Category: Verify Message Integrity
Draft
Summary
Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-353 | Missing Support for Integrity Check | This vulnerability occurs when a system uses a communication protocol that lacks built-in integrity verification, such as a checksum or cryptographic hash, to detect if data has been altered or corrupted during transmission. |
| CWE-354 | Improper Validation of Integrity Check Value | This vulnerability occurs when software fails to properly check the integrity of data by validating its checksum or hash value. Without this verification, the application cannot reliably detect if information has been altered, corrupted, or tampered with during storage or transmission. |
| CWE-390 | Detection of Error Condition Without Action | This weakness occurs when software successfully identifies an error condition but then fails to take any meaningful action to address it. The error is detected but ignored, leaving the system in an inconsistent or vulnerable state. |
| CWE-391 | Unchecked Error Condition | This vulnerability occurs when a program fails to properly check or handle error conditions, such as exceptions or return codes. By ignoring these failures, the software can enter an unexpected state that attackers might exploit, often without any logging or user notification. |
| CWE-494 | Download of Code Without Integrity Check | This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly verifying where it came from or ensuring it hasn't been tampered with. |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | This vulnerability occurs when an application uses cookies to make security decisions—like granting access or changing settings—but fails to verify that the cookie data is legitimate, unaltered, and belongs to the current user. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | This vulnerability occurs when an application uses obfuscation or encryption to hide security-sensitive data (like tokens or parameters) but fails to verify whether that data has been altered. Without integrity checks, the system cannot detect if an attacker has tampered with these inputs. |
| CWE-707 | Improper Neutralization | This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external source or sent to another component. This allows malformed messages to be processed, which can lead to misinterpretation and security breaches. |
| CWE-755 | Improper Handling of Exceptional Conditions | This vulnerability occurs when software fails to properly manage unexpected situations or errors, leaving it in an unstable or insecure state. |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | This vulnerability occurs when an application receives data over a network but fails to properly verify that the information wasn't altered in transit. |
| CWE-1008 | Architectural Concepts | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.