CWE-656: Reliance on Security Through Obscurity
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.
扩展描述
This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.
常见后果
影响范围: Confidentiality Integrity Availability Other
技术影响: Other
说明: The security mechanism can be bypassed easily.
潜在缓解措施
阶段: Architecture and Design
描述: Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others.
阶段: Architecture and Design
描述: When available, use publicly-vetted algorithms and procedures, as these are more likely to undergo more extensive security analysis and testing. This is especially the case with encryption and authentication.
观察示例
参考: CVE-2006-6588
Reliance on hidden form fields in a web application. Many web application vulnerabilities exist because the developer did not consider that "hidden" form fields can be processed using a modified client.
参考: CVE-2006-7142
Hard-coded cryptographic key stored in executable program.
参考: CVE-2005-4002
Hard-coded cryptographic key stored in executable program.
参考: CVE-2006-4068
Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |