CWE-838 Detail

CWE-838

Inappropriate Encoding for Output Context
Incomplete
2011-03-30
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifiche per un CWE specifico
Rimani informato su qualsiasi modifica relativa a un CWE specifico.
Gestione notifiche

Nome: Inappropriate Encoding for Output Context

The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

General Informations

Modes Of Introduction

Implementation

Piattaforme applicabili

Linguaggio

Class: Not Language-Specific (Undetermined)

Conseguenze comuni

Ambito Impatto Probabilità
Integrity
Confidentiality
Availability		Modify Application Data, Execute Unauthorized Code or Commands

Note: An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

Esempi osservati

Riferimenti Descrizione

CVE-2009-2814

Server does not properly handle requests that do not contain UTF-8 data; browser assumes UTF-8, allowing XSS.

Potential Mitigations

Phases : Implementation
Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component.
Phases : Architecture and Design
Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support.
Phases : Architecture and Design

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Note sulla mappatura delle vulnerabilità

Giustificazione : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commento : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Pattern di attacco correlati

CAPEC-ID Nome del pattern di attacco
CAPEC-468 Generic Cross-Browser Cross-Domain Theft
An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.

Riferimenti

REF-786

Injection-safe templating languages
Jim Manico.
https://manicode.blogspot.com/2010/06/injection-safe-templating-languages_30.html

REF-787

Can we please stop saying that XSS is boring and easy to fix!
Dinis Cruz.
http://diniscruz.blogspot.com/2010/09/can-we-please-stop-saying-that-xss-is.html

REF-788

Canoe: XSS prevention via context-aware output encoding
Ivan Ristic.
https://blog.ivanristic.com/2010/09/introducing-canoe-context-aware-output-encoding-for-xss-prevention.html

REF-789

What is the Future of Automated XSS Defense Tools?
Jim Manico.
http://software-security.sans.org/downloads/appsec-2011-files/manico-appsec-future-tools.pdf

REF-709

XSS Attacks
Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie.

REF-725

DOM based XSS Prevention Cheat Sheet
OWASP.
http://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

Invio

Nome Organizzazione Data Data di rilascio Version
CWE Content Team MITRE 2011-03-24 +00:00 2011-03-30 +00:00 1.12

Modifiche

Nome Organizzazione Data Commento
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated References, Taxonomy_Mappings
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Time_of_Introduction, Weakness_Ordinalities
Le informazioni presentate su CVE Find provengono da diverse fonti di riferimento attentamente selezionate. I dati CVE sono forniti da MITRE Corporation e dal National Vulnerability Database (NVD). Il catalogo delle vulnerabilità sfruttate conosciute (KEV) proviene dalla Cybersecurity and Infrastructure Security Agency (CISA), mentre i punteggi EPSS provengono da FIRST.org. Inoltre, i dati relativi alle vulnerabilità software (CWE) e ai pattern di attacco comuni (CAPEC) sono mantenuti da MITRE Corporation, e le informazioni sulle configurazioni hardware e software (CPE) sono fornite da NVD.