|
|
|
|
CWE-227 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Draft 227 (Weakness Class) | | Description | Summary The software uses an API in a manner contrary to its intended use. Extended Description
An API is a contract between a caller and a callee. The most common forms of API misuse are
caused by the caller failing to honor its end of this contract. For example, if a program fails
to call chdir() after calling chroot(), it violates the contract that specifies how to change
the active root directory in a secure fashion. Another good example of library abuse is
expecting the callee to return trustworthy DNS information to the caller. In this case, the
caller misuses the callee API by making certain assumptions about its behavior (that the return
value can be used for authentication purposes). One can also violate the caller-callee contract
from the other side. For example, if a coder subclasses SecureRandom and returns a non-random
value, the contract is violated.
| | Alternate Terms | API Abuse | | Potential Mitigations | Always utilize APIs in the specified manner. | | Observed Examples | | Reference | Description |
|---|
| CVE-2006-7140 | crypto implementation removes padding when they shouldn't, allowing forged
signatures | | CVE-2006-4339 | crypto implementation removes padding when they shouldn't, allowing forged
signatures |
| | Relationships | | | Source Taxonomies | 7 Pernicious Kingdoms - API Abuse | | Related Attack Patterns | | CAPEC-ID | Attack Pattern Name |
|---|
| 96 | Block Access to Libraries |
|
|
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated
