CWE-116 Classe Rascunho High likelihood

Improper Encoding or Escaping of Output

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because…

Definição

What is CWE-116?

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because the output's structure isn't preserved, an attacker can inject malicious instructions that the receiving component will execute.
Structured messages, such as HTTP requests, database queries, or API calls, mix raw data with control characters and metadata. If you directly insert user input into these messages without encoding special characters, the receiving system can misinterpret the data as a command. For example, an unescaped quote in a SQL query could end a string and allow arbitrary code execution, turning a simple data field into a backdoor. This flaw is a primary cause of injection attacks like XSS, SQLi, and command injection. While SAST tools can detect the vulnerable pattern, managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by using AI to suggest the precise encoding function or parameterized query needed for your specific context.
Impacto no mundo real

Real-world CVEs caused by CWE-116

  • CVE-2021-41232

    Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90)

  • CVE-2008-4636

    OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed.

  • CVE-2008-0769

    Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.

  • CVE-2008-0005

    Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.

  • CVE-2008-5573

    SQL injection via password parameter; a strong password might contain "&"

  • CVE-2008-3773

    Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters.

  • CVE-2008-0757

    Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content.

Como os atacantes a exploram

Trajeto do atacante passo a passo

  1. 1

    This code displays an email address that was submitted as part of a form.

  2. 2

    The value read from the form parameter is reflected back to the client browser without having been encoded prior to output, allowing various XSS attacks (CWE-79).

  3. 3

    Consider a chat application in which a front-end web application communicates with a back-end server. The back-end is legacy code that does not perform authentication or authorization, so the front-end must implement it. The chat protocol supports two commands, SAY and BAN, although only administrators can use the BAN command. Each argument must be separated by a single space. The raw inputs are URL-encoded. The messaging protocol allows multiple commands to be specified on the same line if they are separated by a "|" character.

  4. 4

    First let's look at the back end command processor code

  5. 5

    The front end web application receives a command, encodes it for sending to the server, performs the authorization check, and sends the command to the server.

Exemplo de código vulnerável

Vulnerable JSP

This code displays an email address that was submitted as part of a form.

Vulnerável JSP 
<% String email = request.getParameter("email"); %>
  ...
  Email Address: <%= email %>
Payload do atacante

It is clear that, while the protocol and back-end allow multiple commands to be sent in a single request, the front end only intends to send a single command. However, the UrlEncode function could leave the "|" character intact. If an attacker provides:

Payload do atacante 
SAY hello world|BAN user12
Exemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção

How to prevent CWE-116

  • Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
  • Architecture and Design If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
  • Architecture and Design / Implementation Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
  • Architecture and Design In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
  • Architecture and Design Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
  • Requirements Fully specify which encodings are required by components that will be communicating with each other.
  • Implementation When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
Sinais de deteção

How to detect CWE-116

Automated Static Analysis Moderate

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Automated Dynamic Analysis

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Correção automática do Plexicus

O Plexicus deteta automaticamente o CWE-116 e abre um PR de correção em menos de 60 segundos.

O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.

Obter uma demonstração Experimente o Plexicus gratuitamente
Perguntas frequentes

Frequently asked questions

O que é o CWE-116?

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because the output's structure isn't preserved, an attacker can inject malicious instructions that the receiving component will execute.

Qual a gravidade do CWE-116?

A MITRE classifica a probabilidade de exploração como Alta — esta fraqueza é ativamente explorada em campo e deve ser priorizada para remediação.

Que linguagens ou plataformas são afetadas pelo CWE-116?

MITRE lists the following affected platforms: AI/ML, Database Server, Web Server.

Como posso prevenir o CWE-116?

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability. If available, use structured mechanisms…

Como é que o Plexicus deteta e corrige o CWE-116?

O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-116 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.

Onde posso saber mais sobre o CWE-116?

A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/116.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.

Fraquezas relacionadas

Weaknesses related to CWE-116

CWE-707 Pai

Improper Neutralization

This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external…

CWE-138 Irmão

Improper Neutralization of Special Elements

This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have…

CWE-1426 Irmão

Improper Validation of Generative AI Output

This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before…

CWE-170 Irmão

Improper Null Termination

This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.

CWE-172 Irmão

Encoding Error

This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted…

CWE-182 Irmão

Collapse of Data into Unsafe Value

This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information,…

CWE-20 Irmão

Improper Input Validation

This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and…

CWE-228 Irmão

Improper Handling of Syntactically Invalid Structure

This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure,…

CWE-240 Irmão

Improper Handling of Inconsistent Structural Elements

This vulnerability occurs when a system fails to properly manage situations where related data structures or elements should match but are…

Recursos

Further reading

Pronto quando você estiver

Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.

O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.

Começar grátis Reservar uma demo