Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
Definition in a New Window
View ID: 750 (View: Graph)
Status: Incomplete
View Data
View Objective
CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25
Programming Errors.
View Metrics
CWEs in this view
Total CWEs
Total
28
out of
791
Views
0
out of
22
Categories
3
out of
106
Weaknesses
23
out of
651
Compound_Elements
2
out of
12
View Audience
Stakeholder
Description
Developers
By following the Top 25, developers will be able to significantly
reduce the number of weaknesses that occur in their software.
Software Customers
If a software developer claims to be following the Top 25, then
customers can search for the weaknesses in this view in order to
formulate independent evidence of that claim.
Educators
Educators can use this view in multiple ways. For example, if there is
a focus on teaching weaknesses, the educator could focus on the Top
25.
The software transmits sensitive or security-critical data in
cleartext in a communication channel that can be sniffed by unauthorized
actors.
Extended Description
Many communication channels can be "sniffed" by attackers during data
transmission. For example, network traffic can often be sniffed by any
attacker who has access to a network interface. This significantly lowers
the difficulty of exploitation by attackers.
Time of Introduction
Architecture and Design
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Confidentiality
Anyone can read the contents of the message if they have access to any
channel being used for communication.
Product sends file with cleartext passwords in
e-mail message intended for diagnostic purposes.
Potential Mitigations
Phase
Description
Architecture and Design
Encrypt the data with a reliable encryption scheme before
transmitting.
Implementation
When using web applications with SSL, use SSL for the entire session
from login to logout, not just for the initial login page.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
Testing
Use monitoring tools that examine the software's process as it
interacts with the operating system and the network. This technique is
useful in cases when source code is unavailable, if the software was not
developed by you, or if you want to verify that the build phase did not
introduce any new weaknesses. Examples include debuggers that directly
attach to the running process; system-call tracing utilities such as
truss (Solaris) and strace (Linux); system activity monitors such as
FileMon, RegMon, Process Monitor, and other Sysinternals utilities
(Windows); and sniffers and protocol analyzers that monitor network
traffic.
Attach the monitor to the process, trigger the feature that sends the
data, and look for the presence or absence of common cryptographic
functions in the call tree. Monitor the network and determine if the
data packets contain readable commands. Tools exist for detecting if
certain encodings are in use. If the traffic contains high entropy, this
might indicate the usage of encryption.
Operation
Configure servers to use encrypted channels for communication, which
may include SSL or other secure protocols.
The software is composed of a server that relies on the client
to implement a mechanism that is intended to protect the
server.
Extended Description
When the server relies on protection mechanisms placed on the client side,
an attacker can modify the client-side behavior to bypass the protection
mechanisms resulting in potentially unexpected interactions between the
client and server. The consequences will vary, depending on what the
mechanisms are trying to protect.
Time of Introduction
Architecture and Design
Applicable Platforms
Languages
All
Architectural Paradigms
Client-Server: (Sometimes)
Common Consequences
Scope
Effect
Integrity
Client-side validation checks can be easily bypassed, allowing
malformed or unexpected input to pass into the application, potentially
as trusted data. This may lead to unexpected states, behaviors and
possibly a resulting crash.
Access Control
Client-side checks for authentication can be easily bypassed, allowing
clients to escalate their access levels and perform unintended
actions.
Likelihood of Exploit
Medium
Enabling Factors for Exploitation
Consider a product that consists of two or more processes or nodes that
must interact closely, such as a client/server model. If the product uses
protection schemes in the client in order to defend from attacks against the
server, and the server does not use the same schemes, then an attacker could
modify the client in a way that bypasses those schemes. This is a
fundamental design flaw that is primary to many weaknesses.
Demonstrative Examples
Example 1
This example contains client-side code that checks if the user
authenticated successfully before sending a command. The server-side code
performs the authentication in one step, and executes the command in a
separate step.
CLIENT-SIDE (client.pl)
(Good Code)
Perl
$server = "server.example.com";
$username = AskForUserName();
$password = AskForPassword();
$address = AskForAddress();
$sock = OpenSocket($server, 1234);
writeSocket($sock, "AUTH $username $password\n");
$resp = readSocket($sock);
if ($resp eq "success") {
# username/pass is valid, go ahead and update the info!
writeSocket($sock, "FAILURE -- address is
malformed\n");
}
}
The server accepts 2 commands, "AUTH" which authenticates the user,
and "CHANGE-ADDRESS" which updates the address field for the username.
The client performs the authentication and only sends a CHANGE-ADDRESS
for that user if the authentication succeeds. Because the client has
already performed the authentication, the server assumes that the
username in the CHANGE-ADDRESS is the same as the authenticated user. An
attacker could modify the client by removing the code that sends the
"AUTH" command and simply executing the CHANGE-ADDRESS.
client allows server to modify client's
configuration and overwrite arbitrary files.
Potential Mitigations
Phase
Description
Architecture and Design
For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side. Attackers can
bypass the client-side checks by modifying values after the checks have
been performed, or by changing the client to remove the client-side
checks entirely. Then, these modified values would be submitted to the
server.
Even though client-side checks provide minimal benefits with respect
to server-side security, they are still useful. First, they can support
intrusion detection. If the server receives input that should have been
rejected by the client, then it may be an indication of an attack.
Second, client-side error-checking can provide helpful feedback to the
user about the expectations for valid input. Third, there may be a
reduction in server-side processing time for accidental input errors,
although this is typically a small savings.
Architecture and Design
If some degree of trust is required between the two entities, then use
integrity checking and strong authentication to ensure that the inputs
are coming from a trusted source. Design the product so that this trust
is managed in a centralized fashion, especially if there are complex or
numerous communication channels, in order to reduce the risks that the
implementer will mistakenly omit a check in a single code path.
Testing
Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
Weakness Ordinalities
Ordinality
Description
Primary
(where the
weakness exists independent of other weaknesses)
Server-side enforcement of client-side security is conceptually likely to
occur, but some architectures might have these strong dependencies as part
of legitimate behavior, such as thin clients.
updated Relationships, Other Notes, Taxonomy Mappings,
Weakness Ordinalities
2009-01-12
CWE Content Team
MITRE
Internal
updated Demonstrative Examples, Description,
Likelihood of Exploit, Name, Observed Examples, Other Notes,
Potential Mitigations, Relationships, Research Gaps,
Time of Introduction
2009-03-10
CWE Content Team
MITRE
Internal
updated Potential Mitigations
2009-05-27
CWE Content Team
MITRE
Internal
updated Demonstrative Examples
2009-07-27
CWE Content Team
MITRE
Internal
updated Related Attack Patterns,
Relationships
2009-10-29
CWE Content Team
MITRE
Internal
updated Applicable Platforms, Common Consequences,
Description
Compound Element ID: 352 (Compound Element Variant: Composite)
Status: Draft
Description
Description Summary
The web application does not, or can not, sufficiently verify
whether a well-formed, valid, consistent request was intentionally provided by
the user who submitted the request.
Extended Description
When a web server is designed to receive a request from a client without
any mechanism for verifying that it was intentionally sent, then it might be
possible for an attacker to trick a client into making an unintentional
request to the web server which will be treated as an authentic request.
This can be done via a URL, image load, XMLHttpRequest, etc. and can result
in data disclosure or unintended code execution.
Alternate Terms
Session Riding
Cross Site Reference Forgery
XSRF
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Technology Classes
Web-Server
Likelihood of Exploit
High
Demonstrative Examples
Example 1
This example PHP code attempts to secure the form submission process
by validating that the user submitting the form has a valid session. A CSRF
attack would not be prevented by this countermeasure because the attacker
forges a request through the user's web browser in which a valid session
already exists.
The following HTML is intended to allow a user to update a
profile.
echo "Your profile has been successfully updated.";
}
This code may look protected since it checks for a valid session.
However, CSRF attacks can be staged from virtually any tag or HTML
construct, including image tags, links, embed or object tags, or other
attributes that load background images.
The attacker can then host code that will silently change the username
and email address of any user that visits the page while remaining
logged in to the target web application. The code might be an
innocent-looking web page such as:
Notice how the form contains hidden fields, so when it is loaded into
the browser, the user will not notice it. Because SendAttack() is
defined in the body's onload attribute, it will be automatically called
when the victim loads the web page.
Assuming that the user is already logged in to victim.example.com,
profile.php will see that a valid user session has been established,
then update the email address to the attacker's own address. At this
stage, the user's identity has been compromised, and messages sent
through this profile could be sent to the attacker's address.
Perform actions as administrator via a URL or an
img tag
Potential Mitigations
Phase
Description
Architecture and Design
Use anti-CSRF packages such as the OWASP CSRFGuard.
Implementation
Ensure that your application is free of cross-site scripting issues
(CWE-79), because most CSRF defenses can be bypassed using
attacker-controlled script.
Architecture and Design
Generate a unique nonce for each form, place the nonce into the form,
and verify the nonce upon receipt of the form. Be sure that the nonce is
not predictable (CWE-330).
Note that this can be bypassed using XSS (CWE-79).
Architecture and Design
Identify especially dangerous operations. When the user performs a
dangerous operation, send a separate confirmation request to ensure that
the user intended to perform that operation.
Note that this can be bypassed using XSS (CWE-79).
Architecture and Design
Use the "double-submitted cookie" method as described by Felten and
Zeller.
Note that this can probably be bypassed using XSS (CWE-79).
Architecture and Design
Use the ESAPI Session Management control.
This control includes a component for CSRF.
Architecture and Design
Do not use the GET method for any request that triggers a state
change.
Implementation
Check the HTTP Referer header to see if the request originated from an
expected page. This could break legitimate functionality, because users
or proxies may have disabled sending the Referer for privacy
reasons.
Note that this can be bypassed using XSS (CWE-79). An attacker could
use XSS to generate a spoofed Referer, or to generate a malicious
request from a page whose Referer would be allowed.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
Use OWASP CSRFTester to identify potential issues.
The product downloads source code or an executable from a
remote location and executes the code without sufficiently verifying the origin
and integrity of the code.
Extended Description
An attacker can execute malicious code by compromising the host server,
performing DNS spoofing, or modifying the code in transit.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Availability
Executing untrusted code could result in a compromise of the
application and failure to function correctly for users.
