Failure to Handle Windows ::DATA Alternate Data Stream
Weakness ID: 69 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).

Extended Description

An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and 'dir' at the command line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



Operating Systems


+ Observed Examples
+ Potential Mitigations

Software tools are capable of finding ADSs on your system.

Ensure that the source code correctly parses the filename to read or write to the correct stream.

+ Background Details

Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base66Improper Handling of File Names that Identify Virtual Resources
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory68Windows Virtual File Problems
Resource-specific Weaknesses631
Development Concepts699
ChildOfCategoryCategory634Weaknesses that Affect System Processes
Resource-specific Weaknesses (primary)631
+ Theoretical Notes

This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.

+ Affected Resources
  • System Process
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERWindows ::DATA alternate data stream
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
11Cause Web Server Misclassification
+ References
Don Parker. "Windows NTFS Alternate Data Streams". 2005-02-16. <>.
M. Howard and D. LeBlanc. "Writing Secure Code". 2nd Edition. Microsoft. 2003.
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Background Details, Description, Relationships, Other Notes, References, Taxonomy Mappings
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-10-29CWE Content TeamMITREInternal
updated Other Notes, Theoretical Notes
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Windows ::DATA Alternate Data Stream