Weaknesses in this category are related to improper input validation.
| ID | Name | Description |
|---|---|---|
| CWE-105 | Struts: Form Field Without Validator | This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to unverified user input. |
| CWE-106 | Struts: Plug-in Framework not in Use | This weakness occurs when a Struts application does not use the framework's structured input validation mechanism, the Struts Validator plug-in. Skipping it forces developers to write ad-hoc validation logic for each form, which is easy to get wrong or omit and so increases the risk of security flaws from improperly handled user input. |
| CWE-108 | Struts: Unvalidated Action Form | In Apache Struts, every Action Form that processes user input must have a corresponding validation form configured. Missing this validation exposes the application to unvalidated data. |
| CWE-109 | Struts: Validator Turned Off | This vulnerability occurs when an application built with Apache Struts intentionally disables its built-in validation framework. By turning off the Struts Validator bean, developers remove critical automatic input filtering and custom validation rules, leaving the application unprotected against malicious or malformed data. |
| CWE-112 | Missing XML Validation | This vulnerability occurs when an application processes XML data from an untrusted source without first validating its structure and content against a defined schema (such as an XML Schema or DTD). Checking only that the document is well-formed is not validation: it says nothing about which elements, attributes, or value ranges are acceptable. |
| CWE-1173 | Improper Use of Validation Framework | This vulnerability occurs when a software application either fails to use or incorrectly implements a built-in or library-provided input validation framework. |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | This vulnerability occurs when an ASP.NET application either completely bypasses the built-in model validation system or implements it incorrectly, allowing untrusted data to flow into the application without proper checks. |
| CWE-1284 | Improper Validation of Specified Quantity in Input | This vulnerability occurs when an application accepts user input meant to define a quantity, such as a number, size, or count, but fails to check that the value lies in an expected range (for example, non-negative and below a defined maximum) before using it to size an allocation, bound a loop, or drive a copy. |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | This vulnerability occurs when software accepts user input to determine a location, such as an array index, file position, or memory offset, but fails to check that the location falls within the bounds of the object it refers to before using it. The check must account for the length of the access as well as its starting point, and must be written so that the offset-plus-length arithmetic cannot wrap around before it is compared. |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | This vulnerability occurs when software expects input in a specific, well-structured format but fails to properly check that the incoming data actually follows those rules. |
| CWE-1287 | Improper Validation of Specified Type of Input | This vulnerability occurs when software expects a specific type of data as input but fails to properly check that the incoming data actually matches that type. |
| CWE-1288 | Improper Validation of Consistency within Input | This vulnerability occurs when an application accepts structured input containing multiple related fields but fails to verify that the values across those fields are logically consistent with each other. |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | This vulnerability occurs when an application accepts user input as a reference (like a file path or resource identifier) but fails to check whether that input is functionally equivalent to a dangerous or restricted value. Typical cases are alternate encodings, case variations, or trailing characters that a deny-list comparison does not match but that the underlying system resolves to the same restricted resource. |
| CWE-20 | Improper Input Validation | This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and correctly formatted before using it. This missing or flawed validation check allows malicious or malformed inputs to disrupt the application's logic or security. |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | This vulnerability occurs when an ASP.NET application fails to implement a structured input validation framework, relying instead on ad-hoc or missing validation checks. |
| CWE-606 | Unchecked Input for Loop Condition | This vulnerability occurs when an application fails to properly validate or limit user-supplied values that control loop iterations. Without these checks, malicious input can force the program into an endless or excessively long loop, consuming system resources and leading to denial of service or application instability. |
| CWE-622 | Improper Validation of Function Hook Arguments | This vulnerability occurs when an application adds monitoring or interception hooks to critical functions, but fails to properly check the arguments passed to those hooks. This lack of validation can allow attackers to inject malicious data, leading to security bypasses or system compromise. |
| CWE-781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code | This vulnerability occurs when a Windows driver defines an IOCTL using METHOD_NEITHER but fails to properly check the user-supplied buffer addresses before using them. With METHOD_NEITHER the I/O manager performs no buffering or probing, so the driver itself must probe the user addresses (for example with ProbeForRead and ProbeForWrite) and access them inside a structured exception handler; otherwise a user-mode caller can hand the driver arbitrary kernel addresses to read or write. |

Member of view: CWE-1400 Comprehensive Categorization for Software Assurance Trends.
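The quantity, offset and loop-bound weaknesses in the table (CWE-1284, CWE-1285 and CWE-606, with a truncated message as the syntactic case of CWE-1286) usually appear together in one piece of code: a parser that takes a count, offset or length from the message and uses it before checking it against the bytes actually present. The following C is an added example written for this page, not code from CWE or from any product. The message layout, the MAX_ENTRIES limit and the sample messages are constructed for illustration; the unchecked parser is deliberately vulnerable and the checked one shows the validation order a reviewer should look for.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed message layout (hypothetical, defined only for this example):
 *   [u16 count][count x (u16 offset, u16 length)][payload ...]
 * All fields are big-endian. Each (offset, length) pair names a slice of the
 * payload; the parser's job is to add up the bytes of every slice.
 */
#define MAX_ENTRIES 16   /* assumed protocol limit on entries per message */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable parser: count, offset and length are all taken on trust.
 * count drives unbounded work (CWE-1284, CWE-606), offset/length index the
 * payload unchecked (CWE-1285), and msglen is never consulted, so a
 * truncated message is read past its end (CWE-1286). */
uint32_t sum_slices_unchecked(const uint8_t *msg, size_t msglen) {
    (void)msglen;                                  /* the bug: length is ignored */
    uint16_t count = be16(msg);
    const uint8_t *payload = msg + 2 + 4 * (size_t)count;
    uint32_t sum = 0;
    for (uint16_t i = 0; i < count; i++) {
        uint16_t off = be16(msg + 2 + 4 * (size_t)i);
        uint16_t len = be16(msg + 4 + 4 * (size_t)i);
        for (uint16_t j = 0; j < len; j++)
            sum += payload[off + j];               /* out-of-bounds read */
    }
    return sum;
}

/* Hardened parser: returns the sum, or -1 if any field is inconsistent with
 * the bytes actually present. Every check happens before the value is used. */
int64_t sum_slices_checked(const uint8_t *msg, size_t msglen) {
    if (msg == NULL || msglen < 2) return -1;      /* header must be present */
    uint16_t count = be16(msg);
    if (count > MAX_ENTRIES) return -1;            /* CWE-1284: bound the quantity */
    size_t table_len = 2 + 4 * (size_t)count;
    if (table_len > msglen) return -1;             /* CWE-1286: entry table must fit */
    const uint8_t *payload = msg + table_len;
    size_t payload_len = msglen - table_len;
    uint32_t sum = 0;
    for (uint16_t i = 0; i < count; i++) {         /* CWE-606: at most MAX_ENTRIES iterations */
        size_t off = be16(msg + 2 + 4 * (size_t)i);
        size_t len = be16(msg + 4 + 4 * (size_t)i);
        /* CWE-1285: compare the offset first, then the length against what
         * remains, so off + len is never formed and cannot wrap around. */
        if (off > payload_len || len > payload_len - off) return -1;
        for (size_t j = 0; j < len; j++)
            sum += payload[off + j];
    }
    return sum;
}

/* Constructed sample messages. */
static const uint8_t GOOD_MSG[] = {
    0x00, 0x02,              /* count = 2 */
    0x00, 0x00, 0x00, 0x02,  /* slice 0: offset 0, length 2 */
    0x00, 0x02, 0x00, 0x01,  /* slice 1: offset 2, length 1 */
    0x0A, 0x14, 0x1E         /* payload: 10, 20, 30 -> slices sum to 60 */
};
/* Same as GOOD_MSG, but slice 1 claims length 0x1000 against a 3-byte payload. */
static const uint8_t BAD_LEN_MSG[] = {
    0x00, 0x02,
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x02, 0x10, 0x00,
    0x0A, 0x14, 0x1E
};
/* count = 0xFFFF: the entry table alone would be 262,146 bytes long. */
static const uint8_t BAD_COUNT_MSG[] = { 0xFF, 0xFF, 0x0A, 0x14 };
/* Header only, zero entries: valid, sums to 0. */
static const uint8_t EMPTY_MSG[] = { 0x00, 0x00 };

int main(void) {
    printf("good:       %lld\n", (long long)sum_slices_checked(GOOD_MSG, sizeof GOOD_MSG));
    printf("bad length: %lld\n", (long long)sum_slices_checked(BAD_LEN_MSG, sizeof BAD_LEN_MSG));
    printf("bad count:  %lld\n", (long long)sum_slices_checked(BAD_COUNT_MSG, sizeof BAD_COUNT_MSG));
    printf("truncated:  %lld\n", (long long)sum_slices_checked(GOOD_MSG, 9));
    return 0;
}
```

The two parsers agree on well-formed input; they differ only in what they do with the malformed cases, which is exactly where the table's weaknesses live. Note the ordering inside the hardened loop: the offset is compared on its own, and the length is compared against the remaining space rather than adding the two first, because `off + len` computed in a narrow or unsigned type can wrap and pass a naive `off + len <= payload_len` test.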