7PK - Encapsulation

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

Weaknesses

Active Debug Code

The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

Comparison of Classes by Name

The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

Critical Public Variable Without Final Modifier

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

Exposure of Data Element to Wrong Session

The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the...

Private Data Structure Returned From A Public Method

The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

Public cloneable() Method Without Final ('Object Hijack')

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...

Public Data Assigned to Private Array-Typed Field

Assigning public data to a private array is equivalent to giving public access to the array.

Trust Boundary Violation

The product mixes trusted and untrusted data in the same data structure or structured message.

Use of Inner Class Containing Sensitive Data

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

Concepts

Seven Pernicious Kingdoms

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

See Also

  1. Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

    NIST Workshop on Software Security Assurance Tools Techniques and Metrics


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.