CWE-116 Detail

CWE-116

Improper Encoding or Escaping of Output
HIGH
Draft
2006-07-19 00:00 +00:00
2024-07-16 00:00 +00:00

Alerte pour un CWE

Stay informed of any changes for a specific CWE.
Alert management

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Extended Description

Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead.

Most products follow a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1").

If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly.

Informations

Modes Of Introduction

Implementation
Operation

Applicable Platforms

Language

Class: Not Language-Specific (Often)

Technologies

Name: AI/ML (Undetermined)
Name: Database Server (Often)
Name: Web Server (Often)

Common Consequences

Scope Impact Likelihood
IntegrityModify Application Data

Note: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
Integrity
Confidentiality
Availability
Access Control
Execute Unauthorized Code or Commands

Note: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
ConfidentialityBypass Protection Mechanism

Note: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.

Observed Examples

Reference Description
CVE-2021-41232Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90)
CVE-2008-4636OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed.
CVE-2008-0769Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
CVE-2008-0005Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
CVE-2008-5573SQL injection via password parameter; a strong password might contain "&"
CVE-2008-3773Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters.
CVE-2008-0757Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content.

Potential Mitigations

Phases : Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.

Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.


Phases : Architecture and Design

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.


Phases : Architecture and Design // Implementation
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
Phases : Architecture and Design
In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
Phases : Architecture and Design
Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Phases : Requirements
Fully specify which encodings are required by components that will be communicating with each other.
Phases : Implementation
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

Detection Methods

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
Effectiveness : Moderate

Automated Dynamic Analysis

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Vulnerability Mapping Notes

Rationale : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comments : Examine children of this entry to see if there is a better fit

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-104 Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-73 User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-81 Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-85 AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.

Notes

This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.

CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.

However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name "O'Reilly" would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.


The usage of the "encoding" and "escaping" terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the "escape" JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.
This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.
While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.

References

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
http://www.owasp.org/index.php/ESAPI

REF-46

Output Sanitization
Joshbw.
https://web.archive.org/web/20081208054333/http://analyticalengine.net/archives/58

REF-47

Sanitizing user data: How and where to do it
Niyaz PK.
https://web.archive.org/web/20090105222005/http://www.diovo.com/2008/09/sanitizing-user-data-how-and-where-to-do-it/

REF-48

Input validation or output filtering, which is better?
Jeremiah Grossman.
https://blog.jeremiahgrossman.com/2007/01/input-validation-or-output-filtering.html

REF-49

Input Validation - Not That Important
Jim Manico.
https://manicode.blogspot.com/2008/08/input-validation-not-that-important.html

REF-50

Preventing XSS with Correct Output Encoding
Michael Eddington.
http://phed.org/2008/05/19/preventing-xss-with-correct-output-encoding/

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

Submission

Name Organization Date Date Release Version
CWE Community 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Name, Relationships
CWE Content Team MITRE 2009-01-12 +00:00 updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes, Theoretical_Notes
CWE Content Team MITRE 2009-03-10 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2009-05-27 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2009-07-27 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2009-10-29 +00:00 updated Relationships
CWE Content Team MITRE 2009-12-28 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings
CWE Content Team MITRE 2010-04-05 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2010-06-21 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2011-03-29 +00:00 updated Relationship_Notes, Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-09-13 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-06-23 +00:00 updated References
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-05-03 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2021-03-15 +00:00 updated Relationships, Terminology_Notes
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-07-16 +00:00 updated Applicable_Platforms
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.