Byte Open Security

(ByteOS Network)

CWE-393: Return of Wrong Status Code
Weakness ID: 393
Version: v4.17
Weakness Name: Return of Wrong Status Code
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.

▼Extended Description

This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the product to assume that an action is safe or correct, even when it is not.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature    Mapping               Type     ID    Name
ChildOf   Allowed-with-Review   Class    684   Incorrect Provision of Specified Functionality
ChildOf   Discouraged           Pillar   703   Improper Check or Handling of Exceptional Conditions
▼Memberships
Nature     Mapping      Type       ID     Name
MemberOf   Prohibited   Category   389    Error Conditions, Return Values, Status Codes
MemberOf   Prohibited   View       884    CWE Cross-section
MemberOf   Prohibited   Category   961    SFP Secondary Cluster: Incorrect Exception Behavior
MemberOf   Prohibited   Category   1412   Comprehensive Categorization: Poor Coding Practices
▼Tags
Nature     Mapping      Type       ID         Name
MemberOf   Prohibited   BOSSView   BOSS-294   Not Language-Specific Weaknesses
MemberOf   Prohibited   BOSSView   BOSS-315   Unexpected State (impact)
MemberOf   Prohibited   BOSSView   BOSS-330   Alter Execution Logic (impact)
▼Relevant To View
Relevant to the view "Software Development - (699)"

Nature     Mapping      Type       ID    Name
MemberOf   Prohibited   Category   389   Error Conditions, Return Values, Status Codes

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"

Nature     Mapping      Type       ID    Name
MemberOf   Prohibited   Category   961   SFP Secondary Cluster: Incorrect Exception Behavior
▼Background Detail

▼Common Consequences
Scope: Integrity, Other
Likelihood: N/A
Impact: Unexpected State, Alter Execution Logic
Note:

This weakness could place the system in a state that could lead to unexpected logic being executed or to other unintended behaviors.

▼Potential Mitigations
▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.


Language: Java (Bad code)

    try {
        // something that might throw IOException
        ...
    } catch (IOException ioe) {
        // an I/O failure is reported to the client as a missing resource
        response.sendError(SC_NOT_FOUND);
    }

▼Observed Examples
Reference: CVE-2003-1132
Description: DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.

Reference: CVE-2001-1509
Description: Hardware-specific implementation of system call causes incorrect results from geteuid.

Reference: CVE-2001-1559
Description: Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).

Reference: CVE-2014-1266
Description: Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).
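The servlet's 404-on-IOException and the CVE-2014-1266 chain above are both instances of one shape: a status variable that already holds "success" at the moment an exit path returns it. The following C listing is an added example, not code from the CWE entry, from Apple, or from any product in the CVEs listed; it shows a hypothetical record validator written fail-open (with a stray `goto` that makes its last check dead code) next to a fail-closed rewrite. The record format, the XOR checksum, the sample payload and all names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed record format (hypothetical): payload bytes plus the
 * length and XOR checksum that the sender claims for them. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t claimed_len;
    uint8_t claimed_sum;
} record_t;

static uint8_t xor_sum(const uint8_t *p, size_t n) {
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s ^= p[i];
    return s;
}

/* Fail-open shape: err starts at 0 (success) and every exit returns whatever
 * err holds. The duplicated goto after the length check turns the checksum
 * comparison into dead code, so a tampered record gets status 0 (CWE-393). */
int validate_fail_open(const record_t *r) {
    int err = 0;
    if (r->data == NULL) { err = -1; goto fail; }
    if (r->len != r->claimed_len) { err = -2; goto fail; }
        goto fail;                                   /* stray jump */
    if (xor_sum(r->data, r->len) != r->claimed_sum) { err = -3; goto fail; }
fail:
    return err;
}

/* Fail-closed shape: err starts as failure and becomes success on one line
 * only, after the last check. A skipped check can now reject a good record
 * but can never accept a bad one. */
int validate_fail_closed(const record_t *r) {
    int err = -1;
    if (r->data == NULL) goto fail;
    if (r->len != r->claimed_len) { err = -2; goto fail; }
    if (xor_sum(r->data, r->len) != r->claimed_sum) { err = -3; goto fail; }
    err = 0;                                         /* only success path */
fail:
    return err;
}

/* Constructed inputs: payload "ab" (XOR 0x03), once with its checksum altered. */
static const uint8_t PAYLOAD[2] = { 'a', 'b' };
static const record_t TAMPERED = { PAYLOAD, 2, 2, 0x7f };
static const record_t GENUINE  = { PAYLOAD, 2, 2, 0x03 };
int tampered_fail_open(void)   { return validate_fail_open(&TAMPERED); }
int tampered_fail_closed(void) { return validate_fail_closed(&TAMPERED); }
int genuine_fail_closed(void)  { return validate_fail_closed(&GENUINE); }
```

The fail-open validator reports the tampered record as valid (status 0) without ever crashing, which is why fuzzing for crashes alone does not surface this class of defect; checking the returned status against a known-bad input does.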
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality   Description
▼Detection Methods
Fuzzing
Detection Method ID: DM-13
Description:

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.

Effectiveness: High
Note:

N/A

▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
Relationship

This can be primary or resultant, but it is probably most often primary to other issues.

▼Taxonomy Mappings
Taxonomy Name             Entry ID   Fit   Entry Name
PLOVER                    N/A        N/A   Wrong Status Code
Software Fault Patterns   SFP6       N/A   Incorrect Exception Behavior
▼Related Attack Patterns
ID   Name
▼References
Details not found