Protection Mechanism Failure
This weakness occurs when software either lacks a necessary security control, implements one that is too weak, or fails to activate an existing control in a critical area, leaving it vulnerable to targeted attacks.
Protection Mechanism Failure breaks down into three common scenarios developers encounter. First, a **missing mechanism** means the application has no defense at all for a specific attack type, like having no input validation for SQL queries. Second, an **insufficient mechanism** provides only partial protection; for example, a rate limiter that blocks simple brute-force attempts but is easily bypassed by distributed attacks. Finally, an **ignored mechanism** happens when a security feature (like output encoding) is built into the application but is accidentally not called in certain code paths, creating inconsistent protection. In practice, this weakness often stems from inconsistent security policies, misunderstood threat models, or human error during implementation. To prevent it, ensure security controls are applied uniformly across all relevant components, regularly test defenses against the latest attack techniques, and verify that no code paths unintentionally bypass your established security layers.
Impact: Bypass Protection Mechanism
- 1DEPRECATED: Location
- 17DEPRECATED: Code
- 20Improper Input Validation
- 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- 36Absolute Path Traversal
- 51Path Equivalence: '/multiple//internal/slash'
- 57Path Equivalence: 'fakedir/../realdir/filename'
- 59Improper Link Resolution Before File Access ('Link Following')
- 65Windows Hard Link
- 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- 87Improper Neutralization of Alternate XSS Syntax
- 107Struts: Unused Validation Form
- 127Buffer Under-read
- 237Improper Handling of Structural Elements
- 477Use of Obsolete Function
- 480Use of Incorrect Operator
- 668Exposure of Resource to Wrong Sphere