API Abuse
A vulnerability introduced by calling an API incorrectly or by making wrong assumptions about what the API actually guarantees (as opposed to what its name or documentation seems to promise).
Examples
- Dangerous functions
system(), gets() (C), eval() (JavaScript), exec() (PHP), eval() (Ruby), eval() (Python), eval() (Java), ...
- Unchecked return values
- Ignoring the return value of a function that reports failure through its return value (an error code, -1, or NULL), so the program continues as if the call had succeeded
- Wrong security assumptions
- A server uses gethostbyaddr() to check whether a given IP address belongs to a host on a whitelist. Wrong assumption: that the hostname gethostbyaddr() returns is the name legitimately associated with that IP address. In reality it returns whatever the reverse (PTR) record for the address says, and the reverse zone for an address block is controlled by whoever owns that block. An attacker can therefore publish a PTR record for their own IP address that points at a whitelisted hostname and pass the check. The standard fix is forward-confirmed reverse DNS: resolve the returned hostname forward again and accept it only if the original IP address is among its addresses (and even then, IP- or name-based trust is no substitute for authenticating the peer).
- A server uses
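The gethostbyaddr() case above, written out as an added example (not code from the original page). Real DNS calls are replaced by two constructed lookup tables so the program runs offline: the PTR table models reverse records, where the attacker owning 203.0.113.7 has published a PTR pointing at the whitelisted name, and the A table models forward records, which only the owner of example.com controls. The hostnames, addresses and the helper names fake_gethostbyaddr()/fake_gethostbyname() are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed reverse (PTR) records. The owner of each address block decides
 * what its PTR records say, so the attacker controls the entry for 203.0.113.7
 * and simply copies the whitelisted name. */
struct ptr_record { const char *ip; const char *hostname; };
static const struct ptr_record PTR_TABLE[] = {
    { "198.51.100.10", "trusted.example.com" },  /* the real trusted host   */
    { "203.0.113.7",   "trusted.example.com" },  /* attacker-controlled lie */
};

/* Constructed forward (A) records, controlled by the owner of example.com. */
struct a_record { const char *hostname; const char *ips[4]; };
static const struct a_record A_TABLE[] = {
    { "trusted.example.com", { "198.51.100.10", NULL } },
};

static const char *const WHITELIST[] = { "trusted.example.com", NULL };

/* Stand-in for gethostbyaddr(): IP address -> hostname from the PTR record. */
static const char *fake_gethostbyaddr(const char *ip) {
    for (size_t i = 0; i < sizeof PTR_TABLE / sizeof PTR_TABLE[0]; i++)
        if (strcmp(PTR_TABLE[i].ip, ip) == 0)
            return PTR_TABLE[i].hostname;
    return NULL;  /* no PTR record */
}

/* Stand-in for gethostbyname(): hostname -> NULL-terminated list of addresses. */
static const char *const *fake_gethostbyname(const char *hostname) {
    for (size_t i = 0; i < sizeof A_TABLE / sizeof A_TABLE[0]; i++)
        if (strcasecmp(A_TABLE[i].hostname, hostname) == 0)
            return A_TABLE[i].ips;
    return NULL;  /* no A record */
}

static bool on_whitelist(const char *hostname) {
    for (size_t i = 0; WHITELIST[i] != NULL; i++)
        if (strcasecmp(WHITELIST[i], hostname) == 0)
            return true;
    return false;
}

/* Vulnerable check: trusts the reverse lookup alone. */
bool is_trusted_vulnerable(const char *ip) {
    const char *host = fake_gethostbyaddr(ip);
    return host != NULL && on_whitelist(host);
}

/* Hardened check: forward-confirmed reverse DNS. The name from the PTR record
 * is only accepted if resolving it forward yields the original IP address,
 * which the attacker cannot arrange for a zone they do not control. */
bool is_trusted_fcrdns(const char *ip) {
    const char *host = fake_gethostbyaddr(ip);
    if (host == NULL || !on_whitelist(host))
        return false;
    const char *const *addrs = fake_gethostbyname(host);
    if (addrs == NULL)
        return false;
    for (size_t i = 0; addrs[i] != NULL; i++)
        if (strcmp(addrs[i], ip) == 0)
            return true;
    return false;
}

int main(void) {
    const char *clients[] = { "198.51.100.10", "203.0.113.7", "192.0.2.1" };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-14s vulnerable=%d fcrdns=%d\n", clients[i],
               is_trusted_vulnerable(clients[i]), is_trusted_fcrdns(clients[i]));
    return 0;
}
```

In production code the forward lookup would use getaddrinfo() rather than gethostbyname() (which is obsolete and not thread-safe), and the comparison should cover every address the name resolves to. Forward confirmation only proves that the reverse and forward zones agree; it does not authenticate the peer, so it belongs behind, not in place of, real authentication.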