Confidentiality
If an attacker can influence the untrusted code then, upon execution,
it may provide the attacker with access to sensitive files.
Integrity
Executing untrusted code could compromise the control flow of the
program, possibly also leading to the modification of sensitive
resources.
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
(Bad Code)
Java
URL[] classURLs= new URL[]{
new URL("file:subdir/")
};
URLClassLoader loader = new URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);
VOIP phone downloads applications from web sites
without verifying integrity.
Potential Mitigations
Phase
Description
Implementation
Perform proper forward and reverse DNS lookups to detect DNS spoofing.
This is only a partial solution since it will not prevent your code from
being modified on the hosting site or in transit.
Architecture and Design
Operation
Encrypt the code with a reliable encryption scheme before
transmitting.
This will only be a partial solution, since it will not detect DNS
spoofing and it will not prevent your code from being modified on the
hosting site.
Architecture and Design
Use integrity checking on the transmitted code.
If you are providing the code that is to be downloaded, such as
for automatic updates of your software, then use cryptographic
signatures for your code and modify your download clients to verify
the signatures. Ensure that your implementation does not contain
CWE-295, CWE-320, CWE-347, and related weaknesses.
Use code signing technologies such as Authenticode. See
references.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
Testing
Use monitoring tools that examine the software's process as it
interacts with the operating system and the network. This technique is
useful in cases when source code is unavailable, if the software was not
developed by you, or if you want to verify that the build phase did not
introduce any new weaknesses. Examples include debuggers that directly
attach to the running process; system-call tracing utilities such as
truss (Solaris) and strace (Linux); system activity monitors such as
FileMon, RegMon, Process Monitor, and other Sysinternals utilities
(Windows); and sniffers and protocol analyzers that monitor network
traffic.
Attach the monitor to the process and also sniff the network
connection. Trigger features related to product updates or plugin
installation, which is likely to force a code download. Monitor when
files are downloaded and separately executed, or if they are otherwise
read back into the process. Look for evidence of cryptographic library
calls that use integrity checking.
This is critical for mobile code, but it is likely to become more and more
common as developers continue to adopt automated, network-based product
distributions and upgrades. Software-as-a-Service (SaaS) might introduce
additional subtleties. Common exploitation scenarios may include ad server
compromises and bad upgrades.
updated Relationships, Other Notes,
Taxonomy Mappings
2009-01-12
CWE Content Team
MITRE
Internal
updated Applicable Platforms, Common Consequences,
Description, Name, Other Notes, Potential Mitigations, References,
Relationships, Research Gaps, Type
2009-03-10
CWE Content Team
MITRE
Internal
updated Potential Mitigations
2009-07-27
CWE Content Team
MITRE
Internal
updated Description, Observed Examples,
Related Attack Patterns
The software generates an error message that includes sensitive
information about its environment, users, or associated
data.
Extended Description
The sensitive information may be valuable information on its own (such as
a password), or it may be useful for launching other, more deadly attacks.
If an attack fails, an attacker may use error information provided by the
server to launch another more focused attack. For example, an attempt to
exploit a path traversal weakness (CWE-22) might yield the full pathname of
the installed application. In turn, this could be used to select the proper
number of ".." sequences to navigate to the targeted file. An attack using
SQL injection (CWE-89) might not initially succeed, but an error message
could reveal the malformed query, which would expose query logic and
possibly even passwords or other sensitive information used within the
query.
Time of Introduction
Architecture and Design
Implementation
System Configuration
Applicable Platforms
Languages
PHP: (Often)
All
Common Consequences
Scope
Effect
Confidentiality
Often this will either reveal sensitive information which may be used
for a later attack or private information stored in the server.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
In the following example, you are passing much more data than is
needed.
(Bad Code)
Java
try {
/.../
}
catch (Exception e) {
System.out.println(e);
}
Another example is passing the SQL exceptions to a WebUser without
filtering.
Example 2
The following code generates an error message that leaks the full
pathname of the configuration file.
(Bad Code)
Perl
$ConfigDir = "/home/myprog/config";
$uname = GetUserInput("username");
# avoid CWE-22, CWE-78, others.
ExitError("Bad hacker!") if ($uname !~ /^\w+$/);
$file = "$ConfigDir/$uname.txt";
if (! (-e $file)) {
ExitError("Error: $file does not exist");
}
...
If this code is running on a server, such as a web application, then
the person making the request should not know what the full pathname of
the configuration directory is. By submitting a username that does not
produce a $file that exists, an attacker could get this pathname. It
could then be used to exploit path traversal or symbolic link following
problems that may exist elsewhere in the application.
Composite: application running with high
privileges allows user to specify a restricted file to process, which
generates a parsing error that leaks the contents of the
file.
Malformed input to login page causes leak of full
path when IMAP call fails.
Potential Mitigations
Phase
Description
Implementation
Ensure that error messages only contain minimal information that are
useful to their intended audience, and nobody else. The messages need to
strike the balance between being too cryptic and not being cryptic
enough. They should not necessarily reveal the methods that were used to
determine the error. Such detailed information can help an attacker
craft another attack that now will pass through the validation
filters.
If errors must be tracked in some detail, capture them in log messages
- but consider what could occur if the log messages can be viewed by
attackers. Avoid recording highly sensitive information such as
passwords in any form. Avoid inconsistent messaging that might
accidentally tip off an attacker about internal state, such as whether a
username is valid or not.
Implementation
Handle exceptions internally and do not display errors containing
potentially sensitive information to a user.
Build and Compilation
Debugging information should not make its way into a production
release.
Testing
Identify error conditions that are not likely to occur during normal
usage and trigger them. For example, run the program under low memory
conditions, run with insufficient privileges or permissions, interrupt a
transaction before it is completed, or disable connectivity to basic
network services such as DNS. Monitor the software for any unexpected
behavior. If you trigger an unhandled exception or similar error that
was discovered and handled by the application's environment, it may
still indicate unexpected conditions that were not handled by the
application itself.
Testing
Stress-test the software by calling it simultaneously from a large
number of threads or processes, and look for evidence of any unexpected
behavior. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results.
System Configuration
Where available, configure the environment to use less verbose error
messages. For example, in PHP, disable the display_errors setting during
configuration, or at runtime using the error_reporting()
function.
System Configuration
Create default error pages or messages that do not leak any
information.
The software performs an operation at a privilege level that is
higher than the minimum level required, which creates new weaknesses or
amplifies the consequences of other weaknesses.
Extended Description
New weaknesses can be exposed because running with extra privileges, such
as root or Administrator, can disable the normal security checks being
performed by the operating system or surrounding environment. Other
pre-existing weaknesses can turn into security vulnerabilities if they occur
while operating at raised privileges.
Privilege management functions can behave in some less-than-obvious ways,
and they have different quirks on different platforms. These inconsistencies
are particularly pronounced if you are transitioning from one non-root user
to another. Signal handlers and spawned processes run at the privilege of
the owning process, so if a process is running as root when a signal fires
or a sub-process is executed, the signal handler or sub-process will operate
with root privileges.
Time of Introduction
Installation
Architecture and Design
Operation
Applicable Platforms
Languages
All
Modes of Introduction
If an application has this design problem, then it can be easier for the
developer to make implementation-related errors such as CWE-271 (Privilege
Dropping / Lowering Errors). In addition, the consequences of Privilege
Chaining (CWE-268) can become more severe.
Common Consequences
Scope
Effect
Confidentiality
Integrity
Availability
An attacker will be able to gain access to any resources that are
allowed by the extra privileges. Common results include executing code,
disabling services, and reading restricted data.
FTP client program on a certain OS runs with
setuid privileges and has a buffer overflow. Most clients do not need extra
privileges, so an overflow is not a vulnerability for those clients.
Composite: application running with high
privileges allows user to specify a restricted file to process, which
generates a parsing error that leaks the contents of the file.
Installation script installs some programs as
setuid when they shouldn't be.
Potential Mitigations
Phase
Description
Architecture and Design
Identify the functionality that requires additional privileges, such
as access to privileged operating system resources. Wrap and centralize
this functionality if possible, and isolate the privileged code as much
as possible from other code. Raise your privileges as late as possible,
and drop them as soon as possible. Avoid weaknesses such as CWE-288 and
CWE-420 by protecting all possible communication channels that could
interact with your privileged code, such as a secondary socket that you
only intend to be accessed by administrators.
Implementation
Perform extensive input validation for any privileged code that must
be exposed to the user and reject anything that does not fit your strict
requirements.
Implementation
Ensure that you drop privileges as soon as possible (CWE-271), and
make sure that you check to ensure that privileges have been dropped
successfully (CWE-273).
Implementation
If circumstances force you to run with extra privileges, then
determine the minimum access level necessary. First identify the
different permissions that the software and its users will need to
perform their actions, such as file read and write permissions, network
socket permissions, and so forth. Then explicitly allow those actions
while denying all else. Perform extensive input validation and
canonicalization to minimize the chances of introducing a separate
vulnerability. This mitigation is much more prone to error than dropping
the privileges in the first place.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
Testing
Use monitoring tools that examine the software's process as it
interacts with the operating system and the network. This technique is
useful in cases when source code is unavailable, if the software was not
developed by you, or if you want to verify that the build phase did not
introduce any new weaknesses. Examples include debuggers that directly
attach to the running process; system-call tracing utilities such as
truss (Solaris) and strace (Linux); system activity monitors such as
FileMon, RegMon, Process Monitor, and other Sysinternals utilities
(Windows); and sniffers and protocol analyzers that monitor network
traffic.
Attach the monitor to the process and perform a login. Look for
library functions and system calls that indicate when privileges are
being raised or dropped. Look for accesses of resources that are
restricted to normal users.
Note that this technique is only useful for privilege issues related
to system resources. It is not likely to detect application-level
business rules that are related to privileges, such as if a blog system
allows a user to delete a blog entry without first checking that the
user has administrator privileges.
Testing
System Configuration
Ensure that your software runs properly under the Federal Desktop Core
Configuration (FDCC) or an equivalent hardening configuration guide,
which many organizations use to limit the attack surface and potential
risk of deployed software.
Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750
Relationship Notes
There is a close association with CWE-653 (Insufficient Separation of
Privileges). CWE-653 is about providing separate components for each
privilege; CWE-250 is about ensuring that each component has the least
amount of privileges possible.
CWE-271, CWE-272, and CWE-250 are all closely related and possibly
overlapping. CWE-271 is probably better suited as a category. Both CWE-272
and CWE-250 are in active use by the community. The "least privilege" phrase
has multiple interpretations.
Content History
Submissions
Submission Date
Submitter
Organization
Source
7 Pernicious Kingdoms
Externally Mined
Modifications
Modification Date
Modifier
Organization
Source
2008-09-08
CWE Content Team
MITRE
Internal
updated Description, Modes of Introduction, Relationships,
Other Notes, Relationship Notes, Taxonomy Mappings
2008-10-14
CWE Content Team
MITRE
Internal
updated Description,
Maintenance Notes
2009-01-12
CWE Content Team
MITRE
Internal
updated Common Consequences, Description,
Likelihood of Exploit, Maintenance Notes, Name, Observed Examples,
Other Notes, Potential Mitigations, Relationships,
Time of Introduction
The software stores security-critical state information about
its users, or the software itself, in a location that is accessible to
unauthorized actors.
Extended Description
If an attacker can modify the state information without detection, then it
could be used to perform unauthorized actions or access unexpected
resources, since the application programmer does not expect that the state
can be changed.
State information can be stored in various locations such as a cookie, in
a hidden web form field, input parameter or argument, an environment
variable, a database record, within a settings file, etc. All of these
locations have the potential to be modified by an attacker. When this state
information is used to control security or determine resource usage, then it
may create a vulnerability. For example, an application may perform
authentication, then save the state in an "authenticated=true" cookie. An
attacker may simply create this cookie in order to bypass the
authentication.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Technology Classes
Web-Server: (Often)
Common Consequences
Scope
Effect
Integrity
An attacker could potentially modify the state in malicious ways. If
the state is related to the privileges or level of authentication that
the user has, then state modification might allow the user to bypass
authentication or elevate privileges.
Confidentiality
The state variables may contain sensitive information that should not
be known by the client.
Availability
By modifying state variables, the attacker could violate the
application's expectations for the contents of the state, leading to a
denial of service due to an unexpected error condition.
Likelihood of Exploit
High
Enabling Factors for Exploitation
An application maintains its own state and/or user state (i.e. application
is stateful).
State information can be affected by the user of an application through
some means other than the legitimate state transitions (e.g. logging into
the system, purchasing an item, making a payment, etc.)
An application does not have means to detect state tampering and behave in
a fail safe manner.
Demonstrative Examples
Example 1
In the following example, an authentication flag is read from a
browser cookie, thus allowing for external control of user state
data.
(Bad Code)
Java
Cookie[] cookies = request.getCookies();
for (int i =0; i< cookies.length; i++) {
Cookie c = cookies[i];
if (c.getName().equals("authenticated") &&
Boolean.TRUE.equals(c.getValue())) {
authenticated = true;
}
}
Example 2
The following code segment implements a basic server that uses the
"ls" program to perform a directory listing of the directory that is listed
in the "HOMEDIR" environment variable. The code intends to allow the user to
specify an alternate "LANG" environment variable. This causes "ls" to
customize its output based on a given language, which is an important
capability when supporting internationalization.
(Bad Code)
Perl
$ENV{"HOMEDIR"} = "/home/mydir/public/";
my $stream = AcceptUntrustedInputStream();
while (<$stream>) {
chomp;
if (/^ENV ([\w\_]+) (.*)/) {
$ENV{$1} = $2;
}
elsif (/^QUIT/) { ... }
elsif (/^LIST/) {
open($fh, "/bin/ls -l $ENV{HOMEDIR}|");
while (<$fh>) {
SendOutput($stream, "FILEINFO: $_");
}
close($fh);
}
}
The programmer takes care to call a specific "ls" program and sets the
HOMEDIR to a fixed value. However, an attacker can use a command such as
"ENV HOMEDIR /secret/directory" to specify an alternate directory,
enabling a path traversal attack (CWE-22). At the same time, other
attacks are enabled as well, such as OS command injection (CWE-78) by
setting HOMEDIR to a value such as "/tmp; rm -rf /". In this case, the
programmer never intends for HOMEDIR to be modified, so input validation
for HOMEDIR is not the solution. A partial solution would be a whitelist
that only allows the LANG variable to be specified in the ENV command.
Alternately, assuming this is an authenticated user, the language could
be stored in a local file so that no ENV command at all would be
needed.
While this example may not appear realistic, this type of problem
shows up in code fairly frequently. See CVE-1999-0073 in the observed
examples for a real-world example with similar behaviors.
Server allows client to specify the search path,
which can be modified to point to a program that the client has
uploaded.
Potential Mitigations
Phase
Description
Architecture and Design
Understand all the potential locations that are accessible to
attackers. For example, some programmers assume that cookies and hidden
form fields cannot be modified by an attacker, or they may not consider
that environment variables can be modified before a privileged program
is invoked.
Architecture and Design
Do not keep state information on the client without using encryption
and integrity checking, or otherwise having a mechanism on the server
side to catch state tampering. Use a message authentication code (MAC)
algorithm, such as Hash Message Authentication Code (HMAC). Apply this
against the state data that you have to expose, which can guarantee the
integrity of the data - i.e., that the data has not been modified.
Ensure that you use an algorithm with a strong hash function
(CWE-328).
Architecture and Design
Store state information on the server side only. Ensure that the
system definitively and unambiguously keeps track of its own state and
user state and has rules defined for legitimate state transitions. Do
not allow any application user to affect state directly in any way other
than through legitimate actions leading to state transitions.
Architecture and Design
With a stateless protocol such as HTTP, use a framework that maintains
the state for you.
Examples include ASP.NET View State and the OWASP ESAPI Session
Management feature.
Be careful of language features that provide state support, since
these might be provided as a convenience to the programmer and may not
be considering security.
Architecture and Design
For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side, in order to avoid
CWE-602. Attackers can bypass the client-side checks by modifying values
after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values
would be submitted to the server.
Operation
Implementation
If you are using PHP, configure your application so that it does not
use register_globals. During implementation, develop your application so
that it does not rely on this feature, but be wary of implementing a
register_globals emulation that is subject to weaknesses such as CWE-95,
CWE-621, and similar issues.
Testing
Use automated static analysis tools that target this type of weakness.
Many modern techniques use data flow analysis to minimize the number of
false positives. This is not a perfect solution, since 100% accuracy and
coverage are not feasible.
Testing
Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
The software allows user input to control or influence paths or
file names that are used in filesystem operations.
Extended Description
This could allow an attacker to access or modify system files or other
files that are critical to the application.
Path manipulation errors occur when the following two conditions are
met:
1. An attacker can specify a path used in an operation on the
filesystem.
2. By specifying the resource, the attacker gains a capability that
would not otherwise be permitted.
For example, the program may give the attacker the ability to overwrite
the specified file or run with a configuration controlled by the attacker.
Time of Introduction
Architecture and Design
Implementation
Operation
Applicable Platforms
Languages
All
Operating Systems
UNIX: (Often)
Windows: (Often)
Mac OS: (Often)
Common Consequences
Scope
Effect
Confidentiality
The application can operate on unexpected files. Confidentiality is
violated when the targeted filename is not directly readable by the
attacker.
Integrity
The application can operate on unexpected files. This may violate
integrity if the filename is written to, or if the filename is for a
program or other form of executable code.
Availability
The application can operate on unexpected files. Availability can be
violated if the attacker specifies an unexpected file that the
application modifies. Availability can also be affected if the attacker
specifies a filename for a large file, or points to a special device or
a file that does not have the format that the application
expects.
Likelihood of Exploit
High to Very High
Demonstrative Examples
Example 1
The following code uses input from an HTTP request to create a file
name. The programmer has not considered the possibility that an attacker
could provide a file name such as "../../tomcat/conf/server.xml", which
causes the application to delete one of its own configuration files
(CWE-22).
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();
Example 2
The following code uses input from a configuration file to determine
which file to open and echo back to the user. If the program runs with
privileges and malicious users can change the configuration file, they can
use the program to read any file on the system that ends with the extension
.txt.
(Bad Code)
Java
fis = new FileInputStream(cfg.getProperty("sub")+".txt");
Chain: external control of user's target language
enables remote file inclusion.
Potential Mitigations
Phase
Description
Architecture and Design
When the set of filenames is limited or known, create a mapping from a
set of fixed input values (such as numeric IDs) to the actual filenames,
and reject all other inputs. For example, ID 1 could map to "inbox.txt"
and ID 2 could map to "profile.txt". Features such as the ESAPI
AccessReferenceMap provide this capability.
Architecture and Design
Operation
Run your code in a "jail" or similar sandbox environment that enforces
strict boundaries between the process and the operating system. This may
effectively restrict all access to files within a particular
directory.
Examples include the Unix chroot jail and AppArmor. In general,
managed code may provide some protection.
This may not be a feasible solution, and it only limits the impact to
the operating system; the rest of your application may still be subject
to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
Architecture and Design
For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side, in order to avoid
CWE-602. Attackers can bypass the client-side checks by modifying values
after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values
would be submitted to the server.
Implementation
Assume all input is malicious. Use an "accept known good" input
validation strategy (i.e., use a whitelist). Reject any input that does
not strictly conform to specifications, or transform it into something
that does. Use a blacklist to reject any unexpected inputs and detect
potential attacks.
For filenames, use stringent whitelists that limit the character set
to be used. If feasible, only allow a single "." character in the
filename to avoid weaknesses such as CWE-23, and exclude directory
separators such as "/" to avoid CWE-36. Use a whitelist of allowable
file extensions, which will help to avoid CWE-434.
Implementation
Use a built-in path canonicalization function (such as realpath() in
C) that produces the canonical version of the pathname, which
effectively removes ".." sequences and symbolic links (CWE-23,
CWE-59).
