CWE
Home > CWE List > Reports > Chains and Composites   View the CWE List

Chains and Composites
Chains and Composites

Introduction
Introduction

This report lists several chains and composites, as represented by various relationships within CWE. They help to illustrate how weaknesses can be combined to create software vulnerabilities, and they help to expose existing problems with classification and terminology.

A Chain is a sequence of two or more separate weaknesses that can be closely linked together within software. One weakness, X, can directly create the conditions that are necessary to cause another weakness, Y, to enter a vulnerable condition. When this happens, CWE refers to X as "primary" to Y, and Y is "resultant" from X. For example, in the named chain CWE-691, an integer overflow (CWE-190) can lead to a buffer overflow (CWE-120) if an integer overflow occurs while calculating the amount of memory to allocate. In this case, the integer overflow would be primary to the buffer overflow. Chains can involve more than two weaknesses, and in some cases, they might have a tree-like structure.

In the schema for CWE Draft 9, the "CanPrecede" relationship is used to identify when the weakness is primary to others, and "CanFollow" is used to identify when a weakness is resultant from others.

While Draft 9 primarily contains "implicit" chaining relationships, there are several chains that are so common that they were assigned their own CWE identifiers. These are called Named Chains.

A Composite is a combination of two or more separate weaknesses that can create a vulnerability, but only if they all occur all the same time. One weakness, X, can be "broken down" into component weaknesses Y and Z. For example, Symlink Following (CWE-61) is only possible through a combination of several component weaknesses, including predictability (CWE-340), inadequate permissions (CWE-275), and race conditions (CWE-362). By eliminating any single component, a developer can prevent the composite from becoming exploitable. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability; for example, NUL byte interaction errors (CWE-626) can widen the scope of path traversal weaknesses (CWE-22), which often limit which files could be accessed due to idiosyncacies in filename generation.

In the schema for CWE Draft 9, the "Requires" relationship is used by a composite to identify its component weaknesses, and the "IsRequiredBy" relationship is used by the components of that composite.

Both chains and composites might explain some of the existing differences in security code scanners. For example, one scanner might report the primary part of a chain, and a different scanner might report the resultant part. Both scanners would be correct, but they would be reporting different CWE identifiers in different portions of the code. It is suspected that chains have a correspondence to some aspects of artifact labels as used in vulnerability theory (primarily in crossover and trigger points), but this has not been actively explored in Draft 9.

In general, both chains and composites pose challenges for vulnerability classification and terminology. Sometimes a researcher is only focusing on one weak in the chain, or one component of the composite. Attempts to create a hierarchical organization of "vulnerabilities" can be complicated, because vulnerabilities can contain multiple weaknesses. The CWE team is actively researching these concepts. Some early discussion is found in the CWE Research List archives.

Chains
Chains
CWE-46 Path Equivalence: 'filename ' (Trailing Space)
--> CWE-289 Authentication Bypass by Alternate Name
CWE-52 Path Equivalence: '/multiple/trailing/slash//'
--> CWE-289 Authentication Bypass by Alternate Name
CWE-93 Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
--> CWE-117 Incorrect Output Sanitization for Logs
CWE-113 Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
--> CWE-79 Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
--> CWE-494 Download of Untrusted Mobile Code Without Integrity Check
--> CWE-692 Incomplete Blacklist to Cross-Site Scripting
CWE-171 Cleansing, Canonicalization, and Comparison Errors
--> CWE-289 Authentication Bypass by Alternate Name
CWE-173 Failure to Handle Alternate Encoding
--> CWE-289 Authentication Bypass by Alternate Name
CWE-178 Failure to Resolve Case Sensitivity
--> CWE-433 Unparsed Raw Web Content Delivery
--> CWE-289 Authentication Bypass by Alternate Name
CWE-184 Incomplete Blacklist
--> CWE-79 Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
--> CWE-78 Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
--> CWE-434 Unrestricted File Upload (also a composite)
--> CWE-98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (also a composite)
CWE-190 Integer Overflow (Wrap or Wraparound)
--> CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a composite)
--> CWE-123 Write-what-where Condition
--> CWE-680 Integer Overflow to Buffer Overflow
--> CWE-122 Heap-based Buffer Overflow
CWE-193 Off-by-one Error
--> CWE-617 Reachable Assertion
--> CWE-170 Improper Null Termination
--> CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a composite)
CWE-195 Signed to Unsigned Conversion Error
--> CWE-122 Heap-based Buffer Overflow
CWE-252 Unchecked Return Value
--> CWE-476 NULL Pointer Dereference
--> CWE-690 Unchecked Return Value to NULL Pointer Dereference
CWE-390 Detection of Error Condition Without Action
--> CWE-401 Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
CWE-416 Use After Free
--> CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a composite)
--> CWE-123 Write-what-where Condition
CWE-456 Missing Initialization
--> CWE-89 Failure to Sanitize Data into SQL Queries (aka 'SQL Injection')
--> CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a composite)
CWE-473 PHP External Variable Modification
--> CWE-98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (also a composite)
CWE-600 Failure to Catch All Exceptions (Missing Catch Block)
--> CWE-209 Error Message Information Leaks
CWE-602 Design Principle Violation: Client-Side Enforcement of Server-Side Security
--> CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-656 Design Principle Violation: Reliance on Security through Obscurity
--> CWE-259 Hard-Coded Password
--> CWE-321 Use of Hard-coded Cryptographic Key
--> CWE-472 External Control of Assumed-Immutable Web Parameter
Named Chains
Named Chains
CWE-680Integer Overflow to Buffer Overflow
CWE-690Unchecked Return Value to NULL Pointer Dereference
CWE-692Incomplete Blacklist to Cross-Site Scripting
Composites
Composites
CWE-61 UNIX Symbolic Link (Symlink) Following
  • CWE-362 Race Condition
  • CWE-340 Predictability Problems
  • CWE-216 Containment Errors (Container Errors)
  • CWE-386 Symbolic Name not Mapping to Correct Object
  • CWE-275 Permission Issues
CWE-98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (also a chain link)
  • CWE-456 Missing Initialization (also a chain link)
  • CWE-473 PHP External Variable Modification (also a chain link)
  • CWE-425 Direct Request ('Forced Browsing')
  • CWE-216 Containment Errors (Container Errors)
CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a chain link)
  • CWE-227 Failure to Fulfill API Contract (aka 'API Abuse')
  • CWE-242 Use of Inherently Dangerous Function
CWE-291 Trusting Self-reported IP Address
  • CWE-348 Use of Less Trusted Source
  • CWE-471 Modification of Assumed-Immutable Data (MAID) (also a chain link)
CWE-352 Cross-Site Request Forgery (CSRF)
  • CWE-346 Origin Validation Error
  • CWE-441 Unintended Proxy/Intermediary
  • CWE-642 External Control of User State Data
  • CWE-613 Insufficient Session Expiration
CWE-384 Session Fixation
  • CWE-346 Origin Validation Error
  • CWE-472 External Control of Assumed-Immutable Web Parameter (also a chain link)
  • CWE-441 Unintended Proxy/Intermediary
CWE-426 Untrusted Search Path
  • CWE-216 Containment Errors (Container Errors)
  • CWE-275 Permission Issues
  • CWE-471 Modification of Assumed-Immutable Data (MAID) (also a chain link)
CWE-434 Unrestricted File Upload (also a chain link)
  • CWE-351 Insufficient Type Distinction
  • CWE-436 Interpretation Conflict
CWE-689 Permission Race Condition During Resource Copy
  • CWE-362 Race Condition
  • CWE-276 Insecure Default Permissions
  • CWE-668 Exposure of Resource to Wrong Sphere
Page Last Updated: April 11, 2008