CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-223: Omission of Security-relevant Information

Weakness ID: 223
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Non-Repudiation

Technical Impact: Hide activities

The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice.

+ Demonstrative Examples

Example 1

This code logs suspicious multiple login attempts.

(Bad Code)
Example Language: PHP 
function login($userName,$password){
if(authenticate($userName,$password)){
return True;
}
else{
incrementLoginAttempts($userName);
if(recentLoginAttempts($userName) > 5){
writeLog("Failed login attempt by User: " . $userName . " at " + date('r') );
}
}
}

This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, he or she can stop his attack from being discovered by avoiding the limit.

+ Observed Examples
ReferenceDescription
Login attempts not recorded if user disconnects before maximum number of tries.
Sender's IP address not recorded in outgoing e-mail.
Failed authentication attempt not recorded if later attempt succeeds.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class221Information Loss or Omission
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory997SFP Secondary Cluster: Information Loss
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness BaseWeakness Base778Insufficient Logging
Development Concepts (primary)699
Research Concepts (primary)1000
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVEROmission of Security-relevant Information
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 2, "Accountability", Page 40.. 1st Edition. Addison Wesley. 2006.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2009-07-27CWE Content TeamMITREInternal
updated Relationships
2011-03-29CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Common_Consequences, References, Relationships
2014-07-30CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017