Installation
Operation
Use OS-level permissions and run as a low-privileged user to limit the
scope of any successful attack.
Operation
Implementation
If you are using PHP, configure your application so that it does not
use register_globals. During implementation, develop your application so
that it does not rely on this feature, but be wary of implementing a
register_globals emulation that is subject to weaknesses such as CWE-95,
CWE-621, and similar issues.
Testing
Use automated static analysis tools that target this type of weakness.
Many modern techniques use data flow analysis to minimize the number of
false positives. This is not a perfect solution, since 100% accuracy and
coverage are not feasible.
Testing
Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
Weakness Ordinalities
Ordinality
Description
Primary
(where the
weakness exists independent of other weaknesses)
The external control of filenames can be the primary link in chains with
other file-related weaknesses, as seen in the CanPrecede relationships. This
is because software systems use files for many different purposes: to
execute programs, load code libraries, to store application data, to store
configuration settings, record temporary data, act as signals or semaphores
to other processes, etc.
However, those weaknesses do not always require external control. For
example, link-following weaknesses (CWE-59) often involve pathnames that are
not controllable by the attacker at all.
The external control can be resultant from other issues. For example, in
PHP applications, the register_globals setting can allow an attacker to
modify variables that the programmer thought were immutable, enabling file
inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive
privileges (CWE-250) might allow an attacker to specify an input filename
that is not directly readable by the attacker, but is accessible to the
privileged program. A buffer overflow (CWE-119) might give an attacker
control over nearby memory locations that are related to pathnames, but were
not directly modifiable by the attacker.
Failure to Constrain Operations within the Bounds of a Memory Buffer
Definition in a New Window
Weakness ID: 119 (Weakness Class)
Status: Usable
Description
Description Summary
The software performs operations on a memory buffer, but it can
read from or write to a memory location that is outside of the intended boundary
of the buffer.
Extended Description
Certain languages allow direct addressing of memory locations and do not
automatically ensure that these locations are valid for the memory buffer
that is being referenced. This can cause read or write operations to be
performed on memory locations that may be associated with other variables,
data structures, or internal program data.
As a result, an attacker may be able to execute arbitrary code, alter the
intended control flow, read sensitive information, or cause the system to
crash.
Time of Introduction
Architecture and Design
Implementation
Operation
Applicable Platforms
Languages
C: (Often)
C++: (Often)
All
Platform Notes
It is possible in many programming languages to attempt an operation
outside of the bounds of a memory buffer, but the consequences will vary
widely depending on the language, platform, and chip architecture.
Common Consequences
Scope
Effect
Integrity
If the memory accessible by the attacker can be effectively
controlled, it may be possible to execute arbitrary code, as with a
standard buffer overflow.
If the attacker can overwrite a pointer's worth of memory (usually 32
or 64 bits), he can redirect a function pointer to his own malicious
code. Even when the attacker can only modify a single byte arbitrary
code execution can be possible. Sometimes this is because the same
problem can be exploited repeatedly to the same effect. Other times it
is because the attacker can overwrite security-critical
application-specific data -- such as a flag indicating whether the user
is an administrator.
Availability
Out of bounds memory access will very likely result in the corruption
of relevant memory, and perhaps instructions, possibly leading to a
crash. Other attacks leading to lack of availability are possible,
including putting the program into an infinite loop.
Confidentiality
In the case of an out-of-bounds read, the attacker may have access to
sensitive information. If the sensitive information contains system
details, such as the current buffers position in memory, this knowledge
can be used to craft further attacks, possibly with more severe
consequences.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
This example takes an IP address from a user, verifies that it is
well formed and then looks up the hostname and copies it into a
buffer.
(Bad Code)
C
void host_lookup(char *user_supplied_addr){
struct hostent *hp;
in_addr_t *addr;
char hostname[64];
in_addr_t inet_addr(const char *cp);
/*routine that ensures user_supply_addr is in the right format
for conversion */
validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr),
AF_INET);
strcpy(&hostname, hp->h_name);
}
This function allocates a buffer of 64 bytes to store the hostname,
however there is no guarantee that the hostname will not be larger than
64 bytes. If an attacker specifies an address which resolves to a very
large hostname, then we may overwrite sensitive data or even relinquish
control flow to the attacker.
Example 2
This example applies an encoding procedure to an input string and
stores it into a buffer.
The programmer attempts to encode the ampersand character in the
user-controlled string, however the length of the string is validated
before the encoding procedure is applied. Furthermore, the programmer
assumes encoding expansion will only expand a given character by a
factor of 4, while the encoding of the ampersand expands by 5. As a
result, when the encoding procedure expands the string it is possible to
overflow the destination buffer if the attacker provides a string of
many ampersands.
Example 3
The following example asks a user for an offset into an array to
select an item.
The programmer allows the user to specify which element in the list to
select, however an attacker can provide an out-of-bounds offset,
resulting in a buffer over-read (CWE-126).
OS kernel trusts userland-supplied length value,
allowing reading of sensitive information
Potential Mitigations
Phase
Description
Requirements
Use a language with features that can automatically mitigate or
eliminate buffer overflows.
For example, many languages that perform their own memory management,
such as Java and Perl, are not subject to buffer overflows. Other
languages, such as Ada and C#, typically provide overflow protection,
but the protection can be disabled by the programmer.
Be wary that a language's interface to native code may still be
subject to overflows, even if the language itself is theoretically safe.
Architecture and Design
Use languages, libraries, or frameworks that make it easier to manage
buffers without exceeding their boundaries.
Examples include the Safe C String Library (SafeStr) by Messier and
Viega, and the Strsafe.h library from Microsoft. These libraries provide
safer versions of overflow-prone string-handling functions. This is not
a complete solution, since many buffer overflows are not related to
strings.
Build and Compilation
Run or compile your software using features or extensions that
automatically provide a protection mechanism that mitigates or
eliminates buffer overflows.
For example, certain compilers and extensions provide automatic buffer
overflow detection mechanisms that are built into the compiled code.
Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat
FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.
This is not necessarily a complete solution, since these mechanisms
can only detect certain types of overflows. In addition, a buffer
overflow attack can still cause a denial of service, since the typical
response is to exit the application.
Implementation
Programmers should adhere to the following rules when allocating and
managing their application's memory:
Double check that your buffer is as large as you specify.
When using functions that accept a number of bytes to copy, such
as strncpy(), be aware that if the destination buffer size is equal
to the source buffer size, it may not NULL-terminate the
string.
Check buffer boundaries if calling this function in a loop and
make sure you are not in danger of writing past the allocated
space.
If necessary, truncate all input strings to a reasonable length
before passing them to the copy and concatenation functions.
Testing
Use automated static analysis tools that target this type of weakness.
Many modern techniques use data flow analysis to minimize the number of
false positives. This is not a perfect solution, since 100% accuracy and
coverage are not feasible.
Testing
Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results.
Operation
Use a feature like Address Space Layout Randomization (ASLR). This is
not a complete solution. However, it forces the attacker to guess an
unknown value that changes every program execution.
Operation
Use a CPU and operating system that offers Data Execution Protection
(NX) or its equivalent. This is not a complete solution, since buffer
overflows could be used to overwrite nearby variables to modify the
software's state in dangerous ways. In addition, it cannot be used in
cases in which self-modifying code is required.
Failure to Control Generation of Code ('Code Injection')
Definition in a New Window
Weakness ID: 94 (Weakness Class)
Status: Draft
Description
Description Summary
The product does not sufficiently filter code (control-plane)
syntax from user-controlled input (data plane) when that input is used within
code that the product generates.
Extended Description
When software allows a user's input to contain code syntax, it might be
possible for an attacker to craft the code in such a way that it will alter
the intended control flow of the software. Such an alteration could lead to
arbitrary code execution.
Injection problems encompass a wide variety of issues -- all mitigated in
very different ways. For this reason, the most effective way to discuss
these weaknesses is to note the distinct features which classify them as
injection weaknesses. The most important issue to note is that all injection
problems share one thing in common -- i.e., they allow for the injection of
control plane data into the user-controlled data plane. This means that the
execution of the process may be altered by sending code in through
legitimate data channels, using no other mechanism. While buffer overflows,
and many other flaws, involve the use of some further issue to gain
execution, injection problems need only for the data to be parsed. The most
classic instantiations of this category of weakness are SQL injection and
format string vulnerabilities.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
Interpreted languages: (Sometimes)
Common Consequences
Scope
Effect
Confidentiality
The injected code could access restricted data / files
Authentication
In some cases, injectable code controls authentication; this may lead
to a remote vulnerability
Access Control
Injected code can access resources that the attacker is directly
prevented from accessing
Integrity
Code injection attacks can lead to loss of data integrity in nearly
all cases as the control-plane data injected is always incidental to
data recall or writing. Additionally, code injection can often result in
the execution of arbitrary code.
Accountability
Often the actions performed by injected control code are
unlogged.
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
This example attempts to write user messages to a message file and
allow users to view them.
While the programmer intends for the MessageFile to only include data,
an attacker can provide a message such as:
(Attack)
name=h4x0r
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
which will decode to the following:
(Attack)
<?php system("/bin/ls -l");?>
The programmer thought they were just including the contents of a
regular data file, but PHP parsed it and executed the code. Now, this
code is executed any time people view messages.
Notice that XSS (CWE-79) is also possible in this situation.
Potential Mitigations
Phase
Description
Architecture and Design
Refactor your program so that you do not have to dynamically generate
code.
Architecture and Design
Run your code in a "jail" or similar sandbox environment that enforces
strict boundaries between the process and the operating system. This may
effectively restrict which code can be executed by your software.
Examples include the Unix chroot jail and AppArmor. In general,
managed code may provide some protection.
This may not be a feasible solution, and it only limits the impact to
the operating system; the rest of your application may still be subject
to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
Implementation
Assume all input is malicious. Use an "accept known good" input
validation strategy (i.e., use a whitelist). Reject any input that does
not strictly conform to specifications, or transform it into something
that does. Use a blacklist to reject any unexpected inputs and detect
potential attacks.
