Chains and Composites
Introduction
This report lists several chains and composites, as represented by
various relationships within CWE. They help to illustrate how
weaknesses can be combined to create software vulnerabilities, and
they help to expose existing problems with classification and
terminology.
A Chain is a sequence of two or more separate weaknesses that
can be closely linked together within software. One weakness, X, can
directly create the conditions that are necessary to cause another
weakness, Y, to enter a vulnerable condition. When this happens, CWE
refers to X as "primary" to Y, and Y is "resultant" from X. For
example, in the named chain CWE-691, an integer overflow (CWE-190) can
lead to a buffer overflow (CWE-120) if an integer overflow occurs
while calculating the amount of memory to allocate. In this case, the
integer overflow would be primary to the buffer overflow. Chains can
involve more than two weaknesses, and in some cases, they might have a
tree-like structure.
In the schema for CWE Draft 9, the "CanPrecede" relationship is used
to identify when the weakness is primary to others, and
"CanFollow" is used to identify when a weakness is resultant
from others.
While Draft 9 primarily contains "implicit" chaining relationships,
there are several chains that are so common that they were assigned
their own CWE identifiers. These are called Named Chains.
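The integer-overflow-to-buffer-overflow chain described above, as an added example that is not code from the CWE report: the unchecked size computation is the primary weakness (CWE-190), and the checked form removes it so the resultant buffer overflow (CWE-120) cannot be reached through this path. The function names and the 32-bit record type are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the CWE report: the CWE-680 named chain.
 * The allocation size is computed as count * elem_size.  When that
 * multiplication wraps (CWE-190, primary), the buffer is allocated too
 * small, and a copy that trusts `count` then writes past its end
 * (CWE-120, resultant).  Eliminating the primary weakness breaks the chain. */

/* Primary weakness in isolation: returns the wrapped size and touches no
 * memory, so the wrap can be observed without triggering the resultant. */
size_t compute_alloc_size_unchecked(size_t count, size_t elem_size) {
    return count * elem_size;   /* CWE-190: wraps for large count */
}

/* Hardened form: refuse the request when the product would wrap.
 * Returns 1 and stores the size in *out on success, 0 on overflow. */
int compute_alloc_size_checked(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return 0;   /* would wrap: reject rather than allocate too little */
    }
    *out = count * elem_size;
    return 1;
}

/* Allocate-and-copy that only proceeds when the size check passes, so the
 * resultant overflow is unreachable through this path.  Returns a heap copy
 * of `count` records (caller frees), or NULL if the size would wrap or
 * malloc fails. */
uint32_t *copy_records_checked(const uint32_t *src, size_t count) {
    size_t bytes;
    if (!compute_alloc_size_checked(count, sizeof(uint32_t), &bytes)) {
        return NULL;
    }
    uint32_t *dst = malloc(bytes);
    if (dst == NULL) return NULL;
    memcpy(dst, src, bytes);   /* bytes == count * sizeof(uint32_t) exactly */
    return dst;
}
```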
A Composite is a combination of two or more separate weaknesses
that can create a vulnerability, but only if they all occur at the
same time. One weakness, X, can be "broken down" into component
weaknesses Y and Z. For example, Symlink Following (CWE-61) is only
possible through a combination of several component weaknesses,
including predictability (CWE-340), inadequate permissions (CWE-275),
and race conditions (CWE-362). By eliminating any single component, a
developer can prevent the composite from becoming exploitable. There
can be cases in which one weakness is not essential to a composite
but changes the nature of the composite when it becomes a
vulnerability; for example, NUL byte interaction errors (CWE-626) can
widen the scope of path traversal weaknesses (CWE-22), which often
limit which files can be accessed due to idiosyncrasies in filename
generation.
In the schema for CWE Draft 9, the "Requires" relationship is used by
a composite to identify its component weaknesses, and the
"IsRequiredBy" relationship is used by the components of that
composite.
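The CWE-22 plus CWE-626 interaction described above, as an added example that is not code from the CWE report: a filename generator that appends a fixed extension, with a validator that rejects the NUL-byte component separately from the traversal components, so removing either component on its own changes what the composite can reach. The function names, the export directory and the ".txt" extension are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the CWE report: the CWE-22 / CWE-626 interaction.
 * A generator that appends a fixed extension narrows a traversal, because
 * "../../etc/passwd" becomes "../../etc/passwd.txt".  An embedded NUL byte
 * (CWE-626) removes that limit: the C library and the OS stop at the NUL,
 * so the appended extension is never seen.  Rejecting the NUL component
 * alone closes that widening; rejecting the traversal components closes
 * the rest of the composite. */

/* What a NUL-terminated path API would actually use from `len` bytes. */
size_t os_visible_len(const char *path, size_t len) {
    const char *nul = memchr(path, '\0', len);
    return nul ? (size_t)(nul - path) : len;
}

/* Writes "<base>/<name>.txt" into out and returns 1 if every component of
 * `name` is acceptable; returns 0 otherwise.  `name_len` is the length as
 * received from the caller, which is the only reliable length when the
 * bytes may contain a NUL. */
int build_export_path(const char *base, const char *name, size_t name_len,
                      char *out, size_t out_len) {
    if (name_len == 0) return 0;
    /* CWE-626 component: an embedded NUL would silently drop ".txt" */
    if (memchr(name, '\0', name_len) != NULL) return 0;
    /* CWE-22 components: separators and dot-only segments */
    if (memchr(name, '/', name_len) != NULL ||
        memchr(name, '\\', name_len) != NULL) return 0;
    if ((name_len == 1 && name[0] == '.') ||
        (name_len == 2 && name[0] == '.' && name[1] == '.')) return 0;
    int n = snprintf(out, out_len, "%s/%.*s.txt", base, (int)name_len, name);
    return n > 0 && (size_t)n < out_len;
}
```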
Both chains and composites might explain some of the existing
differences between the results of security code scanners. For
example, one scanner might report the primary part of a chain, and a
different scanner might report the resultant part. Both scanners would
be correct, but they would be reporting different CWE identifiers in
different portions of the code. It is suspected that chains correspond
to some aspects of artifact labels as used in vulnerability theory
(primarily in crossover and trigger points), but this has not been
actively explored in Draft 9.
In general, both chains and composites pose challenges for
vulnerability classification and terminology. Sometimes a researcher
is only focusing on one weakness in the chain, or one component of the
composite. Attempts to create a hierarchical organization of
"vulnerabilities" can be complicated, because vulnerabilities can
contain multiple weaknesses. The CWE team is actively researching
these concepts. Some early discussion is found in the CWE Research
List archives.
Chains
Each primary weakness is listed with the resultant weaknesses that can follow from it.

CWE-46 Path Equivalence: 'filename ' (Trailing Space)
- CWE-289 Authentication Bypass by Alternate Name

CWE-52 Path Equivalence: '/multiple/trailing/slash//'
- CWE-289 Authentication Bypass by Alternate Name

CWE-93 Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
- CWE-117 Incorrect Output Sanitization for Logs

CWE-113 Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
- CWE-79 Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
- CWE-494 Download of Untrusted Mobile Code Without Integrity Check
- CWE-692 Incomplete Blacklist to Cross-Site Scripting

CWE-171 Cleansing, Canonicalization, and Comparison Errors
- CWE-289 Authentication Bypass by Alternate Name

CWE-173 Failure to Handle Alternate Encoding
- CWE-289 Authentication Bypass by Alternate Name

CWE-178 Failure to Resolve Case Sensitivity
- CWE-433 Unparsed Raw Web Content Delivery
- CWE-289 Authentication Bypass by Alternate Name

CWE-184 Incomplete Blacklist
- CWE-79 Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
- CWE-78 Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
- CWE-434 Unrestricted File Upload (also a composite)
- CWE-98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (also a composite)

CWE-190 Integer Overflow (Wrap or Wraparound)
- CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a composite)
- CWE-123 Write-what-where Condition
- CWE-680 Integer Overflow to Buffer Overflow
- CWE-122 Heap-based Buffer Overflow

CWE-193 Off-by-one Error
- CWE-617 Reachable Assertion
- CWE-170 Improper Null Termination
- CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a composite)

CWE-195 Signed to Unsigned Conversion Error
- CWE-122 Heap-based Buffer Overflow

CWE-252 Unchecked Return Value
- CWE-476 NULL Pointer Dereference
- CWE-690 Unchecked Return Value to NULL Pointer Dereference

CWE-390 Detection of Error Condition Without Action
- CWE-401 Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')

CWE-416 Use After Free
- CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a composite)
- CWE-123 Write-what-where Condition

CWE-456 Missing Initialization
- CWE-89 Failure to Sanitize Data into SQL Queries (aka 'SQL Injection')
- CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a composite)

CWE-473 PHP External Variable Modification
- CWE-98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (also a composite)

CWE-600 Failure to Catch All Exceptions (Missing Catch Block)
- CWE-209 Error Message Information Leaks

CWE-602 Design Principle Violation: Client-Side Enforcement of Server-Side Security
- CWE-471 Modification of Assumed-Immutable Data (MAID)

CWE-656 Design Principle Violation: Reliance on Security through Obscurity
- CWE-259 Hard-Coded Password
- CWE-321 Use of Hard-coded Cryptographic Key
- CWE-472 External Control of Assumed-Immutable Web Parameter
Named Chains
- CWE-680 Integer Overflow to Buffer Overflow
- CWE-690 Unchecked Return Value to NULL Pointer Dereference
- CWE-692 Incomplete Blacklist to Cross-Site Scripting
Composites
Each composite is listed with the component weaknesses the report gives for it.

CWE-61 UNIX Symbolic Link (Symlink) Following
- CWE-362 Race Condition
- CWE-340 Predictability Problems
- CWE-216 Containment Errors (Container Errors)
- CWE-386 Symbolic Name not Mapping to Correct Object
- CWE-275 Permission Issues

CWE-98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (also a chain link)
- CWE-456 Missing Initialization (also a chain link)
- CWE-473 PHP External Variable Modification (also a chain link)
- CWE-425 Direct Request ('Forced Browsing')
- CWE-216 Containment Errors (Container Errors)

CWE-120 Unbounded Transfer ('Classic Buffer Overflow') (also a chain link)
- CWE-227 Failure to Fulfill API Contract (aka 'API Abuse')
- CWE-242 Use of Inherently Dangerous Function

CWE-291 Trusting Self-reported IP Address
- CWE-348 Use of Less Trusted Source
- CWE-471 Modification of Assumed-Immutable Data (MAID) (also a chain link)

CWE-352 Cross-Site Request Forgery (CSRF)
- CWE-346 Origin Validation Error
- CWE-441 Unintended Proxy/Intermediary
- CWE-642 External Control of User State Data
- CWE-613 Insufficient Session Expiration

CWE-384 Session Fixation
- CWE-346 Origin Validation Error
- CWE-472 External Control of Assumed-Immutable Web Parameter (also a chain link)
- CWE-441 Unintended Proxy/Intermediary

CWE-426 Untrusted Search Path
- CWE-216 Containment Errors (Container Errors)
- CWE-275 Permission Issues
- CWE-471 Modification of Assumed-Immutable Data (MAID) (also a chain link)

CWE-434 Unrestricted File Upload (also a chain link)

CWE-689 Permission Race Condition During Resource Copy