Comprehensive Categorization: Improper Neutralization
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to improper neutralization.
Weaknesses
The accidental addition of a data-structure sentinel can cause serious programming logic problems.
The accidental deletion of a data-structure sentinel can cause serious programming logic problems.
The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.
The product does not properly encode or decode the data, resulting in unexpected values.
The product does not properly handle when a particular element is not completely specified.
If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments c...
The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a re...
The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.
The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.
The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.
The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.
The product does not handle or incorrectly handles when more values are provided than expected.
The product does not handle or incorrectly handles when a particular structural element is not completely specified.
The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.
The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.
The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect...
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the as...
The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.
The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank...
The product does not properly handle when the same input uses several different (mixed) encodings.
The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
The product does not handle or incorrectly handles inputs that are related to complex structures.
The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.
The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.
The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
The product does not properly handle when an input contains Unicode encoding.
The product does not properly handle when all or part of an input has been URL encoded.
The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment deli...
The product does not neutralize or incorrectly neutralizes delimiters.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression o...
The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers...
The product does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be a...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input termin...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in une...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unex...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimit...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbol...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpret...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interprete...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpret...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downs...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or...
Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to ta...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delim...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section deli...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elem...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in une...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimi...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable nam...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace w...
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or...
The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
The product does not neutralize or incorrectly neutralizes output that is written to logs.
The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected...
The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.
The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream compon...
The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.
The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.
The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that m...
The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing remaining...
The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; t...
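Two of the entries above, "decodes the same input twice" and "only filters a single instance of a special element" (together with its "does not completely filter" sibling), are easy to reproduce in a few lines. The following is an added example and is not part of the CWE listing or any MITRE material: each vulnerable check is shown beside a hardened one, run on constructed input. Function names are illustrative; the only library call is the standard `urllib.parse.unquote`.

```python
"""Added example, not part of the CWE listing: two neutralization failures from
this category reproduced on constructed input, each beside a hardened variant.
Function names are illustrative; the only library used is the standard
urllib.parse.unquote (percent-decoding)."""
from typing import Optional
from urllib.parse import unquote

# Constructed inputs. The first is double-percent-encoded "../etc/passwd":
# "%25" is the encoding of "%", so one decode yields "%2e%2e%2fetc%2fpasswd".
DOUBLE_ENCODED = "%252e%252e%252fetc%252fpasswd"
# The second is built so that removing one "../" leaves another behind.
NESTED_TRAVERSAL = "....//etc/passwd"


# 1. "Decodes the same input twice": the check runs between two decodes.
def decode_check_decode(raw: str) -> Optional[str]:
    """Vulnerable: validates the once-decoded value, then decodes again.
    Returns the string the downstream component would receive, or None
    when the check rejects the input."""
    once = unquote(raw)
    if ".." in once:
        return None          # the check never sees ".." for double-encoded input
    return unquote(once)     # second decode reintroduces ".." after the check


def decode_once_then_check(raw: str) -> Optional[str]:
    """Hardened: decode exactly once, reject anything that still looks encoded,
    and hand the checked value (not a re-decoded one) downstream."""
    value = unquote(raw)
    if "%" in value or ".." in value:
        return None
    return value


# 2. "Only filters a single instance" / "does not completely filter".
def strip_first_traversal(path: str) -> str:
    """Vulnerable: removes the first "../" only; nested input survives."""
    return path.replace("../", "", 1)


def strip_all_traversal_once(path: str) -> str:
    """Still vulnerable: one non-recursive pass can leave a new "../"
    assembled from the remains on either side of a removed one."""
    return path.replace("../", "")


def strip_traversal_to_fixpoint(path: str) -> str:
    """Hardened stripping: repeat until no occurrence remains. Rejecting the
    input outright (see reject_traversal) is usually the better choice."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def reject_traversal(path: str) -> Optional[str]:
    """Hardened: refuse rather than repair."""
    return None if "../" in path else path


if __name__ == "__main__":
    print(decode_check_decode(DOUBLE_ENCODED))            # ../etc/passwd
    print(decode_once_then_check(DOUBLE_ENCODED))         # None
    print(strip_first_traversal(NESTED_TRAVERSAL))        # ../etc/passwd
    print(strip_all_traversal_once(NESTED_TRAVERSAL))     # ../etc/passwd
    print(strip_traversal_to_fixpoint(NESTED_TRAVERSAL))  # etc/passwd
    print(reject_traversal(NESTED_TRAVERSAL))             # None
```

The common thread is that the value a check inspects must be the value the downstream component consumes: decode once and validate that result, and where a special element has to be removed, either iterate to a fixpoint or, preferably, reject the input instead of trying to repair it.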
Concepts
This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...
See Also
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.