To reduce the likelihood of code injection, use stringent whitelists
that limit which constructs are allowed. If you are dynamically
constructing code that invokes a function, then verifying that the input
is alphanumeric might be insufficient. An attacker might still be able
to reference a dangerous function that you did not intend to allow, such
as system(), exec(), or exit().
Testing
Use automated static analysis tools that target this type of weakness.
Many modern techniques use data flow analysis to minimize the number of
false positives. This is not a perfect solution, since 100% accuracy and
coverage are not feasible.
Testing
Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results.
Operation
Run the code in an environment that performs automatic taint
propagation and prevents any command execution that uses tainted
variables, such as Perl's "-T" switch. This will force you to perform
validation steps that remove the taint, although you must be careful to
correctly validate your inputs so that you do not accidentally mark
dangerous inputs as untainted (see CWE-183 and CWE-184).
Failure to Preserve Web Page Structure ('Cross-site Scripting')
Definition in a New Window
Weakness ID: 79 (Weakness Base)
Status: Usable
Description
Description Summary
The software does not sufficiently validate, filter, escape,
and encode user-controllable input before it is placed in output that is used as
a web page that is served to other users.
1. Untrusted data enters a web application, typically from a web
request.
2. The web application dynamically generates a web page that contains
this untrusted data.
3. During page generation, the application does not prevent the data
from containing content that is executable by a web browser, such as
JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX,
etc.
4. A victim visits the generated web page through a web browser, which
contains malicious script that was injected using the untrusted
data.
5. Since the script comes from a web page that was sent by the web
server, the web browser executes the malicious script in the context of
the web server's domain.
6. This effectively violates the intention of the web browser's
same-origin policy, which states that scripts in one domain should not
be able to access resources or run code in a different domain.
There are three main kinds of XSS:
Type 1: Reflected XSS (or Non-Persistent)
The server reads data directly from the HTTP request and reflects it
back in the HTTP response. Reflected XSS exploits occur when an attacker
causes a user to supply dangerous content to a vulnerable web
application, which is then reflected back to the user and executed by
the web browser. The most common mechanism for delivering malicious
content is to include it as a parameter in a URL that is posted publicly
or e-mailed directly to victims. URLs constructed in this manner
constitute the core of many phishing schemes, whereby an attacker
convinces victims to visit a URL that refers to a vulnerable site. After
the site reflects the attacker's content back to the user, the content
is executed and proceeds to transfer private information, such as
cookies that may include session information, from the user's machine to
the attacker or perform other nefarious activities.
Type 2: Stored XSS (or Persistent)
The application stores dangerous data in a database, message forum,
visitor log, or other trusted data store. The dangerous data is
subsequently read back into the application and included in dynamic
content. Stored XSS exploits occur when an attacker injects dangerous
content into a data store that is later read and included in dynamic
content. From an attacker's perspective, the optimal place to inject
malicious content is in an area that is displayed to either many users
or particularly interesting users. Interesting users typically have
elevated privileges in the application or interact with sensitive data
that is valuable to the attacker. If one of these users executes
malicious content, the attacker may be able to perform privileged
operations on behalf of the user or gain access to sensitive data
belonging to the user. For example, the attacker might inject XSS into a
log message, which might not be handled properly when an administrator
views the logs.
Type 0: DOM-Based XSS
In DOM-based XSS, the client performs the injection of XSS into the
page; in the other types, the server performs the injection. DOM-based
XSS generally involves server-controlled, trusted script that is sent to
the client, such as Javascript that performs sanity checks on a form
before the user submits it. If the server-supplied script processes
user-supplied data and then injects it back into the web page (such as
with dynamic HTML), then DOM-based XSS is possible.
In many cases, the attack can be launched without the victim even being
aware of it. Even with careful users, attackers frequently use a variety of
methods to encode the malicious portion of the attack, such as URL encoding
or Unicode, so the request looks less suspicious.
Alternate Terms
XSS
CSS:
"CSS" was once used as the acronym for this problem, but this could
cause confusion with "Cascading Style Sheets," so usage of this acronym
has declined significantly.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Architectural Paradigms
Web-based: (Often)
Technology Classes
Web-Server: (Often)
Platform Notes
XSS flaws are very common in web applications since they require a great
deal of developer discipline to avoid them.
Common Consequences
Scope
Effect
Confidentiality
The most common attack performed with cross-site scripting involves
the disclosure of information stored in user cookies. Typically, a
malicious user will craft a client-side script, which -- when parsed by
a web browser -- performs some activity (such as sending all site
cookies to a given E-mail address). This script will be loaded and run
by each user visiting the web site. Since the site requesting to run the
script has access to the cookies in question, the malicious script does
also.
Access Control
In some circumstances it may be possible to run arbitrary code on a
victim's computer when cross-site scripting is combined with other
flaws.
Confidentiality
Integrity
Availability
The consequence of an XSS attack is the same regardless of whether it
is stored or reflected. The difference is in how the payload arrives at
the server.
XSS can cause a variety of problems for the end user that range in
severity from an annoyance to complete account compromise. Some
cross-site scripting vulnerabilities can be exploited to manipulate or
steal cookies, create requests that can be mistaken for those of a valid
user, compromise confidential information, or execute malicious code on
the end user systems for a variety of nefarious purposes. Other damaging
attacks include the disclosure of end user files, installation of Trojan
horse programs, redirecting the user to some other page or site, running
"Active X" controls (under Microsoft Internet Explorer) from sites that
a user perceives as trustworthy, and modifying presentation of
content.
Likelihood of Exploit
High to Very High
Enabling Factors for Exploitation
Cross-site scripting attacks may occur anywhere that possibly malicious
users are allowed to post unregulated material to a trusted web site for the
consumption of other valid users, commonly on places such as bulletin-board
web sites which provide web based mailing list-style functionality.
Detection Factors
It is relatively easy for an attacker to find XSS vulnerabilities.
Some of these vulnerabilities can be found using scanners, and some
exist in older web application servers.
Demonstrative Examples
Example 1
This example covers a Reflected XSS (Type 1) scenario.
The following JSP code segment reads an employee ID, eid, from an HTTP
request and displays it to the user.
(Bad Code)
JSP
<% String eid = request.getParameter("eid");
%>
...
Employee ID: <%= eid %>
The following ASP.NET code segment reads an employee ID number from an
HTTP request and displays it to the user.
The code in this example operates correctly if the Employee ID
variable contains only standard alphanumeric text. If it has a value
that includes meta-characters or source code, then the code will be
executed by the web browser as it displays the HTTP response. Initially
this might not appear to be much of a vulnerability. After all, why
would someone enter a URL that causes malicious code to run on their own
computer? The real danger is that an attacker will create the malicious
URL, then use e-mail or social engineering tricks to lure victims into
visiting a link to the URL. When victims click the link, they
unwittingly reflect the malicious content through the vulnerable web
application back to their own computers. This mechanism of exploiting
vulnerable web applications is known as Reflected XSS.
Example 2
This example covers a Stored XSS (Type 2) scenario.
The following JSP code segment queries a database for an employee with
a given ID and prints the corresponding employee's name.
(Bad Code)
JSP
<%
...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where
id="+eid);
if (rs != null) {
rs.next();
String name = rs.getString("name");
%>
Employee Name: <%= name %>
The following ASP.NET code segment queries a database for an employee
with a given employee ID and prints the name corresponding with the
ID.
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
EmployeeName.Text = name;
This code functions correctly when the values of name are
well-behaved, but it does nothing to prevent exploits if they are not.
This code can appear less dangerous because the value of name is read
from a database, whose contents are apparently managed by the
application. However, if the value of name originates from user-supplied
data, then the database can be a conduit for malicious content. Without
proper input validation on all data stored in the database, an attacker
can execute malicious commands in the user's web browser. This type of
exploit, known as Stored XSS, is particularly insidious because the
indirection caused by the data store makes it more difficult to identify
the threat and increases the possibility that the attack will affect
multiple users.
XSS got its start in this form with web sites that offered a
"guestbook" to visitors. Attackers would include JavaScript in their
guestbook entries, and all subsequent visitors to the guestbook page
would execute the malicious code. As the examples demonstrate, XSS
vulnerabilities are caused by code that includes unvalidated data in an
HTTP response. To summarize the basic points of Stored XSS:
A source outside the application stores dangerous data in a
database or other data store
The dangerous data is subsequently read back into the application
as trusted data
Use languages, libraries, or frameworks that make it easier to
generate properly encoded output.
Examples include Microsoft's Anti-XSS library, the OWASP ESAPI
Encoding module, and Apache Wicket.
Architecture and Design
For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side, in order to avoid
CWE-602. Attackers can bypass the client-side checks by modifying values
after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values
would be submitted to the server.
Implementation
Architecture and Design
Understand the context in which your data will be used and the
encoding that will be expected. This is especially important when
transmitting data between different components, or when generating
outputs that can contain multiple encodings at the same time, such as
web pages or multi-part mail messages. Study all expected communication
protocols and data representations to determine the required encoding
strategies.
For any data that will be output to another web page, especially any
data that was received from external inputs, use the appropriate
encoding on all non-alphanumeric characters. This encoding will vary
depending on whether the output is part of the HTML body, element
attributes, URIs, JavaScript sections, Cascading Style Sheets, etc. Note
that HTML Entity Encoding is only appropriate for the HTML body.
Implementation
Use and specify a strong character encoding such as ISO-8859-1 or
UTF-8. When an encoding is not specified, the web browser may choose a
different encoding by guessing which encoding is actually being used by
the web page. This can open you up to subtle XSS attacks related to that
encoding. See CWE-116 for more mitigations related to
encoding/escaping.
Implementation
With Struts, you should write all data from form beans with the bean's
filter attribute set to true.
Implementation
To help mitigate XSS attacks against the user's session cookie, set
the session cookie to be HttpOnly. In browsers that support the HttpOnly
feature (such as more recent versions of Internet Explorer and Firefox),
this attribute can prevent the user's session cookie from being
accessible to malicious client-side scripts that use document.cookie.
This is not a complete solution, since HttpOnly is not supported by all
browsers. More importantly, XMLHTTPRequest and other powerful browser
technologies provide read access to HTTP headers, including the
Set-Cookie header in which the HttpOnly flag is set.
