# Insecure Design (A06:2025)

Insecure design is a broad category representing different weaknesses, expressed as missing or ineffective control design. This is distinct from implementation flaws: a flawless implementation cannot compensate for a control the design never specified.

## Overview

Slides from #4 (in 2021) to #6 in 2025. Since the category was introduced in 2021 there have been noticeable improvements in the industry related to threat modeling and a greater emphasis on secure design. The category focuses on risks arising from design and architectural flaws rather than from coding mistakes.

## How Attackers Exploit This

### Business logic bypass

Application flows can be circumvented because the design didn't account for all possible user paths or state transitions, so a later step can be reached without the earlier ones having happened.

**Detection signal:** Users completing process steps in an unexpected order; validation missing at critical steps

### Missing rate limiting

Sensitive operations such as password reset or account creation lack rate limits, enabling automated attacks such as brute force and account enumeration.

**Detection signal:** High volume of requests to sensitive endpoints from single sources

### Insufficient anti-automation

Critical functions lack protections against automated abuse, such as CAPTCHA or proof-of-work.
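A per-source and per-account limiter for a sensitive endpoint, alongside the detection query for the "high volume from single sources" signal, covering the missing-rate-limiting and anti-automation patterns above. This is an added example, not code from this page or from the project it documents; the endpoint path, limit, window and access-log format are assumptions chosen for illustration, and the log sample is constructed.

```python
"""Rate limiting for a sensitive endpoint, and detection of sources that hammer it.

Added example for the missing-rate-limiting and anti-automation patterns; not code
from this page or its project. The endpoint path, limit, window and log format
are assumptions chosen for illustration.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window_seconds` span."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:  # evict events that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject without recording the attempt
        q.append(now)
        return True


def password_reset_vulnerable(requests):
    """The flaw: every reset request is served, no matter how many arrive."""
    return [True for _ in requests]


def password_reset_hardened(requests, limit=5, window_seconds=60):
    """Limit by requesting source AND by targeted account.

    Keying only on IP misses distributed attacks against one account; keying only
    on account lets one source enumerate many accounts. `and` short-circuits, so a
    request rejected by the source limit is not charged to the account budget.
    """
    by_source = SlidingWindowLimiter(limit, window_seconds)
    by_account = SlidingWindowLimiter(limit, window_seconds)
    return [by_source.allow(ip, ts) and by_account.allow(user, ts)
            for ts, ip, user in requests]


# Constructed access-log sample: "<epoch> <ip> <method> <path> user=<account>".
RESET_LOG = """\
1700000000 203.0.113.7 POST /password-reset user=alice
1700000002 203.0.113.7 POST /password-reset user=bob
1700000004 203.0.113.7 POST /password-reset user=carol
1700000006 203.0.113.7 POST /password-reset user=dave
1700000008 203.0.113.7 POST /password-reset user=erin
1700000010 203.0.113.7 POST /password-reset user=frank
1700000012 203.0.113.7 POST /password-reset user=grace
1700000014 203.0.113.7 GET /login user=-
1700000020 198.51.100.2 POST /password-reset user=alice
1700000050 198.51.100.2 POST /password-reset user=alice
"""


def parse_access_log(text):
    """Yield (timestamp, ip, method, path, account) per line of the constructed format."""
    for line in text.splitlines():
        ts, ip, method, path, user_field = line.split()
        yield int(ts), ip, method, path, user_field.split("=", 1)[1]


def reset_requests(text, path="/password-reset"):
    """Extract (timestamp, ip, account) for POSTs to the sensitive endpoint."""
    return [(ts, ip, user) for ts, ip, method, p, user in parse_access_log(text)
            if method == "POST" and p == path]


def high_volume_sources(text, path="/password-reset", threshold=5, window_seconds=60):
    """Detection signal: sources exceeding `threshold` hits on `path` in any window.

    Returns {ip: peak_hits_in_window} for offending sources only.
    """
    per_ip = defaultdict(list)
    for ts, ip, _user in reset_requests(text, path):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window_seconds:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    reqs = reset_requests(RESET_LOG)
    print("vulnerable:", password_reset_vulnerable(reqs))
    print("hardened:  ", password_reset_hardened(reqs))
    print("flagged:   ", high_volume_sources(RESET_LOG))
```

With the constructed log, the hardened handler serves the first five resets from 203.0.113.7 and rejects the sixth and seventh, while the two requests from 198.51.100.2 are still allowed; the detection pass flags 203.0.113.7 with a peak of 7 hits in the window and ignores its unrelated /login request. In production the limiter state would live in a shared store rather than process memory, and the threshold should be tuned against legitimate peak traffic before alerting on it.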
**Detection signal:** Bot-like traffic patterns, automated form submissions

## How to Prevent

- Establish a secure development lifecycle with security professionals involved from design onward
- Use threat modeling for critical authentication, access control and business logic flows
- Integrate security language and controls into user stories
- Write unit and integration tests to validate security controls
- Segregate tier layers based on exposure and protection needs
- Limit resource consumption by user or service

## CWEs with Detection Rules (8)

- **CWE-209**: Generation of Error Message Containing Sensitive Information (5 rules) [go, javascript, typescript, python]
- **CWE-434**: Unrestricted Upload of File with Dangerous Type (3 rules) [go, javascript, typescript, python]
- **CWE-840**: Business Logic Errors (3 rules) [go, javascript, typescript, python]
- **CWE-235**: Improper Handling of Extra Parameters (2 rules) [javascript, typescript, python]
- **CWE-269**: Improper Privilege Management (2 rules) [python]
- **CWE-444**: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (1 rule) [python]
- **CWE-598**: Use of GET Request Method With Sensitive Query Strings (1 rule) [python]
- **CWE-807**: Reliance on Untrusted Inputs in a Security Decision (1 rule) [python]

## Other Mapped CWEs (32)

- CWE-73: External Control of File Name or Path
- CWE-183: Permissive List of Allowed Inputs
- CWE-213: Exposure of Sensitive Information Due to Incompatible Policies
- CWE-256: Plaintext Storage of a Password
- CWE-257: Storing Passwords in a Recoverable Format
- CWE-266: Incorrect Privilege Assignment
- CWE-280: Improper Handling of Insufficient Permissions or Privileges
- CWE-311: Missing Encryption of Sensitive Data
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-313: Cleartext Storage in a File or on Disk
- CWE-316: Cleartext Storage of Sensitive Information in Memory
- CWE-419: Unprotected Primary Channel
- CWE-430: Deployment of Wrong Handler
- CWE-451: User Interface (UI) Misrepresentation of Critical Information
- CWE-472: External Control of Assumed-Immutable Web Parameter
- CWE-501: Trust Boundary Violation
- CWE-522: Insufficiently Protected Credentials
- CWE-525: Use of Web Browser Cache Containing Sensitive Information
- CWE-539: Use of Persistent Cookies Containing Sensitive Information
- CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session
- CWE-602: Client-Side Enforcement of Server-Side Security
- CWE-642: External Control of Critical State Data
- CWE-646: Reliance on File Name or Extension of Externally-Supplied File
- CWE-650: Trusting HTTP Permission Methods on the Server Side
- CWE-653: Improper Isolation or Compartmentalization
- CWE-656: Reliance on Security Through Obscurity
- CWE-657: Violation of Secure Design Principles
- CWE-799: Improper Control of Interaction Frequency
- CWE-841: Improper Enforcement of Behavioral Workflow
- CWE-927: Use of Implicit Intent for Sensitive Communication
- CWE-1021: Improper Restriction of Rendered UI Layers or Frames
- CWE-1173: Improper Use of Validation Framework
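CWE-840 (Business Logic Errors) and CWE-841 (Improper Enforcement of Behavioral Workflow) in the lists above are the business logic bypass pattern described earlier. As an added example, not code from this page or from the project it documents, here is a checkout workflow with that flaw and its fix as an explicit state machine, plus a replay check for the "steps completed in unexpected order" signal that doubles as the kind of test the prevention list asks for; the step names, states and application-log format are assumptions, and the log sample is constructed.

```python
"""Business logic bypass: enforce workflow order with an explicit state machine,
and replay logs to find steps that a correct flow could not have reached.

Added example for CWE-840/CWE-841 (business logic bypass); not code from this
page or its project. The checkout steps and the log format are assumptions.
"""
from collections import defaultdict

# The design decision the vulnerable version never made explicit: which step is
# legal from which state, and which state each step leads to.
ALLOWED_FROM = {
    "add_item":      {"cart"},
    "enter_address": {"cart"},
    "pay":           {"address_entered"},
    "ship":          {"paid"},
}
NEXT_STATE = {
    "add_item": "cart",
    "enter_address": "address_entered",
    "pay": "paid",
    "ship": "shipped",
}


class WorkflowError(Exception):
    pass


class VulnerableCheckout:
    """Each step is its own endpoint; none checks what happened before it."""

    def __init__(self):
        self.paid = False
        self.shipped = False

    def pay(self):
        self.paid = True
        return self.paid

    def ship(self):
        # Flaw: /ship assumes /pay already ran, but nothing enforces that.
        self.shipped = True
        return self.shipped


class HardenedCheckout:
    """Every step validates the current state before acting (the fix)."""

    def __init__(self):
        self.state = "cart"

    def step(self, name):
        if name not in ALLOWED_FROM:
            raise WorkflowError(f"unknown step {name!r}")
        if self.state not in ALLOWED_FROM[name]:
            raise WorkflowError(f"{name} not allowed from state {self.state}")
        self.state = NEXT_STATE[name]
        return self.state

    def try_step(self, name):
        """Non-raising variant returning (ok, new_state_or_reason)."""
        try:
            return True, self.step(name)
        except WorkflowError as exc:
            return False, str(exc)


# Constructed application log: "<iso-time> order=<id> step=<name>".
ORDER_LOG = """\
2025-01-10T10:00:01Z order=1001 step=add_item
2025-01-10T10:00:05Z order=1001 step=enter_address
2025-01-10T10:00:09Z order=1001 step=pay
2025-01-10T10:00:12Z order=1001 step=ship
2025-01-10T10:01:00Z order=1002 step=add_item
2025-01-10T10:01:02Z order=1002 step=ship
2025-01-10T10:02:00Z order=1003 step=pay
"""


def parse_order_log(text):
    """Yield (timestamp, order_id, step) per line of the constructed format."""
    for line in text.splitlines():
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        yield ts, fields["order"], fields["step"]


def find_out_of_order(text):
    """Detection signal: replay each order through the state machine and
    report every step the legitimate flow could not have reached."""
    flows = defaultdict(HardenedCheckout)  # one fresh state machine per order
    violations = []
    for _ts, order, step in parse_order_log(text):
        ok, detail = flows[order].try_step(step)
        if not ok:
            violations.append((order, step, detail))
    return violations


if __name__ == "__main__":
    v = VulnerableCheckout()
    print("vulnerable ship without pay:", v.ship(), "paid:", v.paid)
    print("hardened ship from cart:", HardenedCheckout().try_step("ship"))
    print("violations:", find_out_of_order(ORDER_LOG))
```

On the constructed log, order 1001 replays cleanly, order 1002 is flagged for shipping straight from the cart, and order 1003 for paying without an address; the same replay run against real application logs surfaces the endpoints whose design trusts a prior step it never verified. The transition table is also the artifact to threat-model: every step missing from it is a path the design has not considered.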
## Quick Reference

- Total CWEs: 40
- With Shoulder rules: 8
- Detection rules: 18
- Critical rules: 1