access Control, Availability, Other: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Varies by Context

Attackers can bypass the security decision to access whatever is being protected. The consequences will depend on the associated functionality, but they can range from granting additional privileges to untrusted users to bypassing important security checks. Ultimately, this weakness may lead to exposure or modification of sensitive data, system crash, or execution of arbitrary code.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Operation, Implementation

Effectiveness:

Description: 

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

CVE References

 

  • CVE-2009-1549
    • Attacker can bypass authentication by setting a cookie to a specific value.
  • CVE-2009-1619
    • Attacker can bypass authentication and gain admin privileges by setting an “admin” cookie to 1.
  • CVE-2009-0864
    • Content management system allows admin privileges by setting a “login” cookie to “OK.”
  • CVE-2008-5784
    • e-dating application allows admin privileges by setting the admin cookie to 1.
  • CVE-2008-6291
    • Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to “admin.”
CWE

CWE-806 – Buffer Access Using Size of Source Buffer

Read Time:2 Minute, 55 Second

Description

The software uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.

When the size of the destination is smaller than the size of the source, a buffer overflow could occur.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-805

 

Consequences

Availability: Modify Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)

Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.

Integrity, Confidentiality, Availability: Read Memory, Modify Memory, Execute Unauthorized Code or Commands

Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy.

Access Control: Bypass Protection Mechanism

When the consequence is arbitrary code execution, this can often be used to subvert any other security service.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Use an abstraction library to abstract away risky APIs. Examples include the Safe C String Library (SafeStr) by Viega, and the Strsafe.h library from Microsoft. This is not a complete solution, since many buffer overflows are not related to strings.

Phase: Build and Compilation

Effectiveness:

Description: 

Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. This is not necessarily a complete solution, since these canary-based mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application.

Phase: Implementation

Effectiveness:

Description: 

Programmers should adhere to the following rules when allocating and managing their applications memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if calling this function in a loop and make sure there is no danger of writing past the allocated space. Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions

Phase: Operation

Effectiveness: Defense in Depth

Description: 

This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Operation

Effectiveness: Defense in Depth

Description: 

Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].

This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Build and Compilation, Operation

Effectiveness:

Description: 

Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution.

CVE References

 

CWE

CWE-805 – Buffer Access with Incorrect Length Value

Read Time:3 Minute, 18 Second

Description

The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

When the length value exceeds the size of the destination, a buffer overflow could occur.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

 

Related Weaknesses

CWE-119
CWE-119
CWE-119

 

Consequences

Integrity, Confidentiality, Availability: Read Memory, Modify Memory, Execute Unauthorized Code or Commands

Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. This can often be used to subvert any other security service.

Availability: Modify Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)

Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.

 

Potential Mitigations

Phase: Requirements

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

This is not a complete solution, since many buffer overflows are not related to strings.

Phase: Build and Compilation

Effectiveness: Defense in Depth

Description: 

This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Implementation

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Operation

Effectiveness: Defense in Depth

Description: 

This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Operation

Effectiveness: Defense in Depth

Description: 

Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].

This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Architecture and Design, Operation

Effectiveness: Limited

Description: 

The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

CVE References

 

  • CVE-2011-1959
    • Chain: large length value causes buffer over-read (CWE-126)
  • CVE-2011-1848
    • Use of packet length field to make a calculation, then copy into a fixed-size buffer
  • CVE-2011-0105
    • Chain: retrieval of length value from an uninitialized memory location
  • CVE-2011-0606
    • Crafted length value in document reader leads to buffer overflow
  • CVE-2011-0651
    • SSL server overflow when the sum of multiple length fields exceeds a given value
  • CVE-2010-4156
    • Language interpreter API function doesn’t validate length argument, leading to information exposure
CWE

CWE-804 – Guessable CAPTCHA

Read Time:27 Second

Description

The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-863
CWE-287
CWE-330

 

Consequences

Access Control, Other: Bypass Protection Mechanism, Other

When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA.

 

Potential Mitigations

CVE References

 

CWE

CWE-80 – Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Read Time:2 Minute, 5 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as ““, and “&” that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

This may allow such characters to be treated as control characters, which are executed client-side in the context of the user’s session. Although this can be classified as an injection problem, the more pertinent issue is the improper conversion of such special characters to respective context-appropriate entities before displaying them to the user.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

 

Related Weaknesses

CWE-79

 

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

 

  • CVE-2002-1495
    • XSS in web-based email product via attachment filenames.
CWE

CWE-8 – J2EE Misconfiguration: Entity Bean Declared Remote

Read Time:37 Second

Description

When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean’s data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application’s expectations, potentially leading to other vulnerabilities.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-668

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Declare Java beans “local” when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.

CVE References

 

News, Advisories and much more

Exit mobile version