Difference between revisions of "Using the wrong operator"

From OWASP
Jump to: navigation, search
(Related Controls)
(Redirected page to Vulnerabilities)
 
Line 1: Line 1:
{{Template:Vulnerability}}
+
#REDIRECT [[Vulnerabilities]]
{{Template:SecureSoftware}}
 
 
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
 
 
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
 
 
 
==Description==
 
This is a common error given when an operator is used which does not make sense in context.
 
 
 
'''Consequences'''
 
 
 
Unspecified.
 
 
 
'''Exposure period'''
 
 
 
* Pre-design through Build: The use of tools to detect this problem is recommended.
 
* Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, of or misuse, of mitigating technologies.
 
 
 
'''Platform'''
 
 
 
* Languages: Any
 
* Operating platforms: Any
 
 
 
'''Required resources'''
 
 
 
Any
 
 
 
'''Severity'''
 
 
 
Medium
 
 
 
'''Likelihood of exploit'''
 
 
 
Low
 
 
 
These types of bugs generally are the result of a typo. Although most of them can easily be found when testing of the program, it is important that one correct these problems, since they almost certainly will break the code.
 
 
 
==Risk Factors==
 
 
 
TBD
 
 
 
 
 
==Examples==
 
 
 
In C:
 
 
 
<pre>
 
char foo;
 
foo=a+c;
 
</pre>
 
 
 
 
 
==Related [[Attacks]]==
 
 
 
* [[Attack 1]]
 
* [[Attack 2]]
 
 
 
 
 
==Related [[Vulnerabilities]]==
 
 
 
* [[Vulnerability 1]]
 
* [[Vulnerabiltiy 2]]
 
 
 
 
 
 
 
==Related [[Controls]]==
 
 
 
* Pre-design through Build: Most static analysis programs should be able to catch these errors.
 
* Implementation: Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Using this variable, "walk" from one pointer to the other and calculate the difference. Always sanity check this number.
 
 
 
==Related [[Technical Impacts]]==
 
 
 
* [[Technical Impact 1]]
 
* [[Technical Impact 2]]
 
 
 
 
 
==References==
 
 
 
TBD
 
[[Category:FIXME|add links
 
 
 
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 
 
 
Availability Vulnerability
 
 
 
Authorization Vulnerability
 
 
 
Authentication Vulnerability
 
 
 
Concurrency Vulnerability
 
 
 
Configuration Vulnerability
 
 
 
Cryptographic Vulnerability
 
 
 
Encoding Vulnerability
 
 
 
Error Handling Vulnerability
 
 
 
Input Validation Vulnerability
 
 
 
Logging and Auditing Vulnerability
 
 
 
Session Management Vulnerability]]
 
 
 
__NOTOC__
 
 
 
 
 
[[Category:OWASP ASDR Project]]
 
[[Category:Vulnerability]]
 
[[Category:General Logic Error Vulnerability]]
 
[[Category:OWASP_CLASP_Project]]
 

Latest revision as of 14:03, 5 April 2014

Redirect to: