The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). View - a subset of CWE entries that provides a way of examining CWE content. The CERT Oracle Secure Coding Standard for Java (2011) Chapter 18 - Miscellaneous (MSC) OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.Ĭategory - a CWE entry that contains a set of other entries that share a common characteristic.
These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction.
This table shows the weaknesses and high level categories that are related to this weakness. Storing Passwords in a Recoverable Format Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. That is linked to a certain type of product, typically involving a specific language or technology. Lack of Administrator Control over Security Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. More specific than a Pillar Weakness, but more general than a Base Weakness.
Use of Invariant Value in Dynamically Changing ContextĬlass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. That is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention.
HARDCODED PASSWORD PASSWORD
Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple. Any user of that program may be able to extract the password. The programmer may simply hard-code those back-end credentials into the front-end product.
The back-end service may require a fixed password which can be easily discovered. The Outbound variant applies to front-end systems that authenticate with a back-end service. Finally, since all installations of the product will have the same password, even across different organizations, this enables massive attacks such as worms to take place. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the product. In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. Outbound: the product connects to another system or component, and it contains hard-coded credentials for connecting to that component.
0 kommentar(er)
