CWE-393: Return of Wrong Status Code

CWE-393 · Base Level · 4 CVEs

Description

A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.

This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the product to assume that an action is safe or correct, even when it is not.

Potential Impact

Integrity, Other

Unexpected State, Alter Execution Logic

Demonstrative Examples

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.
Bad

    try {
        // something that might throw IOException
        ...
    } catch (IOException ioe) {
        // 404 tells the client the resource does not exist, although the
        // actual failure was an I/O error while serving a resource that does
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
    }
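The servlet above collapses every I/O failure into 404. The following added example (not code from the CWE entry) shows the same mapping in Python beside a corrected one, together with a constructed downstream consumer whose behaviour depends on the code it receives; the handler, the mappers and the client-side policy are all assumptions made for illustration.

```python
"""Mapping an I/O failure to HTTP 404 (CWE-393) beside a corrected
mapping, and a downstream consumer that changes its behaviour based on
the code it receives.

Added example, not code from the CWE entry. The handler, the status
mappers and the client-side policy are constructed for illustration.
"""
from http import HTTPStatus


def status_for_buggy(exc: Exception) -> HTTPStatus:
    """Mirrors the servlet: every I/O error becomes 404, so a failed read
    of a resource that does exist is reported as 'not found'."""
    if isinstance(exc, OSError):      # IOError is an alias of OSError in Python 3
        return HTTPStatus.NOT_FOUND
    return HTTPStatus.INTERNAL_SERVER_ERROR


def status_for_fixed(exc: Exception) -> HTTPStatus:
    """Report what actually happened: 404 only when the resource is
    missing, 500 when it exists but could not be served."""
    if isinstance(exc, FileNotFoundError):
        return HTTPStatus.NOT_FOUND
    return HTTPStatus.INTERNAL_SERVER_ERROR


def serve(read, mapper):
    """Simplified request handler: run the read and, on failure, choose a
    status with the given mapper. Returns (status, body)."""
    try:
        return HTTPStatus.OK, read()
    except Exception as exc:
        return mapper(exc), None


def client_action(status: int) -> str:
    """Constructed downstream policy that trusts the status code: 404 is
    taken as authoritative (negative-cache, stop retrying), 5xx as
    transient (retry and alert operators)."""
    if status == HTTPStatus.NOT_FOUND:
        return "negative-cache"
    if 500 <= status < 600:
        return "retry-and-alert"
    return "deliver"


def failing(exc: Exception):
    """Build a reader that raises the given exception (constructed input)."""
    def read():
        raise exc
    return read


def outcome(exc: Exception, mapper) -> str:
    """What the consumer ends up doing for a given failure and mapper."""
    status, _ = serve(failing(exc), mapper)
    return client_action(status)


if __name__ == "__main__":
    disk_error = OSError(5, "Input/output error")   # existing resource, failed read
    print("buggy:", outcome(disk_error, status_for_buggy))   # negative-cache
    print("fixed:", outcome(disk_error, status_for_fixed))   # retry-and-alert
```

With the buggy mapping a transient disk error is cached as "resource does not exist" and never retried or alerted on; with the corrected mapping the same failure surfaces as a server error and is treated as such.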

Detection Methods

  • Fuzzing (Effectiveness: High) — Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption,
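The Description notes that a wrong status code from a security-critical check makes the product assume an action is safe when it is not, and the detection method above is fuzzing. The following added example (not part of the CWE entry) ties the two together: a constructed token check that reports success from its error path, the corrected version, and a randomized consistency check that compares each returned status against an independent oracle. The token format, the key and the status codes are assumptions made for illustration.

```python
"""A security check that reports the wrong status (CWE-393), the corrected
version, and a fuzz-style consistency check that catches the mismatch.

Added example, not part of the CWE entry. The token format, the key,
the status codes and the oracle are constructed for illustration.
"""
import hashlib
import hmac
import random

# Status convention of this constructed API: 0 is success, anything else
# names the failure. Callers branch on these values.
OK = 0
ERR_FORMAT = 1
ERR_SIGNATURE = 2

KEY = b"constructed-demo-key"


def _expected_tag(user: bytes) -> bytes:
    """HMAC-SHA256 tag for a user name, hex encoded (64 ASCII bytes)."""
    return hmac.new(KEY, user, hashlib.sha256).hexdigest().encode()


def check_token_buggy(token: bytes) -> int:
    """Token is b'user:hextag'. A parse failure is swallowed and the
    function still returns OK, so a malformed token is reported as valid."""
    status = OK
    try:
        user, tag = token.split(b":", 1)
        if not hmac.compare_digest(_expected_tag(user), tag):
            status = ERR_SIGNATURE
    except Exception:
        pass  # bug: error path falls through to 'return status' with status still OK
    return status


def check_token_fixed(token: bytes) -> int:
    """Every outcome gets its own status; no error path can yield OK."""
    try:
        user, tag = token.split(b":", 1)
    except ValueError:
        return ERR_FORMAT
    if not hmac.compare_digest(_expected_tag(user), tag):
        return ERR_SIGNATURE
    return OK


def authorize(token: bytes, check) -> bool:
    """Caller that trusts the status code for a security decision."""
    return check(token) == OK


def oracle(token: bytes) -> int:
    """Ground truth computed independently of the function under test."""
    if b":" not in token:
        return ERR_FORMAT
    user, tag = token.split(b":", 1)
    return OK if _expected_tag(user) == tag else ERR_SIGNATURE


def find_status_mismatch(check, trials: int = 2000, seed: int = 1):
    """Generate valid, tampered and malformed tokens and return the first
    (token, got, want) whose status disagrees with the oracle, or None if
    the check is consistent over all trials."""
    rng = random.Random(seed)
    for _ in range(trials):
        user = bytes(rng.choice(b"abcdefgh") for _ in range(rng.randint(0, 8)))
        kind = rng.choice(("valid", "tampered", "malformed"))
        if kind == "valid":
            token = user + b":" + _expected_tag(user)
        elif kind == "tampered":
            token = user + b":" + bytes(rng.randrange(256) for _ in range(rng.randint(0, 70)))
        else:
            token = bytes(rng.randrange(256) for _ in range(rng.randint(0, 40)))
            token = token.replace(b":", b"")  # guarantee the malformed shape
        got, want = check(token), oracle(token)
        if got != want:
            return token, got, want
    return None


if __name__ == "__main__":
    print("buggy authorizes garbage:", authorize(b"garbage", check_token_buggy))  # True
    print("fixed authorizes garbage:", authorize(b"garbage", check_token_fixed))  # False
    print("mismatch in buggy check:", find_status_mismatch(check_token_buggy))
    print("mismatch in fixed check:", find_status_mismatch(check_token_fixed))   # None
```

The oracle is the essential ingredient: fuzzing alone only finds crashes, whereas a wrong status code is a silent result, so the harness needs an independent statement of the correct status for each generated input.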

Real-World CVE Examples

CVE ID          Description
CVE-2003-1132   DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
CVE-2001-1509   Hardware-specific implementation of system call causes incorrect results from geteuid.
CVE-2001-1559   Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).
CVE-2014-1266   Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-56

Taxonomy Mappings

  • PLOVER — Wrong Status Code
  • Software Fault Patterns: SFP6 — Incorrect Exception Behavior

Frequently Asked Questions

What is CWE-393?

CWE-393 (Return of Wrong Status Code) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.

How can CWE-393 be exploited?

Exploiting CWE-393 (Return of Wrong Status Code) can leave the product in an unexpected state or alter its execution logic. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-393?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-393?

CWE-393 is classified as a Base-level weakness (Medium abstraction). It has been observed in 4 real-world CVEs.