Category-227: 7PK - API Abuse

ID: 227 Status: Draft

Summary

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occur when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
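The chroot()/chdir() contract from the quotation above, written out as an added example (not code from the CWE entry or from the Seven Pernicious Kingdoms authors): the function name enter_jail() and the jail path in main() are assumptions. It also shows the return-value checking that CWE-252 in the list below asks for; the process needs CAP_SYS_CHROOT (typically root) for chroot() itself to succeed.

```c
/* Entering a chroot jail the way the caller/callee contract requires:
 * chroot() followed by chdir("/"), with every return value checked.
 * enter_jail() is a hypothetical helper name, not a library API. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success, -1 (with errno set) on any failure. */
int enter_jail(const char *dir)
{
    struct stat st;

    /* Refuse anything that is not an existing directory before calling chroot(). */
    if (stat(dir, &st) != 0)
        return -1;                 /* errno: ENOENT, EACCES, ... */
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }

    /* Step 1: change the root. On its own this does NOT move the process
     * inside the new root (needs CAP_SYS_CHROOT; fails with EPERM otherwise). */
    if (chroot(dir) != 0)
        return -1;

    /* Step 2: move the working directory inside the new root. Skipping this
     * leaves the cwd outside the jail, which is exactly CWE-243. */
    if (chdir("/") != 0)
        return -1;

    return 0;
}

int main(void)
{
    const char *jail = "/var/empty";   /* constructed example path */

    if (enter_jail(jail) != 0) {       /* unchecked return here would be CWE-252 */
        fprintf(stderr, "enter_jail(%s): %s\n", jail, strerror(errno));
        return 1;
    }
    puts("process confined to jail");
    return 0;
}
```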

Membership

ID NAME
CWE-242 Use of Inherently Dangerous Function
CWE-243 Creation of chroot Jail Without Changing Working Directory
CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
CWE-245 J2EE Bad Practices: Direct Management of Connections
CWE-246 J2EE Bad Practices: Direct Use of Sockets
CWE-248 Uncaught Exception
CWE-250 Execution with Unnecessary Privileges
CWE-251 Often Misused: String Management
CWE-252 Unchecked Return Value
CWE-558 Use of getlogin() in Multithreaded Application

Taxonomy Mappings

Mapped Taxonomy Name Node ID Fit Mapped Node Name
CERT C Secure Coding WIN30-C Properly pair allocation and deallocation functions

References

REF-6 Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors