Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > Community >  


The CWE/CAPEC t-shirt that many of you may have seen at conferences over the past year or so highlights the relationships between software weaknesses and their potential attacks, in the form of a code listing:

(Bad Code)
1 printf("<title>Blissfully Ignorant, Inc.</title>");
2 ftype = Get_Query_Param("MessageType");
3 strcpy(fname, "/home/cwe/");
4 strcat(fname, ftype);
5 strcat(fname, ".dat");
6 handle = fopen(fname, "r");
7 while(fgets(line, 512, handle)) {
if (strncmp(line,"<script>",8)) {
printf(line); } }
10 return(200);

This code represents an application that reads an untrusted file that was previously uploaded into a restricted directory. It selects the file depending on the value of the MessageType parameter, then displays the file as a web page.

It was developed with the following principles:

  • Use a very short code listing.
  • Make the code easy to follow by programmers familiar with the language.
  • The code should contain as many potential weaknesses as possible.
  • The code should demonstrate some functionality that is likely to appear in real-world software.

This code is called a Bug Barrel: there are so many bugs, finding them is as easy as shooting fish in a barrel (or, alternately, it's more fun to exploit than a barrel of monkeys).

On the front side, we used CWE IDs to list each weakness in the Bug Barrel. When a chain of weaknesses introduced a vulnerability, we would use a "->" (arrow) to indicate the relationships between the chain links.

CWE-24: Relative Path Traversal (2 -> 4 -> 6)
CWE-120: Classic buffer Overflow (2 -> 4 -> 10)
CWE-20: Improper Input Validation (2 & 8)
CWE-73: External Control of File Name or Path (2 -> 4 -> 6)
CWE-116: Improper Encoding or Escaping of Output (7 -> 9)
CWE-79: Failure to Preserve Web Page Structure (XSS) (7 --> 9)
CWE-404: Improper Resource Shutdown or Release (6 -> 10)
CWE-134: Uncontrolled Format String (7 -> 9)
CWE-252: Unchecked Return Value (2 > 4 -> 6)
CWE-476: NULL Pointer Dereference (6 -> 7)

On the back side, we used CAPEC IDs to list each attack that could be attempted against the Bug Barrel.

CAPEC-100: Overflow buffers
CAPEC-73: User-Controlled Filename
CAPEC-79: Using Slashes in Alternate Encoding
CAPEC-52: Embedding NULL Bytes
CAPEC-76: Manipulating Input to File System Calls
CAPEC-131: Resource Depletion Through Leak
CAPEC-63: Simple Script Injection (aka XSS)
CAPEC-18: Embedding Scripts in Nonscript Elements
CAPEC-104: Cross Zone Scripting

... and many, many more!

The yin/yang logo symbolizes the inter-relationships between attacks and weaknesses: each is dependent on the other.

2009 T-Shirt Front:

T-Shirt Front

2009 T-Shirt Back:

T-Shirt Back

More information is available — Please select a different filter.
Page Last Updated: January 04, 2017