Kingdom: Time and State

Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time.

Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information.

28 items found
Weaknesses
Abstract
Storing a non-serializable object as an HttpSessionState attribute can damage application reliability.
Explanation
By default, ASP.NET servers store the HttpSessionState object, its attributes and any objects they reference in memory. This model limits active session state to what can be accommodated by the system memory of a single machine. In order to expand capacity beyond these limitations, servers are frequently configured to persistent session state information, which both expands capacity and permits the replication across multiple machines to improve overall performance. In order to persist its session state, the server must serialize the HttpSessionState object, which requires that all objects stored in it be serializable.

In order for the session to be serialized correctly, all objects the application stores as session attributes must declare the [Serializable] attribute. Additionally, if the object requires custom serialization methods, it must also implement the ISerializable interface.

Example 1: The following class adds itself to the session, but since it is not serializable, the session cannot be serialized correctly.


public class DataGlob {
String GlobName;
String GlobValue;

public void AddToSession(HttpSessionState session) {
session["glob"] = this;
}
}
References
[1] Session State Providers Microsoft Corporation
[2] Underpinnings of the Session State Implementation in ASP.NET Microsoft Corporation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 579
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[6] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[7] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[8] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[9] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[10] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.dotnet.asp_dotnet_bad_practices_non_serializable_object_stored_in_session
Abstract
Calling sleep() while holding a lock can cause a loss of performance and might cause a deadlock.
Explanation
If multiple threads are trying to obtain a lock on a resource, calling sleep() while holding a lock can cause all of the other threads to wait for the resource to be released, which can result in degraded performance and deadlock.

Example 1: The following code calls sleep() while holding a lock.

ReentrantLock rl = new ReentrantLock();
...
rl.lock();
Thread.sleep(500);
...
rl.unlock();
References
[1] LCK09-J. Do not perform operations that can block while holding a lock CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 557
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000336, CCI-000366, CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002950 CAT II
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.code_correctness_call_to_sleep_in_lock
Abstract
Double-checked locking is an incorrect idiom that does not achieve the intended effect.
Explanation
Many talented individuals have spent a great deal of time pondering ways to make double-checked locking work in order to improve performance. None have succeeded.

Example 1: At first blush it may seem that the following bit of code achieves thread safety while avoiding unnecessary synchronization.


if (fitz == null) {
synchronized (this) {
if (fitz == null) {
fitz = new Fitzer();
}
}
}
return fitz;


The programmer wants to guarantee that only one Fitzer() object is ever allocated, but does not want to pay the cost of synchronization every time this code is called. This idiom is known as double-checked locking.

Unfortunately, it does not work, and multiple Fitzer() objects can be allocated. See The "Double-Checked Locking is Broken" Declaration for more details [1].
References
[1] D. Bacon et al. The "Double-Checked Locking is Broken" Declaration
[2] LCK10-J. Use a correct form of the double-checked locking idiom CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 609
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.java.code_correctness_double_checked_locking
Abstract
If a thread fails to unlock a mutex after signaling other threads, the other threads will remain locked waiting on the mutex.
Explanation
After a thread signals other threads waiting on a mutex, it must unlock the mutex by calling pthread_mutex_unlock() before another thread can begin running. If the signaling thread fails to unlock the mutex, the pthread_cond_wait() call in the second thread will not return and the thread will not execute.

Example 1: The following code signals another thread waiting on a mutex by calling pthread_cond_signal(), but fails to unlock the mutex the other thread is waiting on.


...
pthread_mutex_lock(&count_mutex);

// Signal waiting thread
pthread_cond_signal(&count_threshold_cv);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 373
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000336, CCI-000366, CCI-001094
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002950 CAT II
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.cpp.code_correctness_erroneous_synchronization
Abstract
Creating and using insecure temporary files can leave application and system data vulnerable to attacks.
Explanation
Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks.
Example: The following code uses a temporary file for storing intermediate data gathered from the network before it is processed.


...
if (tmpnam_r(filename)){
FILE* tmp = fopen(filename,"wb+");
while((recv(sock,recvbuf,DATA_SIZE, 0) > 0)&&(amt!=0))
amt = fwrite(recvbuf,1,DATA_SIZE,tmp);
}
...


