I see what you’re saying about the CWE-14[0-6] family being pretty limited to 
input processing when the issue could exist because of input or malformed 
output. Perhaps changing these to input/output would be more inclusive of this 
type of issue. Good catch.


From: Kurt Seifried <k...@seifried.org> 
Sent: Friday, July 1, 2022 8:37 PM
Subject: [Non-DoD Source] Is there a CWE for this?


I ran across this today while auditing CSA services quarterly:


In bl.ink URL redirection service, as of 2022-07-01 an improperly formatted 
security header exists in the HSTS support, specifically, the header served is 
\"strict-transport-security: max-age=63072000; includeSubdomains;\" which 
contains an extra semicolon (the final one is not needed), this may result in 
some client ignoring the HSTS header and thus rendering this security 
protection ineffective.


there's some stuff for inbound/input/malformed/configuration/directive/etc, but 
I'm not seeing anything for malformed outbound configuration/output. 



Kurt Seifried (He/Him)
k...@seifried.org <mailto:k...@seifried.org> 

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to