CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > Community >  
ID

The CWE/CAPEC T-Shirt
The CWE/CAPEC T-Shirt

The CWE/CAPEC t-shirt that many of you may have seen at conferences over the past year or so highlights the relationships between software weaknesses and their potential attacks, in the form of a code listing:

(Bad Code)
  
1 printf("<title>Blissfully Ignorant, Inc.</title>");
2 ftype = Get_Query_Param("MessageType");
3 strcpy(fname, "/home/cwe/");
4 strcat(fname, ftype);
5 strcat(fname, ".dat");
6 handle = fopen(fname, "r");
7 while(fgets(line, 512, handle)) {
8
if (strncmp(line,"<script>",8)) {
9
printf(line); } }
10 return(200);

This code represents an application that reads an untrusted file that was previously uploaded into a restricted directory. It selects the file depending on the value of the MessageType parameter, then displays the file as a web page.

It was developed with the following principles:

  • Use a very short code listing.
  • Make the code easy to follow by programmers familiar with the language.
  • The code should contain as many potential weaknesses as possible.
  • The code should demonstrate some functionality that is likely to appear in real-world software.

This code is called a Bug Barrel: there are so many bugs, finding them is as easy as shooting fish in a barrel (or, alternately, it's more fun to exploit than a barrel of monkeys).

On the front side, we used CWE IDs to list each weakness in the Bug Barrel. When a chain of weaknesses introduced a vulnerability, we would use a "->" (arrow) to indicate the relationships between the chain links.

CWE-24: Relative Path Traversal (2 -> 4 -> 6)
CWE-120: Classic buffer Overflow (2 -> 4 -> 10)
CWE-20: Improper Input Validation (2 & 8)
CWE-73: External Control of File Name or Path (2 -> 4 -> 6)
CWE-116: Improper Encoding or Escaping of Output (7 -> 9)
CWE-79: Failure to Preserve Web Page Structure (XSS) (7 --> 9)
CWE-404: Improper Resource Shutdown or Release (6 -> 10)
CWE-134: Uncontrolled Format String (7 -> 9)
CWE-252: Unchecked Return Value (2 > 4 -> 6)
CWE-476: NULL Pointer Dereference (6 -> 7)

On the back side, we used CAPEC IDs to list each attack that could be attempted against the Bug Barrel.

CAPEC-100: Overflow buffers
CAPEC-73: User-Controlled Filename
CAPEC-79: Using Slashes in Alternate Encoding
CAPEC-52: Embedding NULL Bytes
CAPEC-76: Manipulating Input to File System Calls
CAPEC-131: Resource Depletion Through Leak
CAPEC-63: Simple Script Injection (aka XSS)
CAPEC-18: Embedding Scripts in Nonscript Elements
CAPEC-104: Cross Zone Scripting

... and many, many more!

The yin/yang logo symbolizes the inter-relationships between attacks and weaknesses: each is dependent on the other.

2009 T-Shirt Front:

T-Shirt Front

2009 T-Shirt Back:

T-Shirt Back

Page Last Updated: September 23, 2019
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.