This otherwise unremarkable code is vulnerable to a number of different attacks because it relies on an insecure method for creating temporary files. The vulnerabilities introduced by this function and others are described in the following sections. The most egregious security problems related to temporary file creation have occurred on Unix-based operating systems, but Windows applications have parallel risks. This section includes a discussion of temporary file creation on both Unix and Windows systems.

Methods and behaviors can vary between systems, but the fundamental risks introduced by each are reasonably constant. See the Recommendations section for information about safe core language functions and advice regarding a secure approach to creating temporary files.

The functions designed to aid in the creation of temporary files can be broken into two groups based on whether they simply provide a filename or actually open a new file.

Group 1 - "Unique" Filenames:

The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess.

If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions.

Finally, in the best case the file will be opened with a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described previously. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions.

Group 2 - "Unique" Files:

The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp().

The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags "wb+", that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker may pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance.

Finally, mkstemp() is a reasonably safe way to create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.
References
[1] B. Schneier Yarrow: A secure pseudorandom number generator
[2] CryptLib
[3] Crypto++
[4] BeeCrypt
[5] OpenSSL
[6] CryptoAPI: CryptGenRandom() Microsoft
[7] RtlGenRandom() Microsoft
[8] .NET System.Security.Cryptography: Random Number Generation Microsoft
[9] Standards Mapping - Common Weakness Enumeration CWE ID 377
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-4 Information in Shared System Resources
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002380 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002380 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002380 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002380 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002380 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002380 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002380 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002380 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002380 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002380 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002380 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002380 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002380 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002380 CAT II
desc.semantic.cpp.insecure_temporary_file
Abstract
Creating and using insecure temporary files can leave application and system data vulnerable to attacks.
Explanation
Applications require temporary files so frequently that many different mechanisms exist for creating them. Most of these functions are vulnerable to various forms of attacks.
Example: The following code uses a temporary file for storing intermediate data gathered from the network before it is processed.


...
try:
tmp_filename = os.tempnam()
tmp_file = open(tmp_filename, 'w')
data = s.recv(4096)
while True:
more = s.recv(4096)
tmp_file.write(more)
if not more:
break
except socket.timeout:
errMsg = "Connection timed-out while connecting"
self.logger.exception(errMsg)
raise Exception
...


This otherwise unremarkable code is vulnerable to a number of different attacks because it relies on an insecure method for creating temporary files. The vulnerabilities introduced by this function and others are described in the following sections. The most egregious security problems related to temporary file creation have occurred on Unix-based operating systems, but Windows applications have parallel risks.

Methods and behaviors can vary between systems, but the fundamental risks introduced by each are reasonably constant. See the Recommendations section for information about safe core language functions and advice regarding a secure approach to creating temporary files.

The functions designed to aid in the creation of temporary files can be broken into two groups based on whether they simply provide a filename or actually open a new file.

Group 1 - "Unique" Filenames:

The first group of functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group of functions suffers from an underlying race condition on the filename chosen. Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess.

If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions.

Finally, in the best case the file will be opened with a call to open() using the os.O_CREAT and os.O_EXCL flags, which will fail if the file already exists and therefore prevent the types of attacks described previously. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions.

Group 2 - "Unique" Files:

The second group of functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes functions like tmpfile().

The tmpfile() style functions construct a unique filename and open it in the same way that open() would if passed the flags "wb+", that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker may pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance.
References
[1] B. Schneier Yarrow: A secure pseudorandom number generator
[2] Python Library Reference: os Python
[3] Python Library Reference: tempfile Python
[4] Symlink race WikiPedia
[5] Time of check to time of use WikiPedia
[6] Standards Mapping - Common Weakness Enumeration CWE ID 377
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-4 Information in Shared System Resources
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1
[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002380 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002380 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002380 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002380 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002380 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002380 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002380 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002380 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002380 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002380 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002380 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002380 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002380 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002380 CAT II
desc.semantic.python.insecure_temporary_file
Abstract
The method sets up a session that never expires.
Explanation
The longer a session stays open, the larger the window of opportunity an attacker has to compromise user accounts. While a session remains active, an attacker may be able to brute-force a user's password, crack a user's wireless encryption key, or commandeer a session from an open browser. Longer session timeouts can also prevent memory from being released and eventually result in a denial of service if a sufficiently large number of sessions are created.

