CWE
Home > CWE List > VIEW SLICE: CWE-709: Named Chains (1.6)  

CWE-709: Named Chains

 
Named Chains
Definition in a New Window Definition in a New Window
View ID: 709 (View: Graph)Status: Incomplete
+ View Data

View Objective

This view (graph) displays Named Chains and their components.

View Filter: .//@Compound_Element_Structure='Chain'

+ View Metrics
CWEs in this viewTotal CWEs
Total3out of791
Views0out of22
Categories0out of106
Weaknesses0out of651
Compound_Elements3out of12
more
View Components
View Components
A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z
 
Incomplete Blacklist to Cross-Site Scripting
Definition in a New Window Definition in a New Window
Compound Element ID: 692 (Compound Element Base: Chain)Status: Draft
+ Description

Description Summary

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.
+ Applicable Platforms

Languages

C

C++

All

+ Observed Examples
ReferenceDescription
CVE-2007-5727Blacklist only removes <SCRIPT> tag.
CVE-2006-3617Blacklist only removes <SCRIPT> tag.
CVE-2006-4308Blacklist only checks "javascript:" tag
+ Other Notes

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a blacklist cannot keep track of all the variations. The "XSS Cheat Sheet" (see references) contains a large number of attacks that are intended to bypass incomplete blacklists.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)Named Chain(s) this relationship pertains toChain(s)
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Research Concepts (primary)1000
StartsWithWeakness BaseWeakness Base184Incomplete Blacklist
Named Chains (primary)709
Incomplete Blacklist to Cross-Site Scripting692
+ Relevant Properties
  • Validity
+ References
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Relationships, Other Notes
2008-09-24CWE Content TeamMITREInternal
added Language Class "All"
2008-10-14CWE Content TeamMITREInternal
updated Applicable Platforms
2009-03-10CWE Content TeamMITREInternal
updated Related Attack Patterns
Back to top
 
Integer Overflow to Buffer Overflow
Definition in a New Window Definition in a New Window
Compound Element ID: 680 (Compound Element Base: Chain)Status: Draft
+ Description

Description Summary

The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
+ Applicable Platforms

Languages

All

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)Named Chain(s) this relationship pertains toChain(s)
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Research Concepts (primary)1000
StartsWithWeakness BaseWeakness Base190Integer Overflow or Wraparound
Named Chains (primary)709
Integer Overflow to Buffer Overflow680
+ Relevant Properties
  • Validity
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships
2009-03-10CWE Content TeamMITREInternal
updated Related Attack Patterns
Back to top
 
Unchecked Return Value to NULL Pointer Dereference
Definition in a New Window Definition in a New Window
Compound Element ID: 690 (Compound Element Base: Chain)Status: Draft
+ Description

Description Summary

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

Extended Description

While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.

+ Applicable Platforms

Languages

C

C++

+ Detection Factors
Black Box:

This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.

White Box:

Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.

+ Demonstrative Examples

Example 1

The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException).

(Bad Code)
Java
String username = getUserName();
if (username.equals(ADMIN_USER)) {
...
}
+ Observed Examples
ReferenceDescription
CVE-2008-1052Large Content-Length value leads to NULL pointer dereference when malloc fails.
CVE-2006-6227Large message length field leads to NULL pointer dereference when malloc fails.
CVE-2006-2555Parsing routine encounters NULL dereference when input is missing a colon separator.
CVE-2003-1054URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference.
+ Other Notes

A typical occurrence of this weakness occurs when an application includes user-controlled input to a malloc() call. The related code might be correct with respect to preventing buffer overflows, but if a large value is provided, the malloc() will fail due to insufficient memory. This problem also frequently occurs when a parsing routine expects that certain elements will always be present. If malformed input is provided, the parser might return NULL. For example, strtok() can return NULL.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)Named Chain(s) this relationship pertains toChain(s)
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Research Concepts (primary)1000
StartsWithWeakness BaseWeakness Base252Unchecked Return Value
Named Chains (primary)709
Unchecked Return Value to NULL Pointer Dereference690
+ Relevant Properties
  • Validity
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Description, Detection Factors, Relationships, Other Notes
Back to top
Page Last Updated: October 29, 2009
 

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us