Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead.
Most products follow a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1").
If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly.
Scope | Impact | Likelihood |
---|---|---|
Integrity | Modify Application Data Note: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. | |
Integrity Confidentiality Availability Access Control | Execute Unauthorized Code or Commands Note: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. | |
Confidentiality | Bypass Protection Mechanism Note: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted. |
Reference | Description |
---|---|
Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90) | |
OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed. | |
Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding. | |
Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding. | |
SQL injection via password parameter; a strong password might contain "&" | |
Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters. | |
Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content. |
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-104 | Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. |
CAPEC-73 | User-Controlled Filename An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities. |
CAPEC-81 | Web Server Logs Tampering Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application. |
CAPEC-85 | AJAX Footprinting This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS. |
CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.
However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name "O'Reilly" would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.
Name | Organization | Date | Date Release | Version |
---|---|---|---|---|
CWE Community | Draft 3 |
Name | Organization | Date | Comment |
---|---|---|---|
Sean Eidemiller | Cigital | added/updated demonstrative examples | |
Eric Dalci | Cigital | updated Time_of_Introduction | |
CWE Content Team | MITRE | updated Name, Relationships | |
CWE Content Team | MITRE | updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes, Theoretical_Notes | |
CWE Content Team | MITRE | updated Description, Potential_Mitigations | |
CWE Content Team | MITRE | updated Related_Attack_Patterns | |
CWE Content Team | MITRE | updated Demonstrative_Examples | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Demonstrative_Examples, Potential_Mitigations | |
CWE Content Team | MITRE | updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Relationship_Notes, Relationships | |
CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated References, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated References | |
CWE Content Team | MITRE | updated Demonstrative_Examples, Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Related_Attack_Patterns | |
CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated References | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations | |
CWE Content Team | MITRE | updated Relationships, Terminology_Notes | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Observed_Examples | |
CWE Content Team | MITRE | updated Description | |
CWE Content Team | MITRE | updated References, Relationships, Time_of_Introduction | |
CWE Content Team | MITRE | updated Mapping_Notes | |
CWE Content Team | MITRE | updated Applicable_Platforms |