Data Neutralization Issues

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

The product constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, o...

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF ...

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neut...

The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neu...

The product does not neutralize or incorrectly neutralizes delimiters.

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable ...

The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could ...

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an u...

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes...

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes...

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

The product does not neutralize or incorrectly neutralizes output that is written to logs.

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected...

The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.

The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that m...

The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is p...

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...