Category: Data Validation Issues
Draft
Summary
Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-112 | Missing XML Validation | This vulnerability occurs when an application processes XML data from an untrusted source without first validating its structure and content against a defined schema. |
| CWE-1173 | Improper Use of Validation Framework | This vulnerability occurs when a software application either fails to use or incorrectly implements a built-in or library-provided input validation framework. |
| CWE-1284 | Improper Validation of Specified Quantity in Input | This vulnerability occurs when an application accepts user input meant to define a quantity—like a number, size, or count—but fails to properly check if that value is safe and reasonable before using it. |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | This vulnerability occurs when software accepts user input to determine a location—like an array index, file position, or memory offset—but fails to properly check if that location is safe and valid before using it. |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | This vulnerability occurs when software expects input in a specific, well-structured format but fails to properly check that the incoming data actually follows those rules. |
| CWE-1287 | Improper Validation of Specified Type of Input | This vulnerability occurs when software expects a specific type of data as input but fails to properly check that the incoming data actually matches that type. |
| CWE-1288 | Improper Validation of Consistency within Input | This vulnerability occurs when an application accepts structured input containing multiple related fields but fails to verify that the values across those fields are logically consistent with each other. |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | This vulnerability occurs when an application accepts user input as a reference (like a file path or resource identifier) but fails to properly check if that input is functionally equivalent to a dangerous or restricted value. |
| CWE-179 | Incorrect Behavior Order: Early Validation | This vulnerability occurs when an application validates user input before applying security filters or data normalization. Attackers can exploit this order of operations by submitting specially crafted input that passes the initial validation but becomes malicious after the application's filters or canonicalization processes modify it. |
| CWE-183 | Permissive List of Allowed Inputs | This vulnerability occurs when an application's security filter uses an allowlist that is too broad, mistakenly permitting dangerous inputs that should have been blocked. The flawed assumption that everything on the list is safe creates a direct path for attackers to exploit the system. |
| CWE-184 | Incomplete List of Disallowed Inputs | This vulnerability occurs when a security filter or validation mechanism relies on a 'denylist'—a predefined list of forbidden inputs—but that list is missing critical entries. Attackers can bypass the protection by using variations or inputs the developers didn't anticipate. |
| CWE-606 | Unchecked Input for Loop Condition | This vulnerability occurs when an application fails to properly validate or limit user-supplied values that control loop iterations. Without these checks, malicious input can force the program into an endless or excessively long loop, consuming system resources and leading to denial of service or application instability. |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | This vulnerability occurs when an application creates file or resource names using unvalidated user input, failing to properly limit what characters or paths can be used. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.