Failure to Fulfill API Contract ('API Abuse')
Weakness ID: 227 (Weakness Class) | Status: Draft
Description Summary
Extended Description
An API is a contract between a caller and a callee. The most common forms of API misuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
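The chroot()/chdir() contract mentioned above, as an added example that is not part of the CWE entry: a small wrapper that honours the callee's contract by calling chdir("/") after chroot() and checking every return value. The function name enter_jail and the directory used in main are assumptions for illustration.

```c
/* Added example (not from the CWE entry): entering a chroot jail the way
 * the API contract requires. The name enter_jail is an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Enters a chroot jail correctly: chroot() followed by chdir("/") so the
 * working directory lies inside the new root, with every return value
 * checked. Returns 0 on success, -1 on failure with errno set by the call
 * that failed (EPERM without CAP_SYS_CHROOT, ENOENT if dir does not exist). */
int enter_jail(const char *dir)
{
    if (dir == NULL || dir[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0) {
        /* Contract violation if ignored: a silently failed chroot() leaves
         * the process with its original root (see CWE-252). */
        return -1;
    }
    /* Contract violation if omitted: without chdir("/") the working
     * directory is still outside the jail, so relative paths resolve
     * there (see CWE-243). */
    if (chdir("/") != 0) {
        return -1;
    }
    return 0;
}

/* Stand-alone demonstration; needs CAP_SYS_CHROOT to actually succeed. */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/empty"; /* assumed path */

    if (enter_jail(dir) != 0) {
        fprintf(stderr, "enter_jail(%s) failed: %s\n", dir, strerror(errno));
        return 1;
    }
    printf("now inside jail %s with working directory /\n", dir);
    return 0;
}
```

Run it as an unprivileged user and the chroot() step reports EPERM instead of being silently skipped; the point of the wrapper is that neither step of the contract can be omitted or fail unnoticed.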
Observed Examples

Reference | Description
---|---
CVE-2006-7140 | crypto implementation removes padding when it shouldn't, allowing forged signatures
CVE-2006-4339 | crypto implementation removes padding when it shouldn't, allowing forged signatures
Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 18 | Source Code | Development Concepts (primary) 699
ChildOf | Weakness Class | 710 | Coding Standards Violation | Research Concepts (primary) 1000
ParentOf | Weakness Base | 242 | Use of Inherently Dangerous Function | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 243 | Failure to Change Working Directory in chroot Jail | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 245 | J2EE Bad Practices: Direct Management of Connections | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 246 | J2EE Bad Practices: Direct Use of Sockets | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 247 | Reliance on DNS Lookups in a Security Decision | Development Concepts (primary) 699
ParentOf | Weakness Base | 248 | Uncaught Exception | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Class | 250 | Execution with Unnecessary Privileges | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Category | 251 | Often Misused: String Management | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 252 | Unchecked Return Value | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 253 | Incorrect Check of Function Return Value | Development Concepts (primary) 699
ParentOf | Weakness Variant | 382 | J2EE Bad Practices: Use of System.exit() | Development Concepts 699
ParentOf | Weakness Variant | 558 | Use of getlogin() in Multithreaded Application | Seven Pernicious Kingdoms (primary) 700
ParentOf | Category | 559 | Often Misused: Arguments and Parameters | Development Concepts (primary) 699
ParentOf | Weakness Class | 573 | Failure to Follow Specification | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 586 | Explicit Call to Finalize() | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 589 | Call to Non-ubiquitous API | Development Concepts (primary) 699
ParentOf | Weakness Base | 605 | Multiple Binds to the Same Port | Development Concepts (primary) 699
ParentOf | Weakness Base | 648 | Incorrect Use of Privileged APIs | Research Concepts 1000
ParentOf | Weakness Variant | 650 | Trusting HTTP Permission Methods on the Server Side | Research Concepts 1000
ParentOf | Weakness Base | 684 | Failure to Provide Specified Functionality | Development Concepts (primary) 699; Research Concepts (primary) 1000
MemberOf | View | 700 | Seven Pernicious Kingdoms | Seven Pernicious Kingdoms (primary) 700
PeerOf | Weakness Class | 675 | Duplicate Operations on Resource | Research Concepts 1000
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
7 Pernicious Kingdoms | | | API Abuse
WASC | 42 | | Abuse of Functionality
Related Attack Patterns

CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4)
---|---|---
96 | Block Access to Libraries |
Content History

Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
| 7 Pernicious Kingdoms | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Taxonomy Mappings
2009-05-27 | CWE Content Team | MITRE | Internal | updated Name, Relationships

Previous Entry Names

Change Date | Previous Entry Name
---|---
2008-04-11 | API Abuse
2009-05-27 | Failure to Fulfill API Contract (aka 'API Abuse')