Category: Validate Inputs

Draft
Summary

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs, both to keep malformed data from entering the system and to prevent code injection through the input data. If they are not addressed when designing or implementing a secure architecture, the weaknesses in this category can degrade the quality of data flow in a system.

Membership
ID | Name | Description
CWE-138 | Improper Neutralization of Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have specific meanings in the target interpreter or protocol. This allows attackers to inject control elements that alter how downstream components process the data.
CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | This vulnerability occurs when an application fails to properly sanitize or escape special character sequences in user-supplied input before passing that data to another system or component. Attackers can inject escape, meta, or control sequences to manipulate how the downstream component interprets the data, often leading to command execution, data corruption, or unauthorized actions.
CWE-20 | Improper Input Validation | This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and correctly formatted before using it. This missing or flawed validation check allows malicious or malformed inputs to disrupt the application's logic or security.
CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | This vulnerability occurs when a system processes both trusted and untrusted data together but fails to separate them. The application incorrectly treats all incoming data, including the untrusted portion, with the same level of trust as the legitimate data.
CWE-352 | Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) happens when a web application cannot reliably tell whether a user actually intended to submit a request, allowing an attacker to trick a user's browser into performing unwanted actions on their behalf.
CWE-472 | External Control of Assumed-Immutable Web Parameter | This vulnerability occurs when a web application incorrectly trusts data that appears to be fixed or hidden from the user, such as values in hidden form fields, cookies, or URL parameters. Because this data is actually controllable by the client, attackers can modify it to bypass security checks or corrupt application logic.
CWE-473 | PHP External Variable Modification | This vulnerability occurs when a PHP application fails to properly validate or sanitize variables that originate from outside the application, such as HTTP query strings, cookies, or POST data. Attackers can exploit this to inject unexpected values, altering the program's logic and security controls.
CWE-502 | Deserialization of Untrusted Data | This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation, allowing an attacker to manipulate the data to execute malicious code or cause unexpected behavior.
CWE-59 | Improper Link Resolution Before File Access ('Link Following') | This vulnerability occurs when an application uses a filename to access a file but fails to properly check whether that name points to a symbolic link, shortcut, or junction. This allows an attacker to manipulate the link's target, causing the application to read or write to an unintended, potentially sensitive location.
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | An open redirect vulnerability occurs when a web application uses unvalidated user input to determine the destination of a redirect, allowing an attacker to send users to an untrusted, external website.
CWE-641 | Improper Restriction of Names for Files and Other Resources | This vulnerability occurs when an application creates file or resource names using unvalidated user input, failing to properly limit which characters or paths can be used.
CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | XPath Injection occurs when an application uses unvalidated user input to build an XPath query for an XML database. Without proper sanitization, attackers can manipulate the query's structure.
CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | XQuery Injection occurs when an application uses unvalidated user input to build an XQuery expression for querying an XML database. Without proper neutralization, an attacker can manipulate the query's structure.
CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.
CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | This vulnerability occurs when an application fails to properly filter or encode user-supplied data containing special characters or commands that can be interpreted in a different context, such as a command shell, file system, or data format.
CWE-76 | Improper Neutralization of Equivalent Special Elements | This vulnerability occurs when an application successfully blocks or sanitizes a known set of dangerous inputs but fails to recognize and handle alternative forms that have the same meaning or effect.
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | This vulnerability occurs when an application builds a system command using untrusted user input without properly sanitizing it. An attacker can inject their own commands by inserting special characters or code, tricking the application into executing unintended and potentially harmful actions on the underlying system.
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system.
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | This vulnerability occurs when a web application fails to properly sanitize or encode user-supplied input before displaying it on a web page viewed by other users.
CWE-790 | Improper Filtering of Special Elements | This vulnerability occurs when an application accepts data from a source but fails to properly sanitize, or incorrectly filters, special characters or control elements before passing that data to another system component.
CWE-791 | Incomplete Filtering of Special Elements | This vulnerability occurs when an application accepts data from a source but fails to properly clean or neutralize all special characters or commands before passing that data to another system component.
