CWE-116 Class Draft High likelihood

Improper Encoding or Escaping of Output

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because…

Definition

What is CWE-116?

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because the output's structure isn't preserved, an attacker can inject malicious instructions that the receiving component will execute.
Structured messages, such as HTTP requests, database queries, or API calls, mix raw data with control characters and metadata. If you directly insert user input into these messages without encoding special characters, the receiving system can misinterpret the data as a command. For example, an unescaped quote in a SQL query could end a string and allow arbitrary code execution, turning a simple data field into a backdoor. This flaw is a primary cause of injection attacks like XSS, SQLi, and command injection. While SAST tools can detect the vulnerable pattern, managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by using AI to suggest the precise encoding function or parameterized query needed for your specific context.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-116

  • CVE-2021-41232

    Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90)

  • CVE-2008-4636

    OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed.

  • CVE-2008-0769

    Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.

  • CVE-2008-0005

    Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.

  • CVE-2008-5573

    SQL injection via password parameter; a strong password might contain "&"

  • CVE-2008-3773

    Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters.

  • CVE-2008-0757

    Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    This code displays an email address that was submitted as part of a form.

  2. 2

    The value read from the form parameter is reflected back to the client browser without having been encoded prior to output, allowing various XSS attacks (CWE-79).

  3. 3

    Consider a chat application in which a front-end web application communicates with a back-end server. The back-end is legacy code that does not perform authentication or authorization, so the front-end must implement it. The chat protocol supports two commands, SAY and BAN, although only administrators can use the BAN command. Each argument must be separated by a single space. The raw inputs are URL-encoded. The messaging protocol allows multiple commands to be specified on the same line if they are separated by a "|" character.

  4. 4

    First let's look at the back end command processor code

  5. 5

    The front end web application receives a command, encodes it for sending to the server, performs the authorization check, and sends the command to the server.

Verwundbares Codebeispiel

Vulnerable JSP

This code displays an email address that was submitted as part of a form.

Verwundbar JSP 
<% String email = request.getParameter("email"); %>
  ...
  Email Address: <%= email %>
Angreifer-Payload

It is clear that, while the protocol and back-end allow multiple commands to be sent in a single request, the front end only intends to send a single command. However, the UrlEncode function could leave the "|" character intact. If an attacker provides:

Angreifer-Payload 
SAY hello world|BAN user12
Sicheres Codebeispiel

Secure pseudo

Sicher pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-116

  • Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
  • Architecture and Design If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
  • Architecture and Design / Implementation Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
  • Architecture and Design In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
  • Architecture and Design Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
  • Requirements Fully specify which encodings are required by components that will be communicating with each other.
  • Implementation When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
Erkennungssignale

How to detect CWE-116

Automated Static Analysis Moderate

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Automated Dynamic Analysis

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Plexicus Auto-Fix

Plexicus erkennt CWE-116 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-116?

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because the output's structure isn't preserved, an attacker can inject malicious instructions that the receiving component will execute.

Wie gravierend ist CWE-116?

MITRE stuft die Exploit-Wahrscheinlichkeit als hoch ein — diese Schwachstelle wird aktiv in freier Wildbahn ausgenutzt und sollte priorisiert behoben werden.

Welche Sprachen oder Plattformen sind von CWE-116 betroffen?

MITRE lists the following affected platforms: AI/ML, Database Server, Web Server.

Wie kann ich CWE-116 verhindern?

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability. If available, use structured mechanisms…

Wie erkennt und behebt Plexicus CWE-116?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-116 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-116?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/116.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-116

CWE-707 Parent

Improper Neutralization

This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external…

CWE-138 Sibling

Improper Neutralization of Special Elements

This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have…

CWE-1426 Sibling

Improper Validation of Generative AI Output

This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before…

CWE-170 Sibling

Improper Null Termination

This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.

CWE-172 Sibling

Encoding Error

This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted…

CWE-182 Sibling

Collapse of Data into Unsafe Value

This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information,…

CWE-20 Sibling

Improper Input Validation

This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and…

CWE-228 Sibling

Improper Handling of Syntactically Invalid Structure

This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure,…

CWE-240 Sibling

Improper Handling of Inconsistent Structural Elements

This vulnerability occurs when a system fails to properly manage situations where related data structures or elements should match but are…

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen