Weaknesses in Software Written in Java

The product defines a public method that reads or modifies a private variable.

The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

The code uses an operator for assignment when the intention was to perform a comparison.

The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

The product contains a clone() method that does not call super.clone() to obtain the new object.

The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.

The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a ...

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that ...

The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.

Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.

The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.

The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.

The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

The product violates the Enterprise JavaBeans (EJB) specification by using sockets.

The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.

The product contains an empty synchronized block.

The product makes an explicit call to the finalize() method from outside the finalizer.

The product violates secure coding principles for mobile code by declaring a finalize() method public.

The product contains a finalize() method that does not call super.finalize().

The product generates an error message that includes sensitive information about its environment, users, or associated data.

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation...

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax t...

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an u...

An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected ...

The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the co...

The J2EE application directly manages connections, instead of using the container's connection management facilities.

The J2EE application directly uses sockets instead of using framework method calls.

Thread management in a Web application is forbidden in some circumstances and is always highly error prone.

The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.

A J2EE application uses System.exit(), which also shuts down its container.

When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are we...

The J2EE application is configured to use an insufficient session ID length.

The default error page of a web application should not display sensitive information about the product.

In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.

The code does not have a default case in an expression with multiple conditions, such as a switch statement.

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

The product does not maintain equal hashcodes for equal objects.

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the...

The product sends non-cloned mutable data as an argument to a method or function.

The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...

Assigning public data to a private array is equivalent to giving public access to the array.

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution...

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another ...

The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input valid...

The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.

When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient ...

An unused validation form indicates that validation logic is not up-to-date.

Every Action Form must have a corresponding validation form.

Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weakn...

Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.

An exception is thrown from a function, but it is not caught.

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes ...

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

The product uses the singleton pattern when creating a resource within a multithreaded environment.