CWE-693: Protection Mechanism Failure
Weakness ID: 693 (Weakness Class) | Status: Draft
Description Summary
Extended Description
This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
This is a fairly high-level concept, although it covers a number of weaknesses in CWE that were more scattered throughout the natural hierarchy before Draft 9 was released.
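The three situations above (missing, insufficient, ignored) are easiest to tell apart on one small task. The following is an added illustration, not code from the CWE entry: four renderers that place an untrusted display name into an HTML fragment, plus a small audit helper that reports which inputs each renderer leaves unencoded. The renderer names, the probe strings and the audit helper are all constructed for this example.

```python
"""Three ways a protection mechanism can fail (CWE-693), shown on one
task: inserting an untrusted display name into an HTML fragment.

Added illustration; not code from the CWE entry. The renderer functions,
the probe strings and the audit helper are constructed for this example.
"""
import html
import re


def render_missing(name: str) -> str:
    """'Missing' mechanism: no output encoding is defined at all."""
    return f"<p>Hello, {name}!</p>"


def render_insufficient(name: str) -> str:
    """'Insufficient' mechanism: handles the most common case (tag
    injection, by dropping angle brackets) but not everything intended.
    Quotes pass through untouched, which matters once the same value is
    placed inside an attribute."""
    return f"<p>Hello, {name.replace('<', '').replace('>', '')}!</p>"


class ProfileRenderer:
    """'Ignored' mechanism: the product has a proper encoder and applies it
    on the greeting path, but the title path was written without it."""

    @staticmethod
    def encode(value: str) -> str:
        return html.escape(value, quote=True)

    def greeting(self, name: str) -> str:
        return f"<p>Hello, {self.encode(name)}!</p>"

    def title(self, name: str) -> str:
        # Defect: the encoder exists but is not applied on this code path.
        return f"<title>{name}</title>"


def render_hardened(name: str) -> str:
    """Mechanism applied consistently: every untrusted value goes through
    the same encoder, so correctness does not depend on each call site."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed probe inputs: a plain name, a name with an apostrophe, a
# double-quoted value, and a bare tag.
PROBES = ["Alice", "O'Neil", '"Bob"', "<b>bold</b>"]

# Properly encoded output never contains raw angle brackets or quotes in
# the untrusted slot; only entity forms (&lt; &gt; &quot; &#x27;) appear.
_RAW_META = re.compile(r"[<>\"']")


def audit(render, probes=PROBES, wrapper=r"^<p>Hello, (.*)!</p>$") -> list:
    """Return the probes for which `render` leaves raw HTML metacharacters
    in the untrusted slot. An empty list means the mechanism held."""
    leaky = []
    for probe in probes:
        inner = re.match(wrapper, render(probe)).group(1)
        if _RAW_META.search(inner):
            leaky.append(probe)
    return leaky


if __name__ == "__main__":
    renderer = ProfileRenderer()
    print("missing      :", audit(render_missing))
    print("insufficient :", audit(render_insufficient))
    print("ignored/title:", audit(renderer.title, wrapper=r"^<title>(.*)</title>$"))
    print("greeting     :", audit(renderer.greeting))
    print("hardened     :", audit(render_hardened))
```

The audit reads the same way a reviewer would classify a finding: `render_missing` fails on every non-trivial probe (missing), `render_insufficient` fails only on the quoted inputs (insufficient), and `ProfileRenderer` passes on one path and fails on the other (ignored). The hardened renderer and the greeting path return an empty list.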
Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 254 | Security Features | Development Concepts (primary) (699)
ParentOf | Weakness Class | 20 | Improper Input Validation | Research Concepts (primary) (1000)
ParentOf | Weakness Variant | 106 | Struts: Plug-in Framework not in Use | Research Concepts (primary) (1000)
ParentOf | Weakness Variant | 109 | Struts: Validator Turned Off | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 179 | Incorrect Behavior Order: Early Validation | Research Concepts (1000)
ParentOf | Weakness Base | 182 | Collapse of Data Into Unsafe Value | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 183 | Permissive Whitelist | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 184 | Incomplete Blacklist | Research Concepts (primary) (1000)
ParentOf | Weakness Variant | 262 | Not Using Password Aging | Research Concepts (1000)
ParentOf | Weakness Base | 269 | Improper Privilege Management | Research Concepts (primary) (1000)
ParentOf | Weakness Class | 284 | Access Control (Authorization) Issues | Research Concepts (primary) (1000)
ParentOf | Weakness Class | 287 | Improper Authentication | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 311 | Missing Encryption of Sensitive Data | Research Concepts (primary) (1000)
ParentOf | Weakness Class | 326 | Inadequate Encryption Strength | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 327 | Use of a Broken or Risky Cryptographic Algorithm | Research Concepts (primary) (1000)
ParentOf | Weakness Class | 345 | Insufficient Verification of Data Authenticity | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 357 | Insufficient UI Warning of Dangerous Operations | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 358 | Improperly Implemented Security Check for Standard | Research Concepts (1000)
ParentOf | Weakness Class | 424 | Failure to Protect Alternate Path | Research Concepts (1000)
ParentOf | Weakness Base | 521 | Weak Password Requirements | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 602 | Client-Side Enforcement of Server-Side Security | Research Concepts (1000)
ParentOf | Weakness Base | 640 | Weak Password Recovery Mechanism for Forgotten Password | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 653 | Insufficient Compartmentalization | Research Concepts (1000)
ParentOf | Weakness Base | 654 | Reliance on a Single Factor in a Security Decision | Research Concepts (1000)
ParentOf | Weakness Base | 655 | Insufficient Psychological Acceptability | Research Concepts (1000)
ParentOf | Weakness Base | 656 | Reliance on Security through Obscurity | Research Concepts (1000)
ParentOf | Weakness Class | 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | Research Concepts (primary) (1000)
ParentOf | Weakness Base | 778 | Insufficient Logging | Research Concepts (1000)
ParentOf | Weakness Base | 807 | Reliance on Untrusted Inputs in a Security Decision | Research Concepts (primary) (1000)
MemberOf | View | 1000 | Research Concepts | Research Concepts (primary) (1000)
Research Gaps

The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.
Related Attack Patterns (CAPEC Version: 1.4)

CAPEC-ID | Attack Pattern Name
---|---
1 | Accessing Functionality Not Properly Constrained by ACLs
97 | Cryptanalysis
16 | Dictionary-based Password Attack
17 | Accessing, Modifying or Executing Executable Files
20 | Encryption Brute Forcing
22 | Exploiting Trust in Client (aka Make the Client Invisible)
87 | Forceful Browsing
36 | Using Unpublished Web Service APIs
49 | Password Brute Forcing
51 | Poison Web Service Registry
55 | Rainbow Table Password Cracking
56 | Removing/short-circuiting 'guard logic'
59 | Session Credential Falsification through Prediction
65 | Passively Sniff and Capture Application Code Bound for Authorized Client
70 | Try Common(default) Usernames and Passwords
74 | Manipulating User State
57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle
103 | Clickjacking
107 | Cross Site Tracing
Modifications

Modification Date | Modifier | Organization | Source | Summary
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Other Notes
2009-01-12 | CWE Content Team | MITRE | Internal | updated Relationships
2009-03-10 | CWE Content Team | MITRE | Internal | updated Related Attack Patterns, Relationships
2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Related Attack Patterns
2009-07-27 | CWE Content Team | MITRE | Internal | updated Relationships
2009-10-29 | CWE Content Team | MITRE | Internal | updated Relationships