CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-356: Product UI does not Warn User of Unsafe Actions

Weakness ID: 356
Abstraction: Base
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

Extended Description

Software systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the user downloads a file from an unknown source and attempts to execute the file on their machine, then the application's GUI can indicate that the file is unsafe.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Non-Repudiation

Technical Impact: Hide activities

+ Observed Examples
ReferenceDescription
Product does not warn user when document contains certain dangerous functions or macros.
Product does not warn user when document contains certain dangerous functions or macros.
Product does not warn user when document contains certain dangerous functions or macros.
Product does not warn user about a certificate if it has already been accepted for a different site. Possibly resultant.
File extractor does not warn user it setuid/setgid files could be extracted. Overlaps privileges/permissions.
E-mail client allows bypass of warning for dangerous attachments via a Windows .LNK file that refers to the attachment.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class221Information Loss or Omission
Research Concepts (primary)1000
ChildOfCategoryCategory355User Interface Security Issues
Development Concepts (primary)699
ChildOfCategoryCategory996SFP Secondary Cluster: Security
Software Fault Pattern (SFP) Clusters (primary)888
+ Relationship Notes

Often resultant, e.g. in unhandled error conditions.

Can overlap privilege errors, conceptually at least.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERProduct UI does not warn user of unsafe actions
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Relationship_Notes, Taxonomy_Mappings
2008-10-14CWE Content TeamMITREInternal
updated Description
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2014-07-30CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017