Protection Mechanism Failure
Weakness ID: 693 (Weakness Class)
Status: Draft
+ Description

Description Summary

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Extended Description

This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
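
The three situations, shown as an added example that is not part of the CWE entry: HTML output encoding stands in for the protection mechanism, and an audit function reports which code paths let markup through. All function names and the probe strings are hypothetical and constructed for illustration.

```python
import html
import re

# Constructed probes: harmless markup that must never reach the page unencoded.
PROBES = ["<script>probe</script>", "<b>probe</b>"]

def render_missing(value):
    # "Missing": no output-encoding mechanism is defined at all.
    return f"<p>{value}</p>"

def render_insufficient(value):
    # "Insufficient": an incomplete blacklist that removes only <script> tags.
    cleaned = re.sub(r"</?script[^>]*>", "", value, flags=re.IGNORECASE)
    return f"<p>{cleaned}</p>"

def encode(value):
    # The product's actual protection mechanism: encode HTML metacharacters.
    return html.escape(value, quote=True)

def render_profile(value):
    # The mechanism is applied on this code path.
    return f"<p>{encode(value)}</p>"

def render_search(value):
    # "Ignored": encode() exists and is used elsewhere, but not on this path.
    return f"<p>Results for {value}</p>"

def leaks(render):
    """Return the probes whose markup survives rendering unencoded."""
    leaked = []
    for probe in PROBES:
        out = render(probe)
        body = out[len("<p>"):-len("</p>")]  # strip the template's own tags
        if "<" in body or ">" in body:
            leaked.append(probe)
    return leaked

def audit():
    """Map each renderer name to the probes it fails to neutralise."""
    renderers = [render_missing, render_insufficient, render_profile, render_search]
    return {r.__name__: leaks(r) for r in renderers}

if __name__ == "__main__":
    for name, leaked in audit().items():
        print(f"{name}: {'OK' if not leaked else 'leaks ' + repr(leaked)}")
```

The insufficient filter passes the check for the one input it was written against and fails for the other, which is why a single test case does not show that a protection mechanism is adequate.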

+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Other Notes

This is a fairly high-level concept, although it covers a number of weaknesses in CWE that were more scattered throughout the natural hierarchy before Draft 9 was released.

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 254 | Security Features | Development Concepts (primary) 699
ParentOf | Weakness Class | 20 | Improper Input Validation | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 106 | Struts: Plug-in Framework not in Use | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 109 | Struts: Validator Turned Off | Research Concepts (primary) 1000
ParentOf | Weakness Base | 179 | Incorrect Behavior Order: Early Validation | Research Concepts 1000
ParentOf | Weakness Base | 182 | Collapse of Data Into Unsafe Value | Research Concepts (primary) 1000
ParentOf | Weakness Base | 183 | Permissive Whitelist | Research Concepts (primary) 1000
ParentOf | Weakness Base | 184 | Incomplete Blacklist | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 262 | Not Using Password Aging | Research Concepts 1000
ParentOf | Weakness Base | 269 | Improper Privilege Management | Research Concepts (primary) 1000
ParentOf | Weakness Class | 284 | Access Control (Authorization) Issues | Research Concepts (primary) 1000
ParentOf | Weakness Class | 287 | Improper Authentication | Research Concepts (primary) 1000
ParentOf | Weakness Base | 311 | Missing Encryption of Sensitive Data | Research Concepts (primary) 1000
ParentOf | Weakness Class | 326 | Inadequate Encryption Strength | Research Concepts (primary) 1000
ParentOf | Weakness Base | 327 | Use of a Broken or Risky Cryptographic Algorithm | Research Concepts (primary) 1000
ParentOf | Weakness Class | 345 | Insufficient Verification of Data Authenticity | Research Concepts (primary) 1000
ParentOf | Weakness Base | 357 | Insufficient UI Warning of Dangerous Operations | Research Concepts (primary) 1000
ParentOf | Weakness Base | 358 | Improperly Implemented Security Check for Standard | Research Concepts 1000
ParentOf | Weakness Class | 424 | Failure to Protect Alternate Path | Research Concepts 1000
ParentOf | Weakness Base | 521 | Weak Password Requirements | Research Concepts (primary) 1000
ParentOf | Weakness Base | 602 | Client-Side Enforcement of Server-Side Security | Research Concepts 1000
ParentOf | Weakness Base | 640 | Weak Password Recovery Mechanism for Forgotten Password | Research Concepts (primary) 1000
ParentOf | Weakness Base | 653 | Insufficient Compartmentalization | Research Concepts 1000
ParentOf | Weakness Base | 654 | Reliance on a Single Factor in a Security Decision | Research Concepts 1000
ParentOf | Weakness Base | 655 | Insufficient Psychological Acceptability | Research Concepts 1000
ParentOf | Weakness Base | 656 | Reliance on Security through Obscurity | Research Concepts 1000
ParentOf | Weakness Class | 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | Research Concepts (primary) 1000
ParentOf | Weakness Base | 778 | Insufficient Logging | Research Concepts 1000
ParentOf | Weakness Base | 807 | Reliance on Untrusted Inputs in a Security Decision | Research Concepts (primary) 1000
MemberOf | View | 1000 | Research Concepts | Research Concepts (primary) 1000
+ Research Gaps

The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.

+ Related Attack Patterns
(CAPEC Version: 1.4)
CAPEC-ID | Attack Pattern Name
1 | Accessing Functionality Not Properly Constrained by ACLs
97 | Cryptanalysis
16 | Dictionary-based Password Attack
17 | Accessing, Modifying or Executing Executable Files
20 | Encryption Brute Forcing
22 | Exploiting Trust in Client (aka Make the Client Invisible)
87 | Forceful Browsing
36 | Using Unpublished Web Service APIs
49 | Password Brute Forcing
51 | Poison Web Service Registry
55 | Rainbow Table Password Cracking
56 | Removing/short-circuiting 'guard logic'
59 | Session Credential Falsification through Prediction
65 | Passively Sniff and Capture Application Code Bound for Authorized Client
70 | Try Common(default) Usernames and Passwords
74 | Manipulating User State
57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle
103 | Clickjacking
107 | Cross Site Tracing
+ Content History
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
    updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
    updated Description, Relationships, Other Notes
2009-01-12 | CWE Content Team | MITRE | Internal
    updated Relationships
2009-03-10 | CWE Content Team | MITRE | Internal
    updated Related Attack Patterns, Relationships
2009-05-27 | CWE Content Team | MITRE | Internal
    updated Description, Related Attack Patterns
2009-07-27 | CWE Content Team | MITRE | Internal
    updated Relationships
2009-10-29 | CWE Content Team | MITRE | Internal
    updated Relationships