Use of Multiple Resources with Duplicate Identifier

Incomplete Base
Structure: Simple
Description

The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.

Extended Description

If the product assumes that each resource has a unique identifier, the product could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection.

Scope: Other

Impact: Quality Degradation

Potential Mitigations
Phase: Architecture and Design
Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately.
Demonstrative Examples

ID : DX-221

These two Struts validation forms have the same name.

Code Example:

Bad (XML)
It is not certain which form will be used by Struts. It is critically important that validation logic be maintained and kept in sync with the rest of the product.
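The mitigation above (detect non-unique identifiers, refuse to operate on them, and report the error) can be applied to Struts validation files before deployment. The following is an added example, not code from the original page or from Struts: the sample XML, its form and field names, and the function names are constructed for illustration. It assumes form names must be unique per formset locale (the `language`, `country` and `variant` attributes), so the same name in a different locale is not flagged.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not from the original page): "ProjectForm" is defined
# twice in the default formset; "LoginForm" appears once per locale.
SAMPLE_VALIDATION_XML = """\
<form-validation>
  <formset>
    <form name="ProjectForm">
      <field property="projectName" depends="required"/>
    </form>
    <form name="ProjectForm">
      <field property="ownerEmail" depends="required,email"/>
    </form>
    <form name="LoginForm">
      <field property="username" depends="required"/>
    </form>
  </formset>
  <formset language="fr">
    <form name="LoginForm">
      <field property="username" depends="required"/>
    </form>
  </formset>
</form-validation>
"""


def find_duplicate_forms(xml_text):
    """Return {(locale, form_name): count} for every form name defined more
    than once in the same locale; locale is (language, country, variant)."""
    root = ET.fromstring(xml_text)
    counts = defaultdict(int)
    for formset in root.iter("formset"):
        locale = tuple(formset.get(k, "") for k in ("language", "country", "variant"))
        for form in formset.findall("form"):
            counts[(locale, form.get("name", ""))] += 1
    return {key: n for key, n in counts.items() if n > 1}


def load_validation_rules(xml_text):
    """Fail closed: reject the whole file if any form name is ambiguous."""
    duplicates = find_duplicate_forms(xml_text)
    if duplicates:
        names = sorted(name for _, name in duplicates)
        raise ValueError(f"duplicate form names, refusing to load: {names}")
    return ET.fromstring(xml_text)
```

Running `find_duplicate_forms` as a build or CI step over each validation file catches the collision before the framework has to choose between the two definitions.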
Observed Examples
CVE-2013-4787: chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Notes
Relationship: This weakness is probably closely associated with other issues related to doubling, such as Multiple Operations on Resource in Single-Operation Context (Duplicate Operations on Resource). It's often a case of an API contract violation (7PK - API Abuse).