CWE-656 Detail

CWE-656

Name

Reliance on Security Through Obscurity

Status

Draft

Published

2008-01-30
00h00 +00:00

Modified

2023-10-26
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Reliance on Security Through Obscurity

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.

CWE Description

This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.

General Informations

Modes Of Introduction

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability Other	Other Note: The security mechanism can be bypassed easily.

Observed Examples

References	Description
CVE-2006-6588	Reliance on hidden form fields in a web application. Many web application vulnerabilities exist because the developer did not consider that "hidden" form fields can be processed using a modified client.
CVE-2006-7142	Hard-coded cryptographic key stored in executable program.
CVE-2005-4002	Hard-coded cryptographic key stored in executable program.
CVE-2006-4068	Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.

Potential Mitigations

Phases : Architecture and Design
Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others.
Phases : Architecture and Design
When available, use publicly-vetted algorithms and procedures, as these are more likely to undergo more extensive security analysis and testing. This is especially the case with encryption and authentication.

Vulnerability Mapping Notes

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comment : Examine children of this entry to see if there is a better fit

NotesNotes

Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.

References

REF-196

The Protection of Information in Computer Systems
Jerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/

REF-544

Never Assuming that Your Secrets Are Safe
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20220126060054/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/never-assuming-that-your-secrets-are-safe

REF-542

RFC: 793, TRANSMISSION CONTROL PROTOCOL
Jon Postel, Editor.
https://www.ietf.org/rfc/rfc0793.txt

Submission

Name	Organization	Date	Date release	Version
Pascal Meunier	Purdue University	2008-01-18 +00:00	2008-01-30 +00:00	Draft 8

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Common_Consequences, Description, Relationships, Other_Notes, Weakness_Ordinalities
CWE Content Team	MITRE	2009-01-12 +00:00	updated Description, Name
CWE Content Team	MITRE	2010-04-05 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-06-23 +00:00	updated Other_Notes, Relationship_Notes
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships
CWE Content Team	MITRE	2019-06-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships, Time_of_Introduction
CWE Content Team	MITRE	2021-03-15 +00:00	updated Relationships
CWE Content Team	MITRE	2021-10-28 +00:00	updated Relationships
CWE Content Team	MITRE	2022-10-13 +00:00	updated Demonstrative_Examples, References
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Demonstrative_Examples, References, Relationships, Type
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2023-10-26 +00:00	updated Demonstrative_Examples