Failure to Fulfill API Contract ('API Abuse')
Weakness ID: 227 (Weakness Class)
Status: Draft

Description

Description Summary

The software uses an API in a manner contrary to its intended use.

Extended Description

An API is a contract between a caller and a callee. The most common forms of API misuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
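The chroot()/chdir() contract mentioned above, as an added example that is not part of the CWE entry: enter_jail() performs the steps the contract requires (move into the jail, change the root, re-anchor the working directory at the new root) and then verifies that "/" really is the intended directory. The jail path in main() is an assumption; the call needs root or CAP_SYS_CHROOT to succeed.

```c
/* Added example, not CWE text. Calling chroot() without a following chdir()
 * (CWE-243) leaves the working directory outside the new root, so relative
 * paths still resolve to the original filesystem. enter_jail() honours the
 * contract and returns 0 on success, -1 with errno set on any failure. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

int enter_jail(const char *jail_dir)
{
    struct stat jail_st, root_st;

    if (jail_dir == NULL || jail_dir[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    /* Record the identity (device, inode) of the intended root for later verification. */
    if (stat(jail_dir, &jail_st) != 0)
        return -1;
    /* Step 1: move into the jail first, so "." is inside the future root. */
    if (chdir(jail_dir) != 0)
        return -1;
    /* Step 2: change the root to the directory we are standing in. */
    if (chroot(".") != 0)
        return -1;
    /* Step 3: the step CWE-243 is about. Without it the cwd still points outside. */
    if (chdir("/") != 0)
        return -1;
    /* Verify: the new "/" must be the directory we asked to be jailed into. */
    if (stat("/", &root_st) != 0)
        return -1;
    if (root_st.st_dev != jail_st.st_dev || root_st.st_ino != jail_st.st_ino) {
        errno = EXDEV;
        return -1;
    }
    /* The caller should drop root privileges immediately after this returns. */
    return 0;
}

int main(void)
{
    if (enter_jail("/var/empty") != 0) {   /* jail path is an assumption */
        perror("enter_jail");
        return 1;
    }
    puts("now running inside the jail");
    return 0;
}
```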

Alternate Terms

API Abuse

Time of Introduction

  • Architecture and Design
  • Implementation
Observed Examples

Reference | Description
CVE-2006-7140 | crypto implementation removes padding when it shouldn't, allowing forged signatures
CVE-2006-4339 | crypto implementation removes padding when it shouldn't, allowing forged signatures
Potential Mitigations

Always utilize APIs in the specified manner.

Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 18 | Source Code | Development Concepts (primary) 699
ChildOf | Weakness Class | 710 | Coding Standards Violation | Research Concepts (primary) 1000
ParentOf | Weakness Base | 242 | Use of Inherently Dangerous Function | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 243 | Failure to Change Working Directory in chroot Jail | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 245 | J2EE Bad Practices: Direct Management of Connections | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 246 | J2EE Bad Practices: Direct Use of Sockets | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 247 | Reliance on DNS Lookups in a Security Decision | Development Concepts (primary) 699
ParentOf | Weakness Base | 248 | Uncaught Exception | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Class | 250 | Execution with Unnecessary Privileges | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Category | 251 | Often Misused: String Management | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 252 | Unchecked Return Value | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 253 | Incorrect Check of Function Return Value | Development Concepts (primary) 699
ParentOf | Weakness Variant | 382 | J2EE Bad Practices: Use of System.exit() | Development Concepts 699
ParentOf | Weakness Variant | 558 | Use of getlogin() in Multithreaded Application | Seven Pernicious Kingdoms (primary) 700
ParentOf | Category | 559 | Often Misused: Arguments and Parameters | Development Concepts (primary) 699
ParentOf | Weakness Class | 573 | Failure to Follow Specification | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 586 | Explicit Call to Finalize() | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 589 | Call to Non-ubiquitous API | Development Concepts (primary) 699
ParentOf | Weakness Base | 605 | Multiple Binds to the Same Port | Development Concepts (primary) 699
ParentOf | Weakness Base | 648 | Incorrect Use of Privileged APIs | Research Concepts 1000
ParentOf | Weakness Variant | 650 | Trusting HTTP Permission Methods on the Server Side | Research Concepts 1000
ParentOf | Weakness Base | 684 | Failure to Provide Specified Functionality | Development Concepts (primary) 699; Research Concepts (primary) 1000
MemberOf | View | 700 | Seven Pernicious Kingdoms | Seven Pernicious Kingdoms (primary) 700
PeerOf | Weakness Class | 675 | Duplicate Operations on Resource | Research Concepts 1000
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
7 Pernicious Kingdoms | | | API Abuse
WASC | 42 | | Abuse of Functionality
Related Attack Patterns (CAPEC Version: 1.4)

CAPEC-ID | Attack Pattern Name
96 | Block Access to Libraries
Content History

Submissions

Submission Date | Submitter | Organization | Source
 | 7 Pernicious Kingdoms | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Changes
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Taxonomy Mappings
2009-05-27 | CWE Content Team | MITRE | Internal | updated Name, Relationships

Previous Entry Names

Change Date | Previous Entry Name
2008-04-11 | API Abuse
2009-05-27 | Failure to Fulfill API Contract (aka 'API Abuse')