Validate Inputs

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Weaknesses

Acceptance of Extraneous Untrusted Data With Trusted Data

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the...

Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

The software does not adequately filter user-controlled input for special elements with control implications.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or...

Improper Control of Generation of Code ('Code Injection')

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutraliz...

Improper Control of Resource Identifiers ('Resource Injection')

The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource t...

Improper Filtering of Special Elements

The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process th...

Improper Link Resolution Before File Access ('Link Following')

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an un...

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, ...

Improper Neutralization of CRLF Sequences ('CRLF Injection')

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF...

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neu...

Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly ne...

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluatio...

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable...

Improper Neutralization of Equivalent Special Elements

The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

Improper Neutralization of Escape, Meta, or Control Sequences

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, met...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other us...

Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

The software generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) ...

Improper Neutralization of Special Elements

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control ele...

Improper Neutralization of Special Elements in Data Query Logic

The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes speci...

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or...

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes sp...

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutraliz...

Improper Restriction of Names for Files and Other Resources

The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting...

Incomplete Filtering of Multiple Instances of Special Elements

The software receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.

Incomplete Filtering of One or More Instances of Special Elements

The software receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream compo...

Incomplete Filtering of Special Elements

The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.

Only Filtering One Instance of a Special Element

The software receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.

Only Filtering Special Elements at a Specified Location

The software receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that ...

Only Filtering Special Elements at an Absolute Position

The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing remainin...

Only Filtering Special Elements Relative to a Marker

The software receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; ...

PHP External Variable Modification

A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the appli...

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

XML Injection (aka Blind XPath Injection)

The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is ...

Concepts

Architectural Concepts

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be ma...

See Also

  1. A Catalog of Security Architecture Weaknesses.

    2017 IEEE International Conference on Software Architecture (ICSA)

  2. Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird.

    2017 IEEE International Conference on Software Architecture (ICSA)


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.