Example 1: Code in the following example sets a negative value for the maximum inactive interval resulting in a session that remains active indefinitely.

...
HttpSession sesssion = request.getSession(true);
sesssion.setMaxInactiveInterval(-1);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 613
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), MA-4 Nonlocal Maintenance (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)
[7] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[14] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls, Control Objective C.2.3.2 - Web Software Access Controls
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration
desc.structural.java.j2ee_bad_practices_insufficient_session_expiration
Abstract
A web application should not attempt to shut down its container.
Explanation
It is never a good idea for a web application to attempt to shut down the application container. A call to a termination method is probably part of leftover debug code or code imported from a non-J2EE application.
References
[1] ERR09-J. Do not allow untrusted code to terminate the JVM CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 382
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.semantic.java.j2ee_badpractices_jvm_termination
Abstract
Storing a non-serializable object as an HttpSession attribute can damage application reliability.
Explanation
A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate an HttpSession object across multiple JVMs so that if one JVM becomes unavailable another can step in and take its place without disrupting the flow of the application.

In order for session replication to work, the values the application stores as attributes in the session must implement the Serializable interface.

Example 1: The following class adds itself to the session, but because it is not serializable, the session can no longer be replicated.


public class DataGlob {
String globName;
String globValue;

public void addToSession(HttpSession session) {
session.setAttribute("glob", this);
}
}
References
[1] The Java Servlet Specification Sun Microsystems
[2] The java.io.Serializable Interface Oracle
[3] MSC08-J. Do not store non-serializable objects as attributes in an HTTP session CERT
[4] Standards Mapping - Common Weakness Enumeration CWE ID 579
[5] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[6] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[7] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[8] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[9] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[11] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.java.j2ee_bad_practices_non_serializable_object_stored_in_session
Abstract
Thread management in a web application is forbidden in some circumstances and is always highly error prone.
Explanation
Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of the application container. Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose like deadlock, race conditions, and other synchronization errors.
References
[1] Java 2 Platform Enterprise Edition Specification, v1.4 Sun Microsystems
[2] Standards Mapping - Common Weakness Enumeration CWE ID 383
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
desc.semantic.java.j2ee_badpractices_threads
Abstract
JSON Web Tokens that do not implement protection claims such as jti and aud might be susceptible to impersonation and replay attacks.
Explanation
JWT is a standard used to create a URL-safe means of transferring data between two parties. JWT provides protection against data tampering because the information it contains is digitally signed with either the HMAC or the RSA algorithm. The server typically generates JWT after successful authentication by the client. This JWT accompanies future client requests to the server for stateless authentication. These tokens are often targeted by malicious users for impersonation attacks. The JWT specification includes various protection mechanisms to prevent the tokens against such attacks. The jti claim provides a unique identifier for the JWT. It can be used to prevent the JWT from being replayed. The application "signs out" the user from all devices by deleting all JWTs in the backend store associated with that user. In addition, the developer should use exp (expiration time) to expire the JWT.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 384
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000804, CCI-001664
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.1 Session Binding Requirements (L1 L2 L3), 3.2.3 Session Binding Requirements (L1 L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[9] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002280 CAT II, APSC-DV-002260 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002260 CAT II, APSC-DV-002280 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Session Fixation (WASC-37)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Session Fixation
desc.dynamic.xtended_preview.json_web_token_missing_protection_claims
Abstract
OAuth2 authorization servers that do not timely expire authorization codes might be susceptible to impersonation attacks by continuing to grant a new valid access_token for stolen authorization codes.
Explanation
An authorization server generates multiple valid access tokens with the same authorization code is susceptible to impersonation attacks.
The OAuth2 API makes it possible for users to grant access to their accounts with an authorization server. When a user has denied access for an application, all access tokens are revoked and become invalid. However, if the associated authorization token is not revoked, a malicious application can exploit it to restore access to user's account after access revocation.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 613
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), MA-4 Nonlocal Maintenance (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination
[7] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)
[9] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration
desc.dynamic.xtended_preview.oauth2_insufficient_authorization_code_expiration
Abstract
An OAuth2 authorization servers that issue refresh_tokens to web application clients and native application clients without verifying client_id and client_secret might be susceptible to impersonation attacks.
Explanation
Authorization servers that do not verify the client_id and client_secret when refreshing the access_token are susceptible to impersonation and unauthorized access attacks. Authorization servers might issue refresh tokens to web application clients and native application clients. The authorization server must verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server should deploy other means to detect refresh token abuse such as redirecting the user to repeat the authorization process after an expiration date is reached.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 613
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), MA-4 Nonlocal Maintenance (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination
[7] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)
[9] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration
desc.dynamic.xtended_preview.oauth2_insufficient_refresh_token_revocation
Abstract
OAuth2 protocol implementations that do not use a state parameter value with sufficient entropy are susceptible to a CSRF vulnerability.
Explanation
OAuth2 protocol implementations that do not use the state parameter value with sufficient entropy are susceptible to a CSRF vulnerability that might give an attacker the ability to login to the victim's current application account using a third-party account without any restrictions.
In authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a CSRF attack if the state parameter value is predictable. An attacker can perform a normal OAuth2 process and get the redirection URL that contains the authorization code for the third-party. The attacker can bind their own account to the victim's account for the vulnerable application by enticing a victim to access this URL. If the state parameter is set in the redirection URL but without sufficient entropy, then an attacker can predict the user's state parameter and forge a reliable redirection URL to persuade the victim to access and then implement a CSRF attack.
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001664, CCI-001941, CCI-001942
[2] Standards Mapping - FIPS200 IA
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity
[6] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[7] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[14] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Credential/Session Prediction (WASC-18)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.dynamic.xtended_preview.oauth2_insufficient_state_parameter_entropy
Abstract
A function uses either block.timestamp or block.number as a proxy for time.
Explanation
Values associated with block.timestamp or block.number are often used by developers to trigger time-dependent events, however, these values often give a sense of time that is generally not safe to use.

