CWE-353

Naam

Missing Support for Integrity Check

Waarschijnlijkheid

Gemiddeld

Status

Draft

Gepubliceerd

2006-07-19
00h00 +00:00

Gewijzigd

2025-12-11
00h00 +00:00

Officiële links

CWE Mitre.org

Meldingen voor een CWE

Blijf op de hoogte van wijzigingen voor een specifieke CWE.

Meldingen beheren

Aangepaste meldingen

Activeer uw gepersonaliseerde meldingen!

Om uw meldingen te activeren hoeft u alleen maar ingelogd te zijn op uw gratis account. Als u nog niet bent ingelogd, kies dan een van de onderstaande opties.

Inloggen op uw account Maak een gratis account aan

Meldingen voor een CWE

Blijf op de hoogte van wijzigingen voor een specifieke CWE.

Parameters

U kunt een titel opgeven die wordt gebruikt in de meldingen die worden verzonden.

Geef het CWE-ID op dat u wilt monitoren.

Planning

Maand

Berekening volgende run

Dag

Weekdag

Uur

Minuut

Aanmakingsdatum

Laatste uitvoering

Volgende uitvoering

Naam: Missing Support for Integrity Check

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

CWE-beschrijving

If integrity check values or "checksums" are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets.

Algemene informatie

Introductiemodi

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation

Toepasselijke platforms

Taal

Class: Not Language-Specific (Undetermined)

Veelvoorkomende gevolgen

Bereik	Impact	Waarschijnlijkheid
Integrity Other	Other Note: Data that is parsed and used may be corrupted.
Non-Repudiation Other	Hide Activities, Other Note: Without a checksum it is impossible to determine if any changes have been made to the data after it was sent.

Mogelijke risicobeperkingen

Phases : Architecture and Design
Add an appropriately sized checksum to the protocol, ensuring that data received may be simply validated before it is parsed and used.
Phases : Implementation
Ensure that the checksums present in the protocol design are properly implemented and added to each message before it is sent.

Notities kwetsbaarheidsmapping

Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Gerelateerde aanvalspatronen

CAPEC-ID	Naam aanvalspatroon
CAPEC-13	Subverting Environment Variable Values The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.
CAPEC-14	Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.
CAPEC-389	Content Spoofing Via Application API Manipulation An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.
CAPEC-39	Manipulating Opaque Client-based Data Tokens In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
CAPEC-665	Exploitation of Thunderbolt Protection Flaws
CAPEC-74	Manipulating State
CAPEC-75	Manipulating Writeable Configuration Files Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

Referenties

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

Indiening

Naam	Organisatie	Datum	Releasedatum	Version
CLASP		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Wijzigingen

Naam	Organisatie	Datum	Opmerking
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team	MITRE	2009-10-29 +00:00	updated Description, Other_Notes
CWE Content Team	MITRE	2010-12-13 +00:00	updated Description, Name
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Demonstrative_Examples
CWE Content Team	MITRE	2012-05-11 +00:00	updated References, Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Modes_of_Introduction, Relationships
CWE Content Team	MITRE	2019-06-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2020-02-24 +00:00	updated References, Relationships
CWE Content Team	MITRE	2021-07-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2021-10-28 +00:00	updated Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2025-12-11 +00:00	updated Relationships, Weakness_Ordinalities

CWE-353 Detail