1. Home
  2. CWE Database
  3. CWE-841
Class · High

CWE-841: Improper Enforcement of Behavioral Workflow

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

CWE-841 · Class Level ·9 CVEs

Description

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

By performing actions in an unexpected order, or by omitting steps, an attacker could manipulate the business logic of the product or cause it to enter an invalid state. In some cases, this can also expose resultant weaknesses. For example, a file-sharing protocol might require that an actor perform separate steps to provide a username, then a password, before being able to transfer files. If the file-sharing server accepts a password command followed by a transfer command, without any username being provided, the product might still perform the transfer. Note that this is different than CWE-696, which focuses on when the product performs actions in the wrong sequence; this entry is closely related, but it is focused on ensuring that the actor performs actions in the correct sequence. Workflow-related behaviors include:

Potential Impact

Other

Alter Execution Logic

Demonstrative Examples

This code is part of an FTP server and deals with various commands that could be sent by a user. It is intended that a user must successfully login before performing any other action such as retrieving or listing files.
Bad
def dispatchCommand(command, user, args):
                        if command == 'Login':loginUser(args)return
                           
                           
                           # user has requested a file
                           if command == 'Retrieve_file':
			   
			   if authenticated(user) and ownsFile(user,args):
			   
			   sendFile(args)return
			   
                           if command == 'List_files':listFiles(args)return
                           
                           ...
The server correctly avoids sending files to a user that isn't logged in and doesn't own the file. However, the server will incorrectly list the files in any directory without confirming the command came from an authenticated user, and that the user is authorized to see the directory's contents.
Here is a fixed version of the above example:
Good
def dispatchCommand(command, user, args):
                        
                           
                           ...
                           if command == 'List_files':if authenticated(user) and ownsDirectory(user,args):listFiles(args)return
                           
                           
                           ...

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2011-0348Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination.
CVE-2007-3012Attacker can access portions of a restricted page by canceling out of a dialog.
CVE-2009-5056Ticket-tracking system does not enforce a permission setting.
CVE-2004-2164Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion.
CVE-2003-0777Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault.
CVE-2005-3327Chain: Authentication bypass by skipping the first startup step as required by the protocol.
CVE-2004-0829Chain: File server crashes when sent a "find next" request without an initial "find first."
CVE-2010-2620FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.
CVE-2005-3296FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.

CWE-691: Insufficient Control Flow Management

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow c...

Taxonomy Mappings

  • WASC: 40 — Insufficient Process Validation

Frequently Asked Questions

What is CWE-841?

CWE-841 (Improper Enforcement of Behavioral Workflow) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

How can CWE-841 be exploited?

Attackers can exploit CWE-841 (Improper Enforcement of Behavioral Workflow) to alter execution logic. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-841?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-841?

CWE-841 is classified as a Class-level weakness (High abstraction). It has been observed in 9 real-world CVEs.