Difference between revisions of "Incorrect block delimitation"

From OWASP
 
(Reverting to last version not containing links to www.textbomono.com)
 
(10 intermediate revisions by 6 users not shown)

Latest revision as of 13:30, 27 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 05/27/2009

Vulnerabilities Table of Contents

Description

In some languages, forgetting to explicitly delimit a block can result in a logic error that can, in turn, have security implications.

Consequences

This is a general logic error - with all the potential consequences that this entails.

Exposure period

  • Implementation

Platform

C, C++, C#, Java

Required resources

Any

Severity

Varies

Likelihood of exploit

Low

In many languages, braces are optional around a single-statement block. When braces are omitted, it is easy to introduce a logic error in which a statement that is thought to be inside the block is actually outside it. This is a common and well-known reliability error.


Risk Factors

TBD

Examples

In this example, when the condition is true, the intention may be that both x and y run.

if (condition==true) x;   /* only x is guarded by the if */
  y;                      /* y runs unconditionally, despite the indentation */
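The following C program is an added example, not part of the OWASP page; the function names, the authorization scenario and the audit counter are constructed for illustration. It shows the pattern above applied to a deny-by-default authorization check: without braces, only the first statement is guarded, so the grant runs on every call, and the same check with explicit braces behaves as intended.

```c
#include <stdio.h>

/* Constructed example (not from the OWASP page): an authorization check
 * where a missing pair of braces turns a deny-by-default decision into an
 * unconditional grant. All names and logic are hypothetical. */

/* Stand-in for an audit log: counts how many "granted" events were recorded. */
static int audit_granted_events = 0;

/* VULNERABLE: the author intended both statements to run only when the token
 * is valid, but without braces only the first statement is guarded.
 * `allowed = 1;` executes on every call, so an invalid token is still granted.
 * The pragma silences the compiler check (-Wmisleading-indentation, enabled by
 * GCC's -Wall) that would otherwise flag this; it is here only so the buggy
 * version compiles cleanly under -Werror for the demonstration. Real builds
 * should keep that warning on. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wmisleading-indentation"
int authorize_buggy(int token_valid)
{
    int allowed = 0;                 /* deny by default */
    if (token_valid)
        audit_granted_events++;      /* guarded by the if */
        allowed = 1;                 /* NOT guarded: runs unconditionally */
    return allowed;
}
#pragma GCC diagnostic pop

/* FIXED: explicit braces make the block boundary unambiguous, so the grant
 * happens only on the validated path. */
int authorize_fixed(int token_valid)
{
    int allowed = 0;                 /* deny by default */
    if (token_valid) {
        audit_granted_events++;
        allowed = 1;
    }
    return allowed;
}

int main(void)
{
    /* buggy grants both the valid and the invalid token; fixed grants only the valid one */
    printf("buggy: valid=%d invalid=%d\n", authorize_buggy(1), authorize_buggy(0));
    printf("fixed: valid=%d invalid=%d\n", authorize_fixed(1), authorize_fixed(0));
    return 0;
}
```

Compiling with `gcc -Wall` (GCC 6 or later) or `clang -Wall` (Clang 10 or later) reports the unguarded statement in the buggy function via `-Wmisleading-indentation` when the pragma is removed, which is the kind of automated enforcement the "Related Controls" entry below recommends.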


Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: Always use explicit block delimitation and use static-analysis technologies to enforce this practice.


Related Technical Impacts


References

TBD