Failure to Fulfill API Contract ('API Abuse')
Weakness ID: 227 (Weakness Class) | Status: Draft
Description Summary
Extended Description
An API is a contract between a caller and a callee. The most common forms of API misuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
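The chroot()/chdir() contract mentioned above, as an added example (not code from the CWE entry): the caller must move its working directory inside the new root after chroot(), and must check each return value rather than assume success. The `/var/empty` path used by `main` is an assumed jail directory; the incorrect variant is shown only for contrast.

```c
#define _DEFAULT_SOURCE   /* expose chroot() in glibc's unistd.h */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Correct jail entry. chroot() only changes the root used for path
 * resolution; the process's current working directory still refers to
 * the old tree until chdir() moves it inside the new root. The contract:
 *   1. chroot(dir)  -- requires privilege
 *   2. chdir("/")   -- place the cwd inside the new root
 * Every return value is checked (the Unchecked Return Value child, 252).
 * Returns 0 on success, -1 on failure with errno set. */
int enter_jail(const char *dir)
{
    if (dir == NULL || dir[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0) {
        return -1;   /* EPERM without privilege, ENOENT for a missing dir */
    }
    if (chdir("/") != 0) {
        /* New root but old cwd: an inconsistent state the caller must
         * treat as fatal instead of continuing. */
        return -1;
    }
    return 0;
}

/* Incorrect variant (the Failure to Change Working Directory child, 243):
 * chdir() is omitted, so relative paths still resolve against the old
 * directory tree. Shown only to make the missing step visible. */
int enter_jail_without_chdir(const char *dir)
{
    return chroot(dir);
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/empty";  /* assumed path */
    if (enter_jail(dir) != 0) {
        fprintf(stderr, "enter_jail(%s): %s\n", dir, strerror(errno));
        return 1;
    }
    puts("jail entered; working directory is inside the new root");
    return 0;
}
```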
Reference | Description
---|---
CVE-2006-7140 | crypto implementation removes padding when they shouldn't, allowing forged signatures
CVE-2006-4339 | crypto implementation removes padding when they shouldn't, allowing forged signatures
Nature | ID | Name | View(s) this relationship pertains to
---|---|---|---
ChildOf | 18 | Source Code | Development Concepts (primary) 699
ChildOf | 710 | Coding Standards Violation | Research Concepts (primary) 1000
ParentOf | 242 | Use of Inherently Dangerous Function | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 243 | Failure to Change Working Directory in chroot Jail | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 245 | J2EE Bad Practices: Direct Management of Connections | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 246 | J2EE Bad Practices: Direct Use of Sockets | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 247 | Reliance on DNS Lookups in a Security Decision | Development Concepts (primary) 699
ParentOf | 248 | Uncaught Exception | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 250 | Execution with Unnecessary Privileges | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 251 | Often Misused: String Management | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 252 | Unchecked Return Value | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | 253 | Incorrect Check of Function Return Value | Development Concepts (primary) 699
ParentOf | 382 | J2EE Bad Practices: Use of System.exit() | Development Concepts 699
ParentOf | 558 | Use of getlogin() in Multithreaded Application | Seven Pernicious Kingdoms (primary) 700
ParentOf | 559 | Often Misused: Arguments and Parameters | Development Concepts (primary) 699
ParentOf | 573 | Failure to Follow Specification | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | 586 | Explicit Call to Finalize() | Research Concepts (primary) 1000
ParentOf | 589 | Call to Non-ubiquitous API | Development Concepts (primary) 699
ParentOf | 605 | Multiple Binds to the Same Port | Development Concepts (primary) 699
ParentOf | 648 | Incorrect Use of Privileged APIs | Research Concepts 1000
ParentOf | 650 | Trusting HTTP Permission Methods on the Server Side | Research Concepts 1000
ParentOf | 684 | Failure to Provide Specified Functionality | Development Concepts (primary) 699; Research Concepts (primary) 1000
MemberOf | 700 | Seven Pernicious Kingdoms | Seven Pernicious Kingdoms (primary) 700
PeerOf | 675 | Duplicate Operations on Resource | Research Concepts 1000
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
7 Pernicious Kingdoms | | | API Abuse
WASC | 42 | | Abuse of Functionality
CAPEC-ID | Attack Pattern Name (CAPEC Version: 1.4)
---|---
96 | Block Access to Libraries
Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
 | 7 Pernicious Kingdoms | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Taxonomy Mappings
2009-05-27 | CWE Content Team | MITRE | Internal | updated Name, Relationships

Previous Entry Names

Change Date | Previous Entry Name
---|---
2008-04-11 | API Abuse
2009-05-27 | Failure to Fulfill API Contract (aka 'API Abuse')