Due to the decentralized nature of blockchain, nodes can synchronize time only to a certain degree. Using block.timestamp is unreliable at best, and at worst, malicious miners can alter the timestamp of their blocks if they see an advantage to do so.

As for block.number, even though it is possible to predict the time between blocks (approximately 14 seconds), block times are not constant and can vary depending on network activity. This makes block.number unreliable for time-related calculations.

Example 1: The following code uses block.number to unlock funds after a certain period of time.


function withdraw() public {
require(users[msg.sender].amount > 0, 'no amount locked');
require(block.number >= users[msg.sender].unlockBlock, 'lock period not over');
uint amount = users[msg.sender].amount;
users[msg.sender].amount = 0;
(bool success, ) = msg.sender.call.value(amount)("");
require(success, 'transfer failed');
}
References
[1] Enterprise Ethereum Alliance Don't misuse block data
[2] Standards Mapping - Smart Contract Weakness Classification SWC-116
desc.structural.solidity.swc116
Abstract
The set callback could lead to a race condition.
Explanation
Node.js allows developers to assign callbacks to IO-blocked events. This allows better performance as the callbacks run asynchronously such that the main application isn't blocked by IO. However, this in turn may lead to race conditions when something outside the callback relies upon code within the callback to be run first.

Example 1: The following code checks a user against a database for authentication.

 
...
var authenticated = true;
...
database_connect.query('SELECT * FROM users WHERE name == ? AND password = ? LIMIT 1', userNameFromUser, passwordFromUser, function(err, results){
if (!err && results.length > 0){
authenticated = true;
}else{
authenticated = false;
}
});

if (authenticated){
//do something privileged stuff
authenticatedActions();
}else{
sendUnathenticatedMessage();
}


In this example we're supposed to be calling to a backend database to confirm a user's credentials for login, and if confirmed we set a variable to true, otherwise false. Unfortunately, since the callback is blocked by IO, it will run asynchronously and may be run after the check to if (authenticated), and since the default was true, it will go into the if-statement whether the user is actually authenticated or not.
References
[1] Kristopher Kowal Documentation for q
[2] Piotr Pelczar Asynchronous programming done right.
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
desc.structural.javascript.race_condition
Abstract
The application installs an application from shared storage, allowing a malicious app to replace the package to be installed.
Explanation
The app installs an application from shared storage where any application with external storage read/write permissions can write to. Due to a race condition, the malicious app monitoring the folder can swap a downloaded APK file for an alternate APK file, which the installation process will use in place of the legitimate update.

