CWE-456: Missing Initialization of a Variable

Description Summary

The software does not initialize critical variables, which causes the execution environment to use unexpected values.
Example 1

Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.

(Bad Code) Example Language: Java

    private User user;

    public void someMethod() {
        // Do something interesting.
        ...
        // Throws NPE if user hasn't been properly initialized.
        String username = user.getName();
    }
Example 2

This code first authenticates a user, then allows a delete command if the user is an administrator.

(Bad Code) Example Language: PHP

    if (authenticate($username, $password) && setAdmin($username)) {
        $isAdmin = true;
    }
    /.../
    if ($isAdmin) {
        deleteUser($userToDelete);
    }

The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.

Example 3

In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser, which retrieves the User from the User database. The user is then authenticated through the method authenticateUser.
(Bad Code) Example Language: Java

    public class BankManager {
        // user allowed to perform bank manager tasks
        private User user = null;
        private boolean isUserAuthentic = false;

        // constructor for BankManager class
        public BankManager() {
            ...
        }

        // retrieve user from database of users
        public User getUserFromUserDatabase(String username) {
            ...
        }

        // set user variable using username
        public void setUser(String username) {
            this.user = getUserFromUserDatabase(username);
        }

        // authenticate user
        public boolean authenticateUser(String username, String password) {
            if (username.equals(user.getUsername()) &&
                password.equals(user.getPassword())) {
                isUserAuthentic = true;
            }
            return isUserAuthentic;
        }

        // methods for performing bank manager tasks
        ...
    }

However, if the method setUser is not called before authenticateUser, the user variable will not have been initialized and the call user.getUsername() will throw a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.
(Good Code) Example Language: Java

    public class BankManager {
        // user allowed to perform bank manager tasks
        private User user = null;
        private boolean isUserAuthentic = false;

        // constructor for BankManager class
        public BankManager(String username) {
            user = getUserFromUserDatabase(username);
        }

        // retrieve user from database of users
        public User getUserFromUserDatabase(String username) {
            ...
        }

        // authenticate user
        public boolean authenticateUser(String username, String password) {
            if (user == null) {
                System.out.println("Cannot find user " + username);
            }
            else {
                if (password.equals(user.getPassword())) {
                    isUserAuthentic = true;
                }
            }
            return isUserAuthentic;
        }

        // methods for performing bank manager tasks
        ...
    }
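The following is an added example, not code from the CWE entry, that carries the lessons of Example 2 (a privilege flag left uninitialized) and Example 3 (an object reference left null) into one runnable Java class. The class name SafeBankManager, the nested User type, the in-memory USER_DB map, the sample accounts and the method names are all assumptions made for this example. Two choices do the work: every security-relevant field gets an explicit deny-by-default value, and the constructor fails fast instead of producing a half-initialized object, so no later method can reach a null reference or an unset flag.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Added example, not code from the CWE entry: a bank-manager class that avoids
// CWE-456 by (1) giving every security-relevant field an explicit safe default
// and (2) refusing to construct an object whose user reference could not be set.
public class SafeBankManager {

    // Hypothetical stand-in for the page's User class (constructed for this example).
    static final class User {
        private final String username;
        private final String password; // plaintext only for illustration; store a hash in real code
        private final boolean admin;

        User(String username, String password, boolean admin) {
            this.username = username;
            this.password = password;
            this.admin = admin;
        }

        String getUsername() { return username; }
        String getPassword() { return password; }
        boolean isAdmin() { return admin; }
    }

    // Constructed in-memory table standing in for getUserFromUserDatabase().
    private static final Map<String, User> USER_DB = new HashMap<>();
    static {
        USER_DB.put("alice", new User("alice", "correct horse", true));
        USER_DB.put("bob", new User("bob", "hunter2", false));
    }

    private final User user;                 // final: cannot be left unset after construction
    private boolean isUserAuthentic = false; // explicit deny-by-default, never left implicit
    private boolean isAdmin = false;         // same for the privilege flag from Example 2

    // Fail fast: an unknown username is an error, not a half-initialized object.
    public SafeBankManager(String username) {
        User found = USER_DB.get(username);
        if (found == null) {
            throw new IllegalArgumentException("Cannot find user " + username);
        }
        this.user = found;
    }

    // The constructor guarantees user != null, so no null check is needed here.
    public boolean authenticateUser(String password) {
        if (Objects.equals(user.getPassword(), password)) {
            isUserAuthentic = true;
            isAdmin = user.isAdmin(); // privilege comes from the stored record, never from input
        }
        return isUserAuthentic;
    }

    // Both flags start false, so a caller that skipped authentication is refused.
    public boolean deleteUser(String target) {
        if (!isUserAuthentic || !isAdmin) {
            return false;
        }
        return USER_DB.remove(target) != null;
    }

    public static void main(String[] args) {
        SafeBankManager bob = new SafeBankManager("bob");
        System.out.println("unauthenticated delete allowed? " + bob.deleteUser("alice"));
        bob.authenticateUser("hunter2");
        System.out.println("non-admin delete allowed? " + bob.deleteUser("alice"));

        SafeBankManager alice = new SafeBankManager("alice");
        alice.authenticateUser("correct horse");
        System.out.println("admin delete allowed? " + alice.deleteUser("bob"));

        try {
            new SafeBankManager("mallory");
        } catch (IllegalArgumentException e) {
            System.out.println("construction refused: " + e.getMessage());
        }
    }
}
```

Compile and run with javac SafeBankManager.java && java SafeBankManager. The main method walks through a caller that never authenticated, a non-administrator who did, an administrator who did, and an unknown username; only the administrator reaches the delete path, and the unknown username is rejected at construction rather than surfacing later as a NullPointerException. Making the user field final is the compile-time version of the page's runtime null check: javac will refuse any constructor path that leaves it unassigned.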
Page Last Updated: February 20, 2013

CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.