CWE-792 | Incomplete Filtering of One or More Instances of Special Elements | This vulnerability occurs when an application receives external data but fails to properly neutralize all instances of potentially dangerous characters or code patterns before passing that data to another system component.
CWE-793 | Only Filtering One Instance of a Special Element | This vulnerability occurs when an application processes incoming data but only removes or neutralizes one occurrence of a dangerous element, leaving other identical or similar elements untouched before passing the data along.
CWE-794 | Incomplete Filtering of Multiple Instances of Special Elements | This vulnerability occurs when an application receives data from a source but fails to remove or neutralize every instance of a potentially dangerous element before passing that data to another component.
CWE-795 | Only Filtering Special Elements at a Specified Location | This vulnerability occurs when a security filter only checks for dangerous input patterns at specific, predefined locations within the data. It fails to scan the entire input stream, allowing malicious elements that appear outside the expected location to pass through and potentially harm downstream components.
CWE-796 | Only Filtering Special Elements Relative to a Marker | This vulnerability occurs when software filters dangerous inputs or characters but only checks for them in specific, expected locations (such as the start or end of a string). It fails to detect and remove the same dangerous elements if they appear elsewhere in the data, allowing them to pass through to critical system components.
CWE-797 | Only Filtering Special Elements at an Absolute Position | This vulnerability occurs when software checks for dangerous characters or patterns only at a fixed, hard-coded location in the input data. Because it ignores these same elements if they appear anywhere else, attackers can bypass the filter simply by moving the malicious content to a different position.
CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | This vulnerability occurs when an application builds a command string for execution by another component but fails to properly separate or 'neutralize' the intended arguments. This allows an attacker to inject additional command-line arguments, options, or switches by including argument-separating characters (such as spaces or dashes) in untrusted input.
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an attacker to insert malicious SQL code that the database executes, potentially letting them view, modify, or delete sensitive data.
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | This vulnerability occurs when an application builds an LDAP query using untrusted user input without properly sanitizing it. An attacker can inject special characters or commands to alter the query's logic, potentially gaining unauthorized access to, modifying, or extracting sensitive directory information.
CWE-91 | XML Injection (aka Blind XPath Injection) | XML Injection occurs when an application fails to properly validate or escape user-controlled input before including it in XML documents or queries. This allows attackers to inject malicious XML elements or syntax, potentially altering the document's structure, extracting sensitive data, or disrupting processing logic.
CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | This vulnerability occurs when an application uses carriage return and line feed characters (CRLF) to structure data, such as separating lines or records, but fails to properly sanitize these sequences from user-supplied input before processing it.
CWE-94 | Improper Control of Generation of Code ('Code Injection') | This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an attacker can inject special characters or commands that alter the intended code's logic or syntax.
CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | This vulnerability occurs when an application builds a query for a data store (such as a database) but fails to properly sanitize user-controlled input. This allows an attacker to inject special elements that change the query's intended logic, potentially accessing or manipulating data in unauthorized ways.
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | This vulnerability occurs when an application takes user input and passes it directly into a dynamic code execution function, such as eval(), without properly sanitizing it. This allows an attacker to inject and execute arbitrary code within the application's context.
CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Static Code Injection occurs when an application incorporates unvalidated or improperly sanitized user input directly into a static, executable resource such as a configuration file, template, or library. Because this input is saved and later executed, it allows an attacker to inject malicious code that becomes a permanent part of the application's logic.
CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | This vulnerability occurs when a web application dynamically generates pages but fails to properly sanitize user-supplied input that could be interpreted as server-side include (SSI) commands, allowing an attacker to inject malicious directives.
CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | This vulnerability occurs when a PHP application uses unvalidated or insufficiently restricted user input directly within file inclusion functions such as require() or include().
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | This vulnerability occurs when an application accepts user input as a resource identifier (such as a file path or port number) without proper validation, allowing an attacker to access or manipulate resources outside the intended scope.
CWE-1008 | Architectural Concepts | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.