Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-74 Classe Incompleto
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or…
Definição
What is CWE-74?
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.
At its core, an injection flaw happens because software makes assumptions about what is data versus what is executable code or control syntax. When user-supplied input is not validated against these assumptions, an attacker can inject their own instructions into the data stream. This effectively tricks the downstream parser—like a database, OS shell, or interpreter—into executing those instructions, altering the program's normal control flow.
Unlike other vulnerabilities that might require multiple flaws to be chained together, injection attacks are direct. They exploit the legitimate data processing channels of an application. The attacker's payload is delivered as ordinary input data, but because it contains special, un-neutralized elements, it is misinterpreted as code. This makes injection a broad and critical class of issues, encompassing SQL injection, command injection, and many others, each requiring specific sanitization techniques for the target interpreter.
Impacto no mundo real
Real-world CVEs caused by CWE-74
-
API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts.
-
Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution.
-
Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
-
injection of sed script syntax ("sed injection")
-
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
-
Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability)
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
- 2
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
- 3
Which would result in $command being:
- 4
Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.
- 5
Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.
Exemplo de código vulnerável
Vulnerable PHP
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
$userName = $_POST["user"];
$command = 'ls -l /home/' . $userName;
system($command); Payload do atacante
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
;rm -rf / Exemplo de código seguro
Secure Perl
However, validate_name() allows filenames that begin with a "-". An adversary could supply a filename like "-aR", producing the "ls -l -aR" command (CWE-88), thereby getting a full recursive listing of the entire directory and all of its sub-directories. There are a couple possible mitigations for this weakness. One would be to refactor the code to avoid using system() altogether, instead relying on internal functions. Another option could be to add a "--" argument to the ls command, such as "ls -l --", so that any remaining arguments are treated as filenames, causing any leading "-" to be treated as part of a filename instead of another option. Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as:
if ($name =~ /^\w[\w\-]+$/) ... What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-74
- Requirements Programming languages and supporting technologies might be chosen which are not subject to these issues.
- Implementation Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Sinais de deteção
How to detect CWE-74
O Plexicus deteta automaticamente o CWE-74 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-74?
Qual a gravidade do CWE-74?
Que linguagens ou plataformas são afetadas pelo CWE-74?
Como posso prevenir o CWE-74?
Como é que o Plexicus deteta e corrige o CWE-74?
Onde posso saber mais sobre o CWE-74?
Frequently asked questions
O que é o CWE-74?
This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it.
Qual a gravidade do CWE-74?
A MITRE classifica a probabilidade de exploração como Alta — esta fraqueza é ativamente explorada em campo e deve ser priorizada para remediação.
Que linguagens ou plataformas são afetadas pelo CWE-74?
A MITRE não especificou as plataformas afetadas por este CWE — pode aplicar-se à maioria das stacks de aplicações.
Como posso prevenir o CWE-74?
Programming languages and supporting technologies might be chosen which are not subject to these issues. Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Como é que o Plexicus deteta e corrige o CWE-74?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-74 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-74?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/74.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-74
CWE-707 Pai
Improper Neutralization
This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external…
CWE-116 Irmão
Improper Encoding or Escaping of Output
This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but…
CWE-138 Irmão
Improper Neutralization of Special Elements
This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have…
CWE-1426 Irmão
Improper Validation of Generative AI Output
This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before…
CWE-170 Irmão
Improper Null Termination
This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.
CWE-172 Irmão
Encoding Error
This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted…
CWE-182 Irmão
Collapse of Data into Unsafe Value
This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information,…
CWE-20 Irmão
Improper Input Validation
This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and…
CWE-228 Irmão
Improper Handling of Syntactically Invalid Structure
This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure,…
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.