OWASP Top Ten 2004 Category A1 - Unvalidated Input

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004.

Weaknesses

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buf...

Client-Side Enforcement of Server-Side Security

The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

Collapse of Data into Unsafe Value

The software filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

Improper Handling of Additional Special Element

The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.

Improper Handling of Missing Special Element

The software receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process th...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other us...

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes sp...

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutraliz...

Incorrect Behavior Order: Early Validation

The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs t...

Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.

Incorrect Behavior Order: Validate Before Filter

The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step.

Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are as...

Struts: Duplicate Validation Forms

The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

Struts: Form Bean Does Not Extend Validation Class

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input valid...

Struts: Incomplete validate() Method Definition

The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

Struts: Plug-in Framework not in Use

When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient ...

Struts: Validator Turned Off

Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weakn...

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Concepts

Deprecated or Obsolete

Weaknesses in OWASP Top Ten (2004)

CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is consid...

See Also

  1. A1 Unvalidated Input

    OWASP


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.