CWE-227: API Misuse - Seven Pernicious Kingdoms

This particular group falls under the classification of vulnerabilities known as the Seven Pernicious Kingdoms. It encompasses weaknesses that occur when software utilizes an API in a way that goes against its intended purpose. The authors of the Seven Pernicious Kingdoms describe an API as a set of rules or expectations agreed upon by the caller and the callee. The most common type of API misuse is when the caller fails to uphold their part of this agreement. For instance, if a program neglects to call the chdir() function after using chroot(), it violates the guidelines for securely changing the active root directory. Another example of misusing a library is when the caller assumes that the callee will provide reliable DNS information that can be used for authentication. This assumption about the behavior of the API can lead to abuse. On the other hand, the caller-callee contract can also be breached from the perspective of the callee. If a coder creates a subclass of SecureRandom and returns a non-random value, they have violated the agreed-upon contract.