Implementation
Assume all input is malicious. Use an "accept known good" input
validation strategy (i.e., use a whitelist). Reject any input that does
not strictly conform to specifications, or transform it into something
that does. Use a blacklist to reject any unexpected inputs and detect
potential attacks.
Use a standard input validation mechanism to validate all input for
length, type, syntax, and business rules before accepting the input for
further processing. As an example of business rule logic, "boat" may be
syntactically valid because it only contains alphanumeric characters,
but it is not valid if you are expecting colors such as "red" or
"blue."
When dynamically constructing web pages, use stringent whitelists that
limit the character set based on the expected value of the parameter in
the request. All input should be validated and cleansed, not just
parameters that the user is supposed to specify, but all data in the
request, including hidden fields, cookies, headers, the URL itself, and
so forth. A common mistake that leads to continuing XSS vulnerabilities
is to validate only fields that are expected to be redisplayed by the
site. It is common to see data from the request that is reflected by the
application server or the application that the development team did not
anticipate. Also, a field that is not currently reflected may be used by
a future developer. Therefore, validating ALL parts of the HTTP request
is recommended.
Note that proper output encoding, escaping, and quoting is the most
effective solution for preventing XSS, although input validation may
provide some defense-in-depth. This is because it effectively limits
what will appear in output. Input validation will not always prevent
XSS, especially if you are required to support free-form text fields
that could contain arbitrary characters. For example, in a chat
application, the heart emoticon ("<3") would likely pass the
validation step, since it is commonly used. However, it cannot be
directly inserted into the web page because it contains the "<"
character, which would need to be escaped or otherwise handled. In this
case, stripping the "<" might reduce the risk of XSS, but it
would produce incorrect behavior because the emoticon would not be
recorded. This might seem to be a minor inconvenience, but it would be
more important in a mathematical forum that wants to represent
inequalities.
Even if you make a mistake in your validation (such as forgetting one
out of 100 input fields), appropriate encoding is still likely to
protect you from injection-based attacks. As long as it is not done in
isolation, input validation is still a useful technique, since it may
significantly reduce your attack surface, allow you to detect some
attacks, and provide other security benefits that proper encoding does
not address.
Ensure that you perform input validation at well-defined interfaces
within the application. This will help protect the application even if a
component is reused or moved elsewhere.
Testing
Implementation
Use automated static analysis tools that target this type of weakness.
Many modern techniques use data flow analysis to minimize the number of
false positives. This is not a perfect solution, since 100% accuracy and
coverage are not feasible.
Testing
Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results.
Testing
Use the XSS Cheat Sheet (see references) to launch a wide variety of
attacks against your web application. The Cheat Sheet contains many
subtle XSS variations that are specifically targeted against weak XSS
defenses.
Operation
Use an application firewall that can detect attacks against this
weakness. This might not catch all attacks, and it might require some
effort for customization. However, it can be beneficial in cases in
which the code cannot be fixed (because it is controlled by a third
party), as an emergency prevention measure while more comprehensive
software assurance measures are applied, or to provide defense in
depth.
Background Details
Same Origin Policy
The same origin policy states that browsers should limit the resources
accessible to scripts running on a given web site , or "origin", to the
resources associated with that web site on the client-side, and not the
client-side resources of any other sites or "origins". The goal is to
prevent one site from being able to modify or read the contents of an
unrelated site. Since the World Wide Web involves interactions between many
sites, this policy is important for browsers to enforce.
Domain
The Domain of a website when referring to XSS is roughly equivalent to the
resources associated with that website on the client-side of the connection.
That is, the domain can be thought of as all resources the browser is
storing for the user's interactions with this particular site.
Weakness Ordinalities
Ordinality
Description
Resultant
(where the
weakness is typically related to the presence of some other
weaknesses)
The software contains a hard-coded password, which it uses for
its own inbound authentication or for outbound communication to external
components.
Extended Description
A hard-coded password typically leads to a significant authentication
failure that can be difficult for the system administrator to detect. Once
detected, it can be difficult to fix, so the administrator maybe forced into
disabling the product entirely. There are two main variations:
Inbound: the software contains an authentication mechanism that checks
for a hard-coded password.
Outbound: the software connects to another system or component, and it
contains hard-coded password for connecting to that component.
In the Inbound variant, a default administration account is created, and a
simple password is hard-coded into the product and associated with that
account. This hard-coded password is the same for each installation of the
product, and it usually cannot be changed or disabled by system
administrators without manually modifying the program, or otherwise patching
the software. If the password is ever discovered or published (a common
occurrence on the Internet), then anybody with knowledge of this password
can access the product. Finally, since all installations of the software
will have the same password, even across different organizations, this
enables massive attacks such as worms to take place.
The Outbound variant applies to front-end systems that authenticate with a
back-end service. The back-end service may require a fixed password which
can be easily discovered. The programmer may simply hard-code those back-end
credentials into the front-end software. Any user of that program may be
able to extract the password. Client-side systems with hard-coded passwords
pose even more of a threat, since the extraction of a password from a binary
is usually very simple.
Time of Introduction
Implementation
Architecture and Design
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Authentication
If hard-coded passwords are used, it is almost certain that malicious
users will gain access through the account in question.
Likelihood of Exploit
Very High
Demonstrative Examples
Example 1
The following code uses a hard-coded password to connect to a
database:
This is an example of an external hard-coded password on the
client-side of a connection. This code will run successfully, but anyone
who has access to it will have access to the password. Once the program
has shipped, there is no going back from the database user "scott" with
a password of "tiger" unless the program is patched. A devious employee
with access to this information can use it to break into the system.
Even worse, if attackers have access to the bytecode for application,
they can use the javap -c command to access the disassembled code, which
will contain the values of the passwords used. The result of this
operation might look something like the following for the example
above:
(Attack)
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger
Example 2
The following code is an example of an internal hard-coded password
in the back-end:
(Bad Code)
C and C++
int VerifyAdmin(char *password) {
if (strcmp(password, "Mew!")) {
printf("Incorrect Password!\n");
return(0)
}
printf("Entering Diagnostic Mode...\n");
return(1);
}
(Bad Code)
Java
int VerifyAdmin(String password) {
if (passwd.Equals("Mew!")) {
return(0)
}
//Diagnostic Mode
return(1);
}
Every instance of this program can be placed into diagnostic mode with
the same password. Even worse is the fact that if this program is
distributed as a binary-only distribution, it is very difficult to
change that password or disable this "functionality."
Potential Mitigations
Phase
Description
Architecture and Design
For outbound authentication: store passwords outside of the code in a
strongly-protected, encrypted configuration file or database that is
protected from access by all outsiders, including other local users on
the same system. Properly protect the key (CWE-320). If you cannot use
encryption to protect the file, then make sure that the permissions are
as restrictive as possible.
Architecture and Design
For inbound authentication: Rather than hard-code a default username
and password for first time logins, utilize a "first login" mode that
requires the user to enter a unique strong password.
Architecture and Design
Perform access control checks and limit which entities can access the
feature that requires the hard-coded password. For example, a feature
might only be enabled through the system console instead of through a
network connection.
Architecture and Design
For inbound authentication: apply strong one-way hashes to your
passwords and store those hashes in a configuration file or database
with appropriate access control. That way, theft of the file/database
still requires the attacker to try to crack the password. When handling
an incoming password during authentication, take the hash of the
password and compare it to the hash that you have saved.
Use randomly assigned salts for each separate hash that you generate.
This increases the amount of computation that an attacker needs to
conduct a brute-force attack, possibly limiting the effectiveness of the
rainbow table method.
Architecture and Design
For front-end to back-end connections: Three solutions are possible,
although none are complete.
The first suggestion involves the use of generated passwords which
are changed automatically and must be entered at given time
intervals by a system administrator. These passwords will be held in
memory and only be valid for the time intervals.
Next, the passwords used should be limited at the back end to only
performing actions valid for the front end, as opposed to having
full access.
Finally, the messages sent should be tagged and checksummed with
time sensitive values so as to prevent replay style attacks.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
Testing
Use monitoring tools that examine the software's process as it
interacts with the operating system and the network. This technique is
useful in cases when source code is unavailable, if the software was not
developed by you, or if you want to verify that the build phase did not
introduce any new weaknesses. Examples include debuggers that directly
attach to the running process; system-call tracing utilities such as
truss (Solaris) and strace (Linux); system activity monitors such as
FileMon, RegMon, Process Monitor, and other Sysinternals utilities
(Windows); and sniffers and protocol analyzers that monitor network
traffic.
Attach the monitor to the process and perform a login. Using
disassembled code, look at the associated instructions and see if any of
them appear to be comparing the input to a fixed string or value.
Weakness Ordinalities
Ordinality
Description
Primary
(where the
weakness exists independent of other weaknesses)
Lifting credential(s)/key material embedded in client distributions (thick or thin)
White Box Definitions
Definition: A weakness where code path has:
1. end statement that passes a data item to a password function
2. value of the data item is a constant
Maintenance Notes
This entry should probably be split into multiple variants: an inbound
variant (as seen in the second demonstrative example) and an outbound
variant (as seen in the first demonstrative example). These variants are
likely to have different consequences, detectability, etc. See extended
description.
Content History
Submissions
Submission Date
Submitter
Organization
Source
7 Pernicious Kingdoms
Externally Mined
Modifications
Modification Date
Modifier
Organization
Source
2008-07-01
Eric Dalci
Cigital
External
updated Time of Introduction
2008-08-01
KDM Analytics
External
added/updated white box definitions
2008-08-15
Veracode
External
Suggested OWASP Top Ten 2004
mapping
2008-09-08
CWE Content Team
MITRE
Internal
updated Common Consequences, Relationships, Other Notes,
Taxonomy Mappings, Weakness Ordinalities
2008-10-14
CWE Content Team
MITRE
Internal
updated Description,
Potential Mitigations
2008-11-13
CWE Content Team
MITRE
Internal
Significant description modifications to emphasize
different variants.
2008-11-24
CWE Content Team
MITRE
Internal
updated Demonstrative Examples, Description,
Maintenance Notes, Other Notes, Potential Mitigations
The software does not perform or incorrectly performs access
control checks across all potential execution paths.
