Validate Inputs
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs, so as to keep malformed data from entering the system and to prevent code injection through the input data. If they are not addressed when designing or implementing a secure architecture, the weaknesses in this category can degrade the quality of the data flowing through the system.
Weaknesses
The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the...
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
The software does not adequately filter user-controlled input for special elements with control implications.
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or...
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutraliz...
The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource t...
The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process th...
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an un...
The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, ...
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF...
The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neu...
The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly ne...
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluatio...
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable...
The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, met...
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other us...
The software generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) ...
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control ele...
The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes speci...
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or...
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes sp...
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutraliz...
The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting...
The software receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.
The software receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream compo...
The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.
The software receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.
The software receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that ...
The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing remainin...
The software receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; ...
A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the appli...
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is ...
Concepts
This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be ma...
See Also
- A Catalog of Security Architecture Weaknesses. 2017 IEEE International Conference on Software Architecture (ICSA).
- Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird. 2017 IEEE International Conference on Software Architecture (ICSA).
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.