1. Home
  2. CWE Database
  3. CWE-656
Class · High

CWE-656: Reliance on Security Through Obscurity

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.

CWE-656 · Class Level ·4 CVEs ·2 Mitigations

Description

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.

This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.

Potential Impact

Confidentiality, Integrity, Availability, Other

Other

Mitigations & Prevention

Architecture and Design

Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others.

Architecture and Design

When available, use publicly-vetted algorithms and procedures, as these are more likely to undergo more extensive security analysis and testing. This is especially the case with encryption and authentication.

Real-World CVE Examples

CVE IDDescription
CVE-2006-6588Reliance on hidden form fields in a web application. Many web application vulnerabilities exist because the developer did not consider that "hidden" form fields can be processed using a modified clien
CVE-2006-7142Hard-coded cryptographic key stored in executable program.
CVE-2005-4002Hard-coded cryptographic key stored in executable program.
CVE-2006-4068Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.

CWE-657: Violation of Secure Design Principles

The product violates well-established principles for secure design.

CWE-693: Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed at...

CWE-259: Use of Hard-coded Password

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communicati...

CWE-321: Use of Hard-coded Cryptographic Key

The product uses a hard-coded, unchangeable cryptographic key.

CWE-472: External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally con...

Frequently Asked Questions

What is CWE-656?

CWE-656 (Reliance on Security Through Obscurity) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.

How can CWE-656 be exploited?

Attackers can exploit CWE-656 (Reliance on Security Through Obscurity) to other. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-656?

Key mitigations include: Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box

What is the severity of CWE-656?

CWE-656 is classified as a Class-level weakness (High abstraction). It has been observed in 4 real-world CVEs.