CWE-353

Nome

Missing Support for Integrity Check

Probabilidade

Média

Status

Draft

Publicado

2006-07-19
00h00 +00:00

Modificado

2025-12-11
00h00 +00:00

Links oficiais

CWE Mitre.org

Notificações para um CWE

Fique informado sobre quaisquer alterações para um CWE específico.

Gerenciar notificações

Alertas personalizados

Ative seus alertas personalizados!

Para ativar seus alertas, basta estar conectado à sua conta gratuita. Se ainda não estiver conectado, escolha uma das opções abaixo.

Entrar na sua conta Criar uma conta Gratuita

Notificações para um CWE

Fique informado sobre quaisquer alterações para um CWE específico.

Parâmetros

Você pode especificar um título que será recuperado nos alertas que serão enviados.

Especifique o ID do CWE que deseja monitorar.

Agendamento

Mês

Cálculo da próxima execução

Dia

Dia da semana

Hora

Minuto

Data de criação

Última execução

Próxima execução

Nome: Missing Support for Integrity Check

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

Descrição CWE

If integrity check values or "checksums" are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets.

Informações Gerais

Modos de Introdução

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Consequências Comuns

Escopo	Impacto	Probabilidade
Integrity Other	Other Note: Data that is parsed and used may be corrupted.
Non-Repudiation Other	Hide Activities, Other Note: Without a checksum it is impossible to determine if any changes have been made to the data after it was sent.

Mitigações Potenciais

Phases : Architecture and Design
Add an appropriately sized checksum to the protocol, ensuring that data received may be simply validated before it is parsed and used.
Phases : Implementation
Ensure that the checksums present in the protocol design are properly implemented and added to each message before it is sent.

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentário : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Padrões de Ataque Relacionados

CAPEC-ID	Nome do Padrão de Ataque
CAPEC-13	Subverting Environment Variable Values The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.
CAPEC-14	Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.
CAPEC-389	Content Spoofing Via Application API Manipulation An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.
CAPEC-39	Manipulating Opaque Client-based Data Tokens In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
CAPEC-665	Exploitation of Thunderbolt Protection Flaws
CAPEC-74	Manipulating State
CAPEC-75	Manipulating Writeable Configuration Files Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

Referências

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

Submissão

Nome	Organização	Data	Data de lançamento	Version
CLASP		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modificações

Nome	Organização	Data	Comentário
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team	MITRE	2009-10-29 +00:00	updated Description, Other_Notes
CWE Content Team	MITRE	2010-12-13 +00:00	updated Description, Name
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Demonstrative_Examples
CWE Content Team	MITRE	2012-05-11 +00:00	updated References, Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Modes_of_Introduction, Relationships
CWE Content Team	MITRE	2019-06-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2020-02-24 +00:00	updated References, Relationships
CWE Content Team	MITRE	2021-07-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2021-10-28 +00:00	updated Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2025-12-11 +00:00	updated Relationships, Weakness_Ordinalities

CWE-353 Detalhe