CWE List (Version 1.0.1): Individual Dictionary Definition

CWE-116: Insufficient Output Sanitization

Insufficient Output Sanitization
Status: Draft
Weakness ID: 116 (Weakness Class)
Description
Summary

The software does not sufficiently sanitize output before it is sent to a different control sphere.

Demonstrative Examples

Here, a value read from an HTML form parameter is reflected back to the client browser without being sanitized (encoded for the HTML output context) prior to output.

Java Example:
<% String email = request.getParameter("email"); %>
...
Email Address: <%= email %>
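The following is an added example, not part of the CWE entry or of any MITRE code: it places the reflection pattern from the JSP above beside a version that encodes the parameter for the HTML body context before writing it to the response. The class name, the helper htmlEncode, and the sample parameter value are assumptions constructed for the illustration.

```java
// Added example (not from the CWE entry): encoding a request parameter for
// the HTML context before it is reflected, versus echoing it unencoded.
public class OutputEncodingExample {

    // Replace the five characters that carry meaning in HTML text and
    // attribute contexts with their entity forms. Everything else passes
    // through unchanged, so legitimate input is preserved.
    public static String htmlEncode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Mirrors the page's JSP: the parameter value is written straight into
    // the response body, so any markup it contains reaches the browser as-is.
    public static String renderUnsafe(String email) {
        return "Email Address: " + email;
    }

    // Corrected version: the value is encoded for the HTML body context at
    // the point where it leaves the application's control sphere.
    public static String renderEncoded(String email) {
        return "Email Address: " + htmlEncode(email);
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for request.getParameter("email").
        String email = "<b>user@example.com</b>";
        System.out.println(renderUnsafe(email));   // markup is emitted verbatim
        System.out.println(renderEncoded(email));  // markup is rendered as text
    }
}
```

In the JSP itself the equivalent change is `<%= htmlEncode(email) %>`, or the JSTL `<c:out value="${param.email}"/>` tag, which escapes XML-significant characters by default. The encoder above is specific to the HTML body and attribute contexts; the child weaknesses listed under Relationships (CWE-117 for logs, CWE-644 for HTTP headers) are the same failure at sinks that need their own, different sanitization.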
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000
ChildOf | Category | 19 | Data Handling | Development Concepts (primary) 699
ParentOf | Weakness Base | 117 | Incorrect Output Sanitization for Logs | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 644 | Insufficient Sanitization of HTTP Headers for Scripting Syntax | Development Concepts (primary) 699; Research Concepts (primary) 1000
Applicable Platforms
Languages
All
Time of Introduction
* Architecture and Design
* Implementation
* Operation
Related Attack Patterns
CAPEC-ID (CAPEC Version 1.1) | Attack Pattern Name
81 | Web Logs Tampering
63 | Simple Script Injection
18 | Embedding Scripts in Nonscript Elements
73 | User-Controlled Filename
85 | Client Network Footprinting (using AJAX/XSS)
86 | Embedding Script (XSS) in HTTP Headers
Content History
Modifications
Sean Eidemiller. Cigital. 2008-07-01. (External)
added/updated demonstrative examples
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Name, Relationships
Previous Entry Names
* Output Validation (changed 2008-04-11)
* Incorrect Output Sanitization (changed 