Category: Behavioral Problems
Draft
Summary
Weaknesses in this category are related to unexpected behaviors from code that an application uses.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1025 | Comparison Using Wrong Factors | This weakness occurs when a program compares two items but checks the wrong properties or attributes. This flawed comparison leads to incorrect decisions, creating security and logic errors. |
| CWE-1037 | Processor Optimization Removal or Modification of Security-critical Code | This vulnerability occurs when a processor's performance optimization unintentionally strips out or alters security-critical code that a developer intentionally placed in the software. |
| CWE-115 | Misinterpretation of Input | This vulnerability occurs when software incorrectly interprets or processes input data, leading to unintended and potentially harmful security consequences. The flawed interpretation can come from user-provided data, external systems, or other components. |
| CWE-179 | Incorrect Behavior Order: Early Validation | This vulnerability occurs when an application validates user input before applying security filters or data normalization. Attackers can exploit this order of operations by submitting specially crafted input that passes the initial validation but becomes malicious after the application's filters or canonicalization processes modify it. |
| CWE-408 | Incorrect Behavior Order: Early Amplification | This vulnerability occurs when a system allows a user to trigger a resource-intensive operation before verifying their identity or checking their permissions. |
| CWE-437 | Incomplete Model of Endpoint Features | This vulnerability occurs when a security product, proxy, or monitoring system sits between endpoints but lacks a full understanding of what those endpoints can do or their current state. Because it's working with incomplete information, it can make wrong decisions, allowing malicious traffic to pass or incorrectly blocking legitimate requests. |
| CWE-439 | Behavioral Change in New Version or Environment | This vulnerability occurs when a component's behavior unexpectedly changes after an update or when deployed to a different environment, and the systems or users depending on it are unaware of and cannot manage this change. |
| CWE-440 | Expected Behavior Violation | This weakness occurs when a software component, such as a function, API, or feature, fails to act as documented or intended. The system's actual behavior deviates from its promised specification, leading to unpredictable results. |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | This weakness occurs when a proxy, firewall, or other intermediary HTTP agent interprets a malformed HTTP request or response differently than the final destination server or client. This inconsistency allows an attacker to craft messages that bypass the intermediary's security checks. |
| CWE-480 | Use of Incorrect Operator | This vulnerability occurs when a developer mistakenly uses the wrong operator in their code, leading to unintended and potentially insecure logic. |
| CWE-483 | Incorrect Block Delimitation | This vulnerability occurs when a developer fails to use explicit braces or delimiters to group multiple statements within a block, leading to unexpected program logic. |
| CWE-484 | Omitted Break Statement in Switch | This vulnerability occurs when a developer forgets to include a 'break' statement inside a switch-case block. Without it, the code execution 'falls through' and unintentionally runs the logic for subsequent cases, leading to unexpected behavior. |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | This vulnerability occurs when a web server checks access permissions before fully processing and normalizing a URL, potentially allowing attackers to bypass security controls. |
| CWE-698 | Execution After Redirect (EAR) | Execution After Redirect (EAR) occurs when a web application sends a redirect response to a user's browser but continues to run server-side code, potentially performing unintended actions. |
| CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code | This vulnerability occurs when a compiler's optimization process unintentionally strips out or alters security-critical code that a developer intentionally wrote, leaving the application exposed. |
| CWE-783 | Operator Precedence Logic Error | This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence. |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | An infinite loop occurs when a program's iteration logic contains an exit condition that can never be satisfied, causing the loop to run indefinitely and consume system resources. |
| CWE-837 | Improper Enforcement of a Single, Unique Action | This vulnerability occurs when a system fails to properly prevent users from repeating an action that should only be performed once, such as submitting a vote, finalizing a purchase, or requesting a refund. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | This weakness occurs when an application requires a user to follow a specific sequence of actions, but fails to enforce that order. Attackers can exploit this by skipping steps, performing actions out of sequence, or interrupting the flow, which can corrupt the business logic or put the system into an invalid state. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.