Observable Behavioral Discrepancy

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This weakness occurs when a product's behaviour differs in ways that an unauthorized actor can observe. Those observable differences reveal either (1) the product's internal state or decision process, or (2) how the product differs from other products with equivalent functionality, which lets an attacker fingerprint it.

Extended Description

A product should expose as little as possible about its internal processing. When its behaviour varies in an observable way, for example in response time, error message wording, returned status codes, or which features respond, an attacker can use the variation to map the decision logic, infer sensitive data (such as whether an account or file exists), or identify the product and version from responses that differ from those of comparable products. These behavioural differences are unintended side channels: an attacker who probes them systematically can narrow a search space, bypass a protection mechanism, or gather intelligence without tripping detection that keys on overt failures, which makes the system easier to attack.
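The authentication-oracle case described above, as an added illustration that is not part of the CWE entry: a login routine that answers "unknown user" for one failure and "wrong password" for the other, and skips the password hash entirely for unknown users, leaks account existence through both the message and the response time. The hardened variant below returns one message and does the same amount of work on every path. The user store, the usernames and the password are constructed sample data; the helper names (login_leaky, login_uniform, oracle_distinguishes) are this example's own.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample data for the example; no real credentials.
ITERATIONS = 50_000  # PBKDF2 work factor, kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Build a username -> (salt, hash) table from plaintext passwords (setup only)."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(pw, salt))
    return store


USERS = make_user_store({"alice": "correct horse battery staple"})


def login_leaky(store: dict, username: str, password: str):
    """Vulnerable: the two failure paths differ in message AND in work done.

    Unknown users return immediately without hashing, so the response is
    both worded differently and measurably faster than a wrong password.
    """
    if username not in store:
        return False, "unknown user"          # fast path: no hashing at all
    salt, expected = store[username]
    if _hash(password, salt) != expected:     # slow path, and a non-constant-time compare
        return False, "wrong password"
    return True, "ok"


# Dummy credential so unknown usernames cost exactly one PBKDF2 run, like real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_uniform(store: dict, username: str, password: str):
    """Hardened: one message and one PBKDF2 run regardless of whether the user exists."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)         # always performed, even for unknown users
    # compare_digest avoids early-exit timing differences; the membership check
    # keeps a (practically impossible) dummy-hash match from logging anyone in.
    ok = hmac.compare_digest(candidate, expected) and username in store
    return ok, ("ok" if ok else "invalid username or password")


def oracle_distinguishes(login, store: dict, known: str, unknown: str) -> bool:
    """Attacker's view: do the failure messages alone reveal which username exists?"""
    wrong = secrets.token_hex(8)              # a password that is wrong for both
    _, msg_known = login(store, known, wrong)
    _, msg_unknown = login(store, unknown, wrong)
    return msg_known != msg_unknown


if __name__ == "__main__":
    print("leaky oracle distinguishes:", oracle_distinguishes(login_leaky, USERS, "alice", "bob"))
    print("uniform oracle distinguishes:", oracle_distinguishes(login_uniform, USERS, "alice", "bob"))
```

The message discrepancy is the easy half; the timing half is the reason the hardened version hashes a dummy credential instead of simply returning early with the uniform message. A uniform message that still returns in a fraction of the time for unknown users leaks the same bit to an attacker with a stopwatch.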

Common Consequences
Scope: Confidentiality; Access Control
Impact: Read Application Data; Bypass Protection Mechanism

Observed Examples
CVE-2002-0208: Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use.
CVE-2004-2252: Behavioral infoleak by responding to SYN-FIN packets.
Applicable Platforms
Languages: Not Language-Specific (Undetermined Prevalence)
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses
Taxonomy Mapping
  • PLOVER
  • WASC