Buffer overflow A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. W rite-what-where condition Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. Stack overflow A stack overflow condition is a buffer overflow condition, where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). Heap overflow A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as the PO SIX malloc() call. Buffer underwrite A buffer underwrite condition occurs when a buffer is indexed with a negative number, or pointer arithmetic with a negative value results in a position before the beginning of the valid memory location. W rap-around error W rap around errors occur whenever a value is incriminated past the maximum value for its type and therefore wr aps ar ound to a ver y smal l , negative, or undef ined value. Integer overflow An integer overflow condition exists when an integer, which has not been properly sanity checked is used in the determination of an offset or size for memory allocation, copying, concatenation, or similarly. If the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value. Integer coercion error Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. Truncation error Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. Sign extension error If one extends a signed number incorrectly, if negative numbers are used, an incorrect extension may result. Signed to unsigned conversion error A signed-to-unsigned conversion error takes place when a signed primitive is used as an unsigned value, usually as a size variable. Unsigned to signed conversion error An unsigned-to-signed conversion error takes place when a large unsigned primitive is used as an signed value usual ly as a si ze var i able. Unchecked array indexing Unchecked array indexing occurs when an unchecked value is used as an index into a buffer. M iscalculated null termination Miscalculated null termination occurs when the placement of a null character at the end of a buffer of characters (or string) is misplaced or omitted. Range and Type Errors Improper string length checking Improper string length checking takes place when wide or multi-byte character strings are mistaken for standard character strings. Covert storage channel The existence of a covert storage channel in a communications channel may release information which can be of significant use to attackers. Failure to account for default case in switch The failure to account for the default case in switch statements may lead to complex logical errors and may aid in other, unexpected security-related conditions. Null-pointer dereference A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. Using freed memory The use of heap allocated memory after it has been freed or deleted leads to undefined system behavior and, in many cases, to a write-what-where condition. Doubly freeing memory Freeing or deleting the same memory chunk twice may when c ombi ned wi th ot her f l aws resul t in a write-what-where condition. Invoking untrusted mobile code This process will download external source or binaries and execute it. Cross-site scripting Cross-site scripting attacks are an instantiation of injection problems, in which malicious scripts are injected into the otherwise benign and trusted web sites. Format string problem Format string problems occur when a user has the ability to control or write completely the format string used to format data in the printf style family of C/C++ functions. Injection problem ( data us ed as somet hi ng else) Injection problems span a wide range of instantiations. The basic form of this flaw involves the injection of control-plane data into the data-plane in order to alter the control flow of the process. Command injection Command injection problems are a subset of injection problem, in which the process is tricked into calling external processes of the attackers choice through the injection of control-plane data into the data plane. SQ L injection SQ L injection attacks are another instantiation of injection attack, in which SQ L commands are injected into data-plane input in order to effect the execution of predefined SQ L commands. Deserialization of untrusted data Data which is untrusted can not be trusted to be well formed. Reliance on data layout Assumptions about protocol data or data stored in memory can be invalid, resulting in using data in ways that were unintended. Relative path library search Certain functions perform automatic path searching. The method and results of this path searching may not be as expected. Example: W inExec will use the 162 The CLASP Application Security Process space character as a delimiter, finding C: \Pr ogr am. exe as an accept abl e resul t f or a search for C: \Pr ogr am Fi l es \ Foo \ Bar . exe. Relying on package-level scope Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. Insufficient entropy in PRNG The lack of entropy available for, or used by, a PRNG can be a stability and security threat. Failure of TRNG True random number generators generally have a limited source of entropy and therefore can fail or block. Publicizing of private data when using inner classes Java byte code has no notion of an inner class; therefore inner classes provide only a package-level security mechanism. Furthermore, the inner class gets access to the fields of its outer class even if that class is declared private. Environmental Problems Trust of system event data Security based on event locations are insecure and can be spoofed. Resource exhaustion (file descriptor, disk space, sockets, ...) Resource exhaustion is a simple denial of service condition which occurs when the resources necessary to perform an action are entirely consumed, therefore preventing that action from taking place. Information leak through class cloning Cloneable classes are effectively open classes since data cannot be hidden in them. Information leak through serialization Serializable classes are effectively open classes since data cannot be hidden in them. O verflow of static internal buffer A non-final static field can be viewed and edited in dangerous ways. State synchronization error State synchronization refers to a set of flaws involving contradictory states of execution in a process which result in undefined behavior. Covert timing channel Unintended information about data gets leaked through observing the timing of events. Symbolic name not mapping to correct object A constant symbolic reference to an object is used, even though the underlying object changes over time. Time of check, time of use race condition Time-of-check, time-of-use race conditions occur when between the time in which a given resource is checked, and the time that resource is used, a change occurs in the resource to invalidate the results of the check. Comparing classes by name The practice of determining an object s t ype, based on i ts n ame, is danger ous si nce mal ici ous code may purposely reuse class names in order to appear trusted. Race condition in switch If the variable which is switched on is changed while the switch statement is still in progress undefined activity may occur. Race condition in signal handler Race conditions occur frequently in signal handlers, since they are asynchronous actions. These race conditions may have any number of root-causes and symptoms. Unsafe function call from a signal handler There are several functions which under cer tain ci r c umst ances, if used in a si gnal handl er may result in the corruption of memory, allowing for exploitation of the process. Failure to drop privileges when reasonable Failing to drop privileges when it is reasonable to do so results in a lengthened time during which exploitation may result in unnecessarily negative consequences. Root Synchronization and Timing Errors Race condition in checking for certificate revocation If the revocation status of a certificate is not checked before each privilege requiring action, the system may be subject to a race condition, in which their certificate may be used before it is checked for revocation. M utable objects passed by reference Sending non-cloned mutable data as an argument may result in that data being altered or deleted by the called function, thereby putting the calling function into an undefined state. Passing mutable objects to an untrusted method Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the called function, thereby putting the class in an undefined state. Accidental leaking of sensitive information through error messages Server messages need to be parsed before being passed on to the user. Accidental leaking of sensitive information through sent data The accidental leaking of sensitive information through sent data refers to the transmission of data which is either sensitive in and of itself or useful in the further exploitation of the system through standard data channels.