Extended Description
When access control checks are not applied consistently - or not at all -
users are able to access data or perform actions that they should not be
allowed to perform. This can lead to a wide range of problems, including
information leaks, denial of service, and arbitrary code execution.
Time of Introduction
Architecture and Design
Implementation
Operation
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Availability
Confidentiality
Integrity
Allowing access to unauthorized users can result in an attacker
gaining access to the sensitive resources being protected, possibly
modifying or removing them, or performing unauthorized actions.
Likelihood of Exploit
High
Potential Mitigations
Phase
Description
Architecture and Design
Divide your application into anonymous, normal, privileged, and
administrative areas. Reduce the attack surface by carefully mapping
roles with data and functionality. Use role-based access control (RBAC)
to enforce the roles at the appropriate boundaries.
Note that this approach may not protect against horizontal
authorization, i.e., it will not protect a user from attacking others
with the same role.
Architecture and Design
Ensure that you perform access control checks related to your business
logic. These may be different than the access control checks that you
apply to the resources that support your business logic.
Architecture and Design
Use authorization frameworks such as the JAAS Authorization Framework
and the OWASP ESAPI Access Control feature.
Architecture and Design
For web applications, make sure that the access control mechanism is
enforced correctly at the server side on every page. Users should not be
able to access any unauthorized functionality or information by simply
requesting direct access to that page.
One way to do this is to ensure that all pages containing sensitive
information are not cached, and that all such pages restrict access to
requests that are accompanied by an active and authenticated session
token associated with a user who has the required permissions to access
that page.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
System Configuration
Installation
Use the access control capabilities of your operating system and
server environment and define your access control lists accordingly. Use
a "default deny" policy when defining these ACLs.
The software prepares a structured message for communication
with another component, but encoding or escaping of the data is either missing
or done incorrectly. As a result, the intended structure of the message is not
preserved.
Extended Description
Improper encoding or escaping can allow attackers to change the commands
that are sent to another component, inserting malicious commands
instead.
Most software follows a certain protocol that uses structured messages for
communication between components, such as queries or commands. These
structured messages can contain raw data interspersed with metadata or
control information. For example, "GET /index.html HTTP/1.1" is a structured
message containing a command ("GET") with a single argument ("/index.html")
and metadata about which protocol version is being used ("HTTP/1.1").
If an application uses attacker-supplied inputs to construct a structured
message without properly encoding or escaping, then the attacker could
insert special characters that will cause the data to be interpreted as
control information or metadata. Consequently, the component that receives
the output will perform the wrong operations, or otherwise interpret the
data incorrectly.
Alternate Terms
Output Sanitization
Output Validation
Output Encoding
Terminology Notes
The usage of the "encoding" and "escaping" terms varies widely. For
example, in some programming languages, the terms are used interchangeably,
while other languages provide APIs that use both terms for different tasks.
This overlapping usage extends to the Web, such as the "escape" JavaScript
function whose purpose is stated to be encoding. Of course, the concepts of
encoding and escaping predate the Web by decades. Given such a context, it
is difficult for CWE to adopt a consistent vocabulary that will not be
misinterpreted by some constituency.
Time of Introduction
Architecture and Design
Implementation
Operation
Applicable Platforms
Languages
All
Technology Classes
Database-Server: (Often)
Web-Server: (Often)
Common Consequences
Scope
Effect
Integrity
Confidentiality
Authorization
The communications between components can be modified in unexpected
ways. Unexpected commands can be executed, bypassing other security
mechanisms. Incoming data can be misinterpreted
Likelihood of Exploit
Very High
Demonstrative Examples
Example 1
Here a value read from an HTML form parameter is reflected back to
the client browser without having been encoded prior to output.
Consider a chat application in which a front-end web application
communicates with a back-end server. The back-end is legacy code that does
not perform authentication or authorization, so the front-end must implement
it. The chat protocol supports two commands, SAY and BAN, although only
administrators can use the BAN command. Each argument must be separated by a
single space. The raw inputs are URL-encoded. The messaging protocol allows
multiple commands to be specified on the same line if they are separated by
a "|" character.
Back End: Command Processor Code
(Bad Code)
Perl
$inputString = readLineFromFileHandle($serverFH);
# generate an array of strings separated by the "|"
character.
@commands = split(/\|/, $inputString);
foreach $cmd (@commands) {
# separate the operator from its arguments based on a single
whitespace
($operator, $args) = split(/ /, $cmd, 2);
$args = UrlDecode($args);
if ($operator eq "BAN") {
ExecuteBan($args);
}
elsif ($operator eq "SAY") {
ExecuteSay($args);
}
}
Front End: Web Application
In this code, the web application receives a command, encodes it for
sending to the server, performs the authorization check, and sends the
command to the server.
(Bad Code)
Perl
$inputString = GetUntrustedArgument("command");
($cmd, $argstr) = split(/\s+/, $inputString, 2);
# removes extra whitespace and also changes CRLF's to
spaces
$argstr =~ s/\s+/ /gs;
$argstr = UrlEncode($argstr);
if (($cmd eq "BAN") && (!
IsAdministrator($username))) {
die "Error: you are not the admin.\n";
}
# communicate with file server using a file handle
$fh = GetServerFileHandle("myserver");
print $fh "$cmd $argstr\n";
Diagnosis
It is clear that, while the protocol and back-end allow multiple
commands to be sent in a single request, the front end only intends to
send a single command. However, the UrlEncode function could leave the
"|" character intact. If an attacker provides:
(Attack)
SAY hello world|BAN user12
then the front end will see this is a "SAY" command, and the $argstr
will look like "hello world | BAN user12". Since the command is "SAY",
the check for the "BAN" command will fail, and the front end will send
the URL-encoded command to the back end:
SAY hello%20world|BAN%20user12
The back end, however, will treat these as two separate commands: "SAY
hello world" and "BAN user12". Notice, however, that if the front end
properly encodes the "|" with "%7C", then the back end will only process
a single command.
Example 3
This example takes user input, passes it through an encoding scheme
and then creates a directory specified by the user.
(Bad Code)
Perl
sub GetUntrustedInput {
return($ARGV[0]);
}
sub encode {
my($str) = @_;
$str =~ s/\&/\&/gs;
$str =~ s/\"/\"/gs;
$str =~ s/\'/\'/gs;
$str =~ s/\</\</gs;
$str =~ s/\>/\>/gs;
return($str);
}
sub doit {
my $uname = encode(GetUntrustedInput("username"));
print "<b>Welcome,
$uname!</b><p>\n";
system("cd /home/$uname; /bin/ls -l");
}
The programmer attempts to encode dangerous characters, however the
blacklist for encoding is incomplete (CWE-184) and an attacker can still
pass a semicolon, resulting in a chain with command injection
(CWE-77).
Additionally, the encoding routine is used inappropriately with
command execution. An attacker doesn't even need to insert their own
semicolon. The attacker can instead leverage the encoding routine to
provide the semicolon to separate the commands. If an attacker supplies
a string of the form:
(Attack)
' pwd
then the program will encode the apostrophe and insert the semicolon,
which functions as a command separator when passed to the system
function. This allows the attacker to complete the command
injection.
OS command injection in backup software using
shell metacharacters in a filename; correct behavior would require that this
filename could not be changed.
Web application does not set the charset when
sending a page to a browser, allowing for XSS exploitation when a browser
chooses an unexpected encoding.
Cross-site scripting in chat application via a
message, which normally might be allowed to contain arbitrary
content.
Potential Mitigations
Phase
Description
Architecture and Design
Use languages, libraries, or frameworks that make it easier to
generate properly encoded output.
Examples include the ESAPI Encoding control.
Alternately, use built-in functions, but consider using wrappers in
case those functions are discovered to have a vulnerability.
Architecture and Design
If available, use structured mechanisms that automatically enforce the
separation between data and code. These mechanisms may be able to
provide the relevant quoting, encoding, and validation automatically,
instead of relying on the developer to provide this capability at every
point where output is generated.
For example, stored procedures can enforce database query structure
and reduce the likelihood of SQL injection.
Architecture and Design
Implementation
Understand the context in which your data will be used and the
encoding that will be expected. This is especially important when
transmitting data between different components, or when generating
outputs that can contain multiple encodings at the same time, such as
web pages or multi-part mail messages. Study all expected communication
protocols and data representations to determine the required encoding
strategies.
Architecture and Design
In some cases, input validation may be an important strategy when
output encoding is not a complete solution. For example, you may be
providing the same output that will be processed by multiple consumers
that use different encodings or representations. In other cases, you may
be required to allow user-supplied input to contain control information,
such as limited HTML tags that support formatting in a wiki or bulletin
board. When this type of requirement must be met, use an extremely
strict whitelist to limit which control sequences can be used. Verify
that the resulting syntactic structure is what you expect. Use your
normal encoding methods for the remainder of the input.
Architecture and Design
Use input validation as a defense-in-depth measure to reduce the
likelihood of output encoding errors (see CWE-20).
Requirements
Fully specify which encodings are required by components that will be
communicating with each other.
Implementation
When exchanging data between components, ensure that both components
are using the same character encoding. Ensure that the proper encoding
is applied at each interface. Explicitly set the encoding you are using
whenever the protocol allows you to do so.
Testing
Implementation
Use automated static analysis tools that target this type of weakness.
Many modern techniques use data flow analysis to minimize the number of
false positives. This is not a perfect solution, since 100% accuracy and
coverage are not feasible.
Testing
Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results.
This weakness is primary to all weaknesses related to injection (CWE-74)
since the inherent nature of injection involves the violation of structured
messages.
CWE-116 and CWE-20 have a close association because, depending on the
nature of the structured message, proper input validation can indirectly
prevent special characters from changing the meaning of a structured
message. For example, by validating that a numeric ID field should only
contain the 0-9 characters, the programmer effectively prevents injection
attacks.
