CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-275: Permission Issues

 
Permission Issues
Category ID: 275 (Category)Status: Draft
+ Description

Description Summary

Weaknesses in this category are related to improper assignment or handling of permissions.
+ Detection Methods

Automated Static Analysis - Binary / Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Inter-application Flow Analysis

Effectiveness: SOAR Partial

Manual Static Analysis - Binary / Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Effectiveness: SOAR Partial

Dynamic Analysis with automated results interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Host-based Vulnerability Scanners – Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria

  • Web Application Scanner

  • Web Services Scanner

  • Database Scanners

Effectiveness: SOAR Partial

Dynamic Analysis with manual results interpretation

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Host Application Interface Scanner

Cost effective for partial coverage:

  • Fuzz Tester

  • Framework-based Fuzzer

  • Automated Monitored Execution

  • Forced Path Execution

Effectiveness: SOAR High

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Manual Source Code Review (not inspections)

Cost effective for partial coverage:

  • Focused Manual Spotcheck - Focused manual analysis of source

Effectiveness: SOAR High

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Context-configured Source Code Weakness Analyzer

Effectiveness: SOAR Partial

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Configuration Checker

Effectiveness: SOAR Partial

Architecture / Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Formal Methods / Correct-By-Construction

Cost effective for partial coverage:

  • Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Effectiveness: SOAR High

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory264Permissions, Privileges, and Access Controls
Development Concepts (primary)699
ChildOfCategoryCategory632Weaknesses that Affect Files or Directories
Resource-specific Weaknesses (primary)631
ChildOfCategoryCategory723OWASP Top Ten 2004 Category A2 - Broken Access Control
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory731OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Weaknesses in OWASP Top Ten (2004)711
RequiredByCompound Element: CompositeCompound Element: Composite61UNIX Symbolic Link (Symlink) Following
Research Concepts1000
RequiredByCompound Element: CompositeCompound Element: Composite426Untrusted Search Path
Research Concepts1000
ParentOfWeakness VariantWeakness Variant276Incorrect Default Permissions
Development Concepts (primary)699
ParentOfWeakness VariantWeakness Variant277Insecure Inherited Permissions
Development Concepts (primary)699
ParentOfWeakness VariantWeakness Variant278Insecure Preserved Inherited Permissions
Development Concepts (primary)699
ParentOfWeakness VariantWeakness Variant279Incorrect Execution-Assigned Permissions
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base280Improper Handling of Insufficient Permissions or Privileges
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base281Improper Preservation of Permissions
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base618Exposed Unsafe ActiveX Method
Development Concepts (primary)699
ParentOfCompound Element: CompositeCompound Element: Composite689Permission Race Condition During Resource Copy
Development Concepts (primary)699
ParentOfWeakness ClassWeakness Class732Incorrect Permission Assignment for Critical Resource
Development Concepts (primary)699
+ Affected Resources
  • File/Directory
+ Functional Areas
  • File processing, non-specific.
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERPermission errors
OWASP Top Ten 2004A2CWE More SpecificBroken Access Control
OWASP Top Ten 2004A10CWE More SpecificInsecure Configuration Management
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 17: Failure to Protect Stored Data." Page 253. McGraw-Hill. 2010.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2009-01-12CWE Content TeamMITREInternal
updated Relationships
2012-05-11CWE Content TeamMITREInternal
updated References
2014-07-30CWE Content TeamMITREInternal
updated Detection_Factors
Page Last Updated: July 30, 2014