Category: OWASP Top Ten 2021 Category A03:2021 - Injection
Incomplete
Summary
Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top Ten 2021.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | This vulnerability occurs when an application accepts user-supplied data and includes it directly in HTTP headers without properly filtering out carriage return (CR) and line feed (LF) characters. This allows an attacker to inject new headers or split a single HTTP response into two separate responses, corrupting the intended communication flow. |
| CWE-116 | Improper Encoding or Escaping of Output | This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because the output's structure isn't preserved, an attacker can inject malicious instructions that the receiving component will execute. |
| CWE-138 | Improper Neutralization of Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have specific meanings in the target interpreter or protocol. This allows attackers to inject control elements that alter how downstream components process the data. |
| CWE-184 | Incomplete List of Disallowed Inputs | This vulnerability occurs when a security filter or validation mechanism relies on a 'denylist'—a predefined list of forbidden inputs—but that list is missing critical entries. Attackers can bypass the protection by using variations or inputs the developers didn't anticipate. |
| CWE-20 | Improper Input Validation | This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and correctly formatted before using it. This missing or flawed validation check allows malicious or malformed inputs to disrupt the application's logic or security. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide which class to load or which method to execute via reflection. An attacker can manipulate this input to force the application to load unexpected, potentially malicious code. |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | This vulnerability occurs when an application fails to protect data it assumes cannot be changed, allowing an attacker to alter it. |
| CWE-564 | SQL Injection: Hibernate | This vulnerability occurs when an application uses Hibernate to construct dynamic SQL queries with unsanitized user input, allowing an attacker to alter the query's logic or execute unauthorized SQL commands. |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | This vulnerability occurs when an application uses user-supplied input to reference a resource located outside its intended security boundary, allowing attackers to redirect operations to unintended locations. |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | XPath Injection occurs when an application uses unvalidated user input to build an XPath query for an XML database. Without proper sanitization, attackers can manipulate the query's structure. |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | This vulnerability occurs when an application fails to properly sanitize or escape user-controlled data placed within HTTP response headers. Malicious scripting syntax can then be injected and executed by client-side components like Flash that process raw headers. |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | XQuery Injection occurs when an application uses unvalidated user input to build an XQuery expression for querying an XML database. Without proper neutralization, an attacker can manipulate the query's structure. |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it. |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | This vulnerability occurs when an application fails to properly filter or encode user-supplied data containing special characters or commands that can be interpreted in a different context, such as a command shell, file system, or data format. |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | This vulnerability occurs when an application builds a system command using untrusted user input without properly sanitizing it. An attacker can inject their own commands by inserting special characters or code, tricking the application into executing unintended and potentially harmful actions on the underlying system. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system. |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | This vulnerability occurs when a web application fails to properly sanitize or encode user-supplied input before displaying it on a webpage viewed by other users. |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | This vulnerability, commonly known as Basic Cross-Site Scripting (XSS), occurs when a web application fails to properly sanitize user input containing HTML and JavaScript tags. When untrusted data containing characters like <, >, and & is rendered directly into a webpage, a browser may execute it as active code, not just display it as text. |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | This vulnerability occurs when a web application fails to properly sanitize or block JavaScript URIs (like 'javascript:') within HTML tag attributes. Attackers can inject malicious code into attributes such as onmouseover, onload, onerror, or style, leading to cross-site scripting (XSS) attacks when the page renders. |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | This vulnerability occurs when an application fails to properly sanitize user-supplied input that uses alternative methods to execute cross-site scripting (XSS) attacks. |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | This vulnerability occurs when an application builds a command string for execution by another component, but fails to properly separate or 'neutralize' the intended arguments. This allows an attacker to inject additional command-line arguments, options, or switches by including argument-separating characters (like spaces or dashes) in untrusted input. |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an attacker to insert malicious SQL code that the database executes, potentially letting them view, modify, or delete sensitive data. |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | This vulnerability occurs when an application builds an LDAP query using untrusted user input without properly sanitizing it. An attacker can inject special characters or commands to alter the query's logic, potentially gaining unauthorized access to, modifying, or extracting sensitive directory information. |
| CWE-91 | XML Injection (aka Blind XPath Injection) | XML Injection occurs when an application fails to properly validate or escape user-controlled input before including it in XML documents or queries. This allows attackers to inject malicious XML elements or syntax, potentially altering the document's structure, extracting sensitive data, or disrupting processing logic. |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | Expression Language Injection occurs when an application uses untrusted, external input to build an expression language statement—common in frameworks like Java Server Pages (JSP)—without properly sanitizing it. This allows an attacker to inject malicious expressions that alter the intended logic and execute arbitrary code when the statement is processed. |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | This vulnerability occurs when an application uses carriage return and line feed characters (CRLF) to structure data, like separating lines or records, but fails to properly sanitize these sequences from user-supplied input before processing. |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an attacker can inject special characters or commands that alter the intended code's logic or syntax. |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | This vulnerability occurs when an application takes user input and passes it directly into a dynamic code execution function, like eval(), without properly sanitizing it. This allows an attacker to inject and execute arbitrary code within the application's context. |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Static Code Injection occurs when an application incorporates unvalidated or improperly sanitized user input directly into a static, executable resource like a configuration file, template, or library. Because this input is saved and later executed, it allows an attacker to inject malicious code that becomes a permanent part of the application's logic. |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | This vulnerability occurs when a web application dynamically generates pages but fails to properly sanitize user-supplied input that could be interpreted as server-side include (SSI) commands, allowing an attacker to inject malicious directives. |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | This vulnerability occurs when a PHP application uses unvalidated or insufficiently restricted user input directly within file inclusion functions like require() or include(). |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | This vulnerability occurs when an application accepts user input as a resource identifier (like a file path or port number) without proper validation, allowing an attacker to access or manipulate resources outside the intended scope. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.