The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

How do you prevent CWE-766?

Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access, and preventing tampering.

How is CWE-766 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-766?

Exploiting CWE-766 can lead to: Read Application Data, Modify Application Data, Reduce Maintainability.

CWE-766: Critical Data Element Declared Public

How to prevent it

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following example declares a critical variable public, making it accessible to anyone with access to the object in which it is contained.

Vulnerable example

cpp

public: char* password;

Safe example

cpp

private: char* password;

The following example shows a basic user account class that includes member variables for the username and password as well as a public constructor for the class and a public method to authorize access to the user account.

Vulnerable example

cpp

#define MAX_PASSWORD_LENGTH 15

Safe example

cpp

class UserAccount

However, the member variables username and password are declared public and therefore will allow access and changes to the member variables to anyone with access to the object. These member variables should be declared private as shown below to prevent unauthorized access and changes.

How to prevent it

CWE-766: Critical Data Element Declared Public

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-766?

How do you prevent CWE-766?

How is CWE-766 detected?

What are the consequences of CWE-766?

References

Stay ahead of CWE-766

How to prevent it

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-766?

How do you prevent CWE-766?

How is CWE-766 detected?

What are the consequences of CWE-766?

References

Stay ahead of CWE-766