CWE-749

BaseIncomplete

Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

125 linked vulnerabilities

1 related weaknesses

Extended Description

The function/method was never intended to be exposed to outside actors.
The function/method was only intended to be accessible to a limited set of actors, such as Internet-based access from a single web site.

Architecture and Design

If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.

Architecture and DesignImplementation

accessible to all users
restricted to a small set of privileged users
prevented from being directly accessible at all

IntegrityConfidentialityAvailabilityAccess ControlOtherGain Privileges or Assume IdentityRead Application DataModify Application DataExecute Unauthorized Code or CommandsOther

Exposing critical functionality essentially provides an attacker with the privilege level of the exposed functionality. This could result in the modification or exposure of sensitive data or possibly even execution of arbitrary code.

Automated Static AnalysisEffectiveness: High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)