Example 1: The following code installs an applications from the shared storage:


Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File(Environment.getExternalStorageDirectory() + "/download/" + "app.apk")), "application/vnd.android.package-archive");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(intent);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[2] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-2
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
desc.dataflow.java.race_condition_app_download
Abstract
The window of time between when a file property is checked and when the file is used can be exploited to launch a privilege escalation attack.
Explanation
File access race conditions, known as time-of-check, time-of-use (TOCTOU) race conditions, occur when:

1. The program checks a property of a file, referencing the file by name.

2. The program later performs a file system operation using the same filename and assumes that the previously-checked property has not changed.
Example 1: The following code is from a program installed setuid root. The program performs certain file operations on behalf of non-privileged users, and uses access checks to ensure that it does not use its root privileges to perform operations that should not be available to the current user. The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations.


if (!access(file,W_OK)) {
f = fopen(file,"w+");
operate(f);
...
}
else {
fprintf(stderr,"Unable to open file %s.\n",file);
}


The call to access() behaves as expected, and returns 0 if the user running the program has the necessary permissions to write to the file, and -1 otherwise. However, because both access() and fopen() operate on filenames rather than on file handles, there is no guarantee that the file variable still refers to the same file on disk when it is passed to fopen() that it did when it was passed to access(). If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges.

This type of vulnerability is not limited to programs with root privileges. If the application is capable of performing any operation that the attacker would not otherwise be allowed perform, then it is a possible target.

The window of vulnerability for such an attack is the period of time between when the property is tested and when the file is used. Even if the use immediately follows the check, modern operating systems offer no guarantee about the amount of code that is executed before the process yields the CPU. Attackers have a variety of techniques to expand the length of the window of opportunity in order to make exploits easier. However, even with a small window, an exploit attempt can simply be repeated over and over until it is successful.

Example 2: The following code creates a file and then changes the owner of the file.


fd = creat(FILE, 0644); /* Create file */
if (fd == -1)
return;
if (chown(FILE, UID, -1) < 0) { /* Change file owner */
...
}


The code assumes that the file operated upon by the call to chown() is the same as the file created by the call to creat(), but that is not necessarily the case. Since chown() operates on a file name and not on a file handle, an attacker may be able to replace the file with a link to file the attacker does not own. The call to chown() would then give the attacker ownership of the linked file.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II
desc.controlflow.cpp.file_access_race_condition
Abstract
The window of time between when a file property is checked and when the file is used can be exploited to launch a privilege escalation attack.
Explanation
File access race conditions, known as time-of-check, time-of-use (TOCTOU) race conditions, occur when:

1. The program checks a property of a file, referencing the file by name.

2. The program later performs a file system operation using the same filename and assumes that the previously-checked property has not changed.
Example: The following program calls the CBL_CHECK_FILE_EXIST routine to check if the file exists before it creates one and performs the necessary operations.


CALL "CBL_CHECK_FILE_EXIST" USING
filename
file-details
RETURNING status-code
END-CALL

IF status-code NOT = 0
MOVE 3 to access-mode
MOVE 0 to deny-mode
MOVE 0 to device

CALL "CBL_CREATE_FILE" USING
filename
access-mode
deny-mode
device
file-handle
RETURNING status-code
END-CALL
END-IF


The call to CBL_CHECK_FILE_EXIST behaves as expected and returns a non-zero value, indicating that the file does not exist. However, because both CBL_CHECK_FILE_EXIST and CBL_CREATE_FILE operate on filenames rather than on file handles, there is no guarantee that the filename variable still refers to the same file on disk when it is passed to CBL_CREATE_FILE that it did when it was passed to CBL_CHECK_FILE_EXIST. If an attacker creates filename after the call to CBL_CHECK_FILE_EXIST, the call to CBL_CREATE_FILE will fail, leading the program to believe that the file is empty, when in fact it contains data controlled by the attacker.

The window of vulnerability for such an attack is the period of time between when the property is tested and when the file is used. Even if the use immediately follows the check, modern operating systems offer no guarantee about the amount of code that is executed before the process yields the CPU. Attackers have a variety of techniques to expand the length of the window of opportunity in order to make exploits easier. However, even with a small window, an exploit attempt can simply be repeated over and over until it is successful.

Furthermore, this type of vulnerability might apply to a program with root privileges that performs certain file operations on behalf of non-privileged users, and uses access checks to ensure that it does not use its root privileges to perform operations that should not be available to the current user. By tricking the program into performing an operation that would otherwise be impermissible, the attacker might gain elevated privileges.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II
desc.controlflow.cobol.file_access_race_condition
Abstract
The methods parse() and format() in java.text.Format contain a design flaw that can cause one user to see another user's data.
Explanation
The methods parse() and format() in java.text.Format contains a race condition that can cause one user to see another user's data.

Example 1: The following code shows how this design flaw can manifest itself.


public class Common {

private static SimpleDateFormat dateFormat;
...

public String format(Date date) {
return dateFormat.format(date);
}
...

final OtherClass dateFormatAccess=new OtherClass();
...

public void function_running_in_thread1(){
System.out.println("Time in thread 1 should be 12/31/69 4:00 PM, found: "+ dateFormatAccess.format(new Date(0)));
}

public void function_running_in_thread2(){
System.out.println("Time in thread 2 should be around 12/29/09 6:26 AM, found: "+ dateFormatAccess.format(new Date(System.currentTimeMillis())));
}
}


While this code will behave correctly in a single-user environment, if two threads run it at the same time they could produce the following output:

Time in thread 1 should be 12/31/69 4:00 PM, found: 12/31/69 4:00 PM
Time in thread 2 should be around 12/29/09 6:26 AM, found: 12/31/69 4:00 PM

In this case, the date from the first thread is shown in the output from the second thread due a race condition in the implementation of format().
References
[1] Bug 4228335 : SimpleDateFormat is not threadsafe Sun Microsystems
[2] The Java Servlet Specification Sun Microsystems
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 488
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-003178
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-4 Information in Shared Resources (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-4 Information in Shared System Resources
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective B.3.3 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective B.3.3 - Terminal Software Attack Mitigation
[18] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[19] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
desc.structural.java.race_condition_format_flaw
Abstract
The developer is using the RoamingFolder or RoamingSettings property of the Windows.Storage.ApplicationData class.
Explanation
The RoamingFolder and RoamingSettings properties get a container in the roaming app data store, which can then be used to share data between two more devices. By writing and reading objects stored in the roaming app data store, the developer increases the risk of compromise. This includes the confidentiality, integrity, and availability of the data, applications, and systems which share those objects through the roaming app data store.

Developers should refrain from using this functionality without first implementing the necessary technical controls.
References
[1] ApplicationData.RoamingFolder | roamingFolder property
[2] ApplicationData.RoamingSettings | roamingSettings property
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
desc.structural.dotnet.race_condition_roaming_data_access
Abstract
Installing the same signal handler for multiple signals can lead to a race condition when different signals are caught in short succession.
Explanation
Signal handling race conditions can occur whenever a function installed as a signal handler is non-reentrant, which means it maintains some internal state or calls another function that does so. Such race conditions are even more likely when the same function is installed to handle multiple signals.

Signal handling race conditions are more likely to occur when:

1. The program installs a single signal handler for more than one signal.

2. Two different signals for which the handler is installed arrive in short succession, causing a race condition in the signal handler.

Example: The following code installs the same simple, non-reentrant signal handler for two different signals. If an attacker causes signals to be sent at the right moments, the signal handler will experience a double free vulnerability. Calling free() twice on the same value can lead to a buffer overflow. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.


void sh(int dummy) {
...
free(global2);
free(global1);
...
}

int main(int argc,char* argv[]) {
...
signal(SIGHUP,sh);
signal(SIGTERM,sh);
...
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 364
[2] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 21.5
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 18-7-1
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
desc.structural.cpp.race_condition_signal_handling