However, input validation is not always sufficient, especially when less
stringent data types must be supported, such as free-form text. Consider a
SQL injection scenario in which a last name is inserted into a query. The
name "O'Reilly" would likely pass the validation step since it is a common
last name in the English language. However, it cannot be directly inserted
into the database because it contains the "'" apostrophe character, which
would need to be escaped or otherwise handled. In this case, stripping the
apostrophe might reduce the risk of SQL injection, but it would produce
incorrect behavior because the wrong name would be recorded.
Research Gaps
While many published vulnerabilities are related to insufficient output
encoding, there is such an emphasis on input validation as a protection
mechanism that the underlying causes are rarely described. Within CVE, the
focus is primarily on well-understood issues like cross-site scripting and
SQL injection. It is likely that this weakness frequently occurs in custom
protocols that support multiple encodings, which are not necessarily
detectable with automated techniques.
Theoretical Notes
This is a data/directive boundary error in which data boundaries are not
sufficiently enforced before it is sent to a different control
sphere.
The software does not initialize or incorrectly initializes a
resource, which might leave the resource in an unexpected state when it is
accessed or used.
Extended Description
This can have security implications when the associated resource is
expected to have certain properties or values, such as a variable that
determines whether a user has been authenticated or not.
Time of Introduction
Implementation
Operation
Applicable Platforms
Languages
All
Modes of Introduction
This weakness can occur in code paths that are not well-tested, such as
rare error conditions. This is because the use of uninitialized data would
be noticed as a bug during frequently-used functionality.
Common Consequences
Scope
Effect
Confidentiality
When reusing a resource such as memory or a program variable, the
original contents of that resource may not be cleared before it is sent
to an untrusted party.
Integrity
If security-critical decisions rely on a variable having a "0" or
equivalent value, and the programming language performs this
initialization on behalf of the programmer, then a bypass of security
may occur.
Availability
The uninitialized data may contain values that cause program flow to
change in ways that the programmer did not intend. For example, if an
uninitialized variable is used as an array index in C, then its previous
contents may produce an index that is outside the range of the array,
possibly causing a crash or an exit in other environments.
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
Here, a boolean initiailized field is consulted to ensure that
initialization tasks are only completed once. However, the field is
mistakenly set to true during static initialization, so the initialization
code is never reached.
(Bad Code)
Java
private boolean initialized = true;
public void someMethod() {
if (!initialized) {
// perform initialization tasks
...
initialized = true;
}
Example 2
The following code intends to limit certain operations to the
administrator only.
(Bad Code)
Perl
$username = GetCurrentUser();
$state = GetStateData($username);
if (defined($state)) {
$uid = ExtractUserID($state);
}
# do stuff
if ($uid == 0) {
DoAdminThings();
}
If the application is unable to extract the state information - say,
due to a database timeout - then the $uid variable will not be
explicitly set by the programmer. This will cause $uid to be regarded as
equivalent to "0" in the conditional, allowing the original user to
perform administrator actions. Even if the attacker cannot directly
influence the state data, unexpected errors could cause incorrect
privileges to be assigned to a user just by accident.
Example 3
The following code intends to concatenate a string to a variable and
print the string.
(Bad Code)
C
char str[20];
strcat(str, "hello world");
printf("%s", str);
This might seem innocent enough, but str was not initialized, so it
contains random memory. As a result, str[0] might not contain the null
terminator, so the copy might start at an offset other than 0. The
consequences can vary, depending on the underlying memory.
If a null terminator is found before str[8], then some bytes of random
garbage will be printed before the "hello world" string. The memory
might contain sensitive information from previous uses, such as a
password (which might occur as a result of CWE-14 or CWE-244). In this
example, it might not be a big deal, but consider what could happen if
large amounts of memory are printed out before the null terminator is
found.
If a null terminator isn't found before str[8], then a buffer overflow
could occur, since strcat will first look for the null terminator, then
copy 12 bytes starting with that location. Alternately, a buffer
over-read might occur (CWE-126) if a null terminator isn't found before
the end of the memory segment is reached, leading to a segmentation
fault and crash.
Permission bitmap is not properly initialized,
leading to resultant privilege elevation or
DoS.
Potential Mitigations
Phase
Description
Requirements
Use a language with features that can automatically mitigate or
eliminate weaknesses related to initialization.
For example, in Java, if the programmer does not explicitly initialize
a variable, then the code could produce a compile-time error (if the
variable is local) or automatically initialize the variable to the
default value for the variable's type. In Perl, if explicit
initialization is not performed, then a default value of undef is
assigned, which is interpreted as 0, false, or an equivalent value
depending on the context in which the variable is accessed.
Architecture and Design
Identify all variables and data stores that receive information from
external sources, and apply input validation to make sure that they are
only initialized to expected values.
Implementation
Explicitly initialize all your variables and other data stores, either
during declaration or just before the first usage.
Implementation
Pay close attention to complex conditionals that affect
initialization, since some conditions might not perform the
initialization.
Implementation
Avoid race conditions (CWE-362) during initialization routines.
Build and Compilation
Run or compile your software with settings that generate warnings
about uninitialized variables or data.
Testing
Use automated static analysis tools that target this type of weakness.
Many modern techniques use data flow analysis to minimize the number of
false positives. This is not a perfect solution, since 100% accuracy and
coverage are not feasible.
Testing
Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results.
Testing
Stress-test the software by calling it simultaneously from a large
number of threads or processes, and look for evidence of any unexpected
behavior. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results.
Testing
Identify error conditions that are not likely to occur during normal
usage and trigger them. For example, run the program under low memory
conditions, run with insufficient privileges or permissions, interrupt a
transaction before it is completed, or disable connectivity to basic
network services such as DNS. Monitor the software for any unexpected
behavior. If you trigger an unhandled exception or similar error that
was discovered and handled by the application's environment, it may
still indicate unexpected conditions that were not handled by the
application itself.
Weakness Ordinalities
Ordinality
Description
Primary
(where the
weakness exists independent of other weaknesses)
Resultant
(where the
weakness is typically related to the presence of some other
weaknesses)
The product does not validate or incorrectly validates input
that can affect the control flow or data flow of a
program.
Extended Description
When software fails to validate input properly, an attacker is able to
craft the input in a form that is not expected by the rest of the
application. This will lead to parts of the system receiving unintended
input, which may result in altered control flow, arbitrary control of a
resource, or arbitrary code execution.
Terminology Notes
The "input validation" term is extremely common, but it is used in many
different ways. In some cases its usage can obscure the real underlying
weakness or otherwise hide chaining and composite relationships.
Some people use "input validation" as a general term that covers many
different techniques for ensuring that input is appropriate, such as
cleansing/filtering, canonicalization, and escaping. Others use the term in
a more narrow context to simply mean "checking if an input conforms to
expectations without changing it."
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Platform Notes
Input validation can be a problem in any system that handles data from an
external source.
Modes of Introduction
If a programmer believes that an attacker cannot modify certain inputs,
then the programmer might not perform any input validation at all. For
example, in web applications, many programmers believe that cookies and
hidden form fields can not be modified from a web browser (CWE-472),
although they can be altered using a proxy or a custom program. In a
client-server architecture, the programmer might assume that client-side
security checks cannot be bypassed, even when a custom client could be
written that skips those checks (CWE-602).
Common Consequences
Scope
Effect
Availability
An attacker could provide unexpected values and cause a program crash
or excessive consumption of resources, such as memory and CPU.
Confidentiality
An attacker could read confidential data if they are able to control
resource references.
Integrity
An attacker could use malicious input to modify data or possibly alter
control flow in unexpected ways, including arbitrary command
execution.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
This example demonstrates a shopping interaction in which the user
is free to specify the quantity of items to be purchased and a total is
calculated.
(Bad Code)
Java
...
public static final double price = 20.00;
int quantity = currentUser.getAttribute("quantity");
double total = price * quantity;
chargeUser(total);
...
The user has no control over the price variable, however the code does
not prevent a negative value from being specified for quantity. If an
attacker were to provide a negative value, then the user would have
their account credited instead of debited.
Example 2
This example asks the user for a height and width of an m X n game
board with a maximum dimension of 100 squares.
(Bad Code)
C
...
#define MAX_DIM 100
...
int m,n, error; /* board dimensions */
board_square_t *board;
printf("Please specify the board height: \n");
error = scanf("%d", &m);
if ( EOF == error ){
die("No integer passed: Die evil hacker!\n");
}
printf("Please specify the board width: \n");
error = scanf("%d", &n);
if ( EOF == error ){
die("No integer passed: Die evil hacker!\n");
}
if ( m > MAX_DIM || n > MAX_DIM ) {
die("Value too large: Die evil hacker!\n");
}
board = (board_square_t*) malloc( m * n *
sizeof(board_square_t));
...
While this code checks to make sure the user cannot specify large,
positive integers and consume too much memory, it fails to check for
negative values supplied by the user. As a result, an attacker can
perform a resource consumption (CWE-400) attack against this program by
specifying two, large negative values that will not overflow, resulting
in a very large memory allocation (CWE-789) and possibly a system crash.
Alternatively, an attacker can provide very large negative values which
will cause an integer overflow (CWE-190) and unexpected behavior will
follow depending on how the values are treated in the remainder of the
program.
Example 3
The following example shows a PHP application in which the
programmer attempts to display a user's birthday and homepage.
The programmer intended for $birthday to be in a date format and
$homepage to be a valid URL. However, since the values are derived from
an HTTP request, if an attacker can trick a victim into clicking a
crafted URL with <script> tags providing the values for
birthday and / or homepage, then the script will run on the client's
browser when the webserver echoes the content. Notice that even if the
programmer were to defend the $birthday variable by restricting input to
integers and dashes, it would still be possible for an attacker to
provide a string of the form:
(Attack)
2009-01-09--
If this data were used in a SQL statement, it would treat the
remainder of the statement as a comment. The comment could disable other
security-related logic in the statement. In this case, encoding combined
with input validation would be a more useful protection
mechanism.
Furthermore, an XSS (CWE-79) attack or SQL injection (CWE-89) are just
a few of the potential consequences in a failed protection mechanism of
this nature. Depending on the context of the code, CRLF Injection
(CWE-93), Argument Injection (CWE-88), or Command Injection (CWE-77) may
also be possible.
Example 4
This function attempts to extract a pair of numbers from a
user-supplied string.
View Data 
