Intentionally Introduced Weakness
Category ID: 505 (Category)Status: Draft
+ Description

Description Summary

Weaknesses in this category were intentionally introduced by the developer, typically as a result of prioritizing other aspects of the program over security, such as maintenance.

Extended Description

Characterizing intention is tricky: some features intentionally placed in programs can at the same time inadvertently introduce security flaws. For example, a feature that facilitates remote debugging or system maintenance may at the same time provide a trapdoor to a system. Where such cases can be distinguished, they are categorized as intentional but nonmalicious. Not wishing to endow programs with intentions, we nevertheless use the terms "malicious flaw," "malicious code," and so on, as shorthand for flaws, code, etc., that have been introduced into a system by an individual with malicious intent. Although some malicious flaws could be disguised as inadvertent flaws, this distinction can be easy to make in practice. Inadvertently created Trojan horse programs are hardly likely, although an intentionally-introduced buffer overflow might plausibly seem to be an error.

+ Demonstrative Examples

Example 1

The following snippet from a Java servlet demonstrates the use of a "debug" parameter that invokes debug-related functionality. If deployed into production, an attacker may use the debug parameter to get the application to divulge sensitive information.

(Bad Code)
Example Language: Java 
String mode = request.getParameter("mode");
// perform requested servlet task
...

if (mode.equals(DEBUG)) {
// print sensitive information in client browser (PII, server statistics, etc.)
...
}
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory504Motivation/Intent
Development Concepts (primary)699
ParentOfWeakness ClassWeakness Class506Embedded Malicious Code
Development Concepts (primary)699
ParentOfCategoryCategory513Intentionally Introduced Nonmalicious Weakness
Development Concepts (primary)699
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
LandwehrIntentional
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
LandwehrExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Taxonomy Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-01-30Intentional
Back to top