CWE-694: Use of Multiple Resources with Duplicate Identifier
Learn about CWE-694 (Use of Multiple Resources with Duplicate Identifier), its security impact, exploitation methods, and prevention guidelines.
What is Use of Multiple Resources with Duplicate Identifier?
• Overview: The vulnerability CWE-694 occurs when a software product uses multiple resources that can share the same identifier, even though each resource should have a unique identifier. This can lead to the program mistakenly operating on the wrong resource.
• Exploitation Methods:
- Attackers can exploit this vulnerability by creating or manipulating resources to have duplicate identifiers, leading the system to perform actions on incorrect resources.
- Common attack patterns include creating multiple accounts or sessions with the same identifier to confuse the application logic.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized access or modification of resources.
- Potential cascading effects might involve data corruption or leakage if operations are performed on unintended resources.
- Business impact could include loss of customer trust, legal liabilities, and potential financial losses due to data breaches or service disruptions.
• Prevention Guidelines:
- Specific code-level fixes involve ensuring that all resources are assigned and checked for unique identifiers before any operation.
- Security best practices include implementing rigorous validation checks and using unique constraints in databases.
- Recommended tools and frameworks are those that support unique identifier generation and validation, such as UUID libraries or database features that enforce uniqueness.
Corgea can automatically detect and fix Use of Multiple Resources with Duplicate Identifier in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
class ResourceManager {
constructor() {
this.resources = {};
}
addResource(identifier, resource) {
// Vulnerable code: allows duplicate identifiers, leading to overwriting
this.resources[identifier] = resource; // Overwrites any existing resource with the same identifier
}
getResource(identifier) {
return this.resources[identifier];
}
}
Explanation
The above code does not check if an identifier already exists before adding a new resource. This can lead to unintentional overwriting of resources if the same identifier is used multiple times, which can result in data loss or unexpected behavior.
How to fix Use of Multiple Resources with Duplicate Identifier?
To resolve this vulnerability, ensure that each identifier is checked for uniqueness before adding a resource. If an identifier already exists, you should either throw an error or handle it in a way that prevents overwriting. This ensures that each resource remains uniquely identifiable, preserving the integrity of the data.
Fixed Code Example
class ResourceManager {
constructor() {
this.resources = {};
}
addResource(identifier, resource) {
// Fixed code: checks for existing identifiers to prevent overwriting
if (this.resources.hasOwnProperty(identifier)) {
throw new Error(`Resource with identifier '\${identifier}' already exists.`); // Prevents duplicate identifiers
}
this.resources[identifier] = resource; // Safely adds the resource
}
getResource(identifier) {
return this.resources[identifier];
}
}
Explanation
In the fixed code, before adding a resource, we check if the identifier already exists using hasOwnProperty. If it does, an error is thrown to prevent overwriting. This ensures that each resource identifier is unique, maintaining the integrity and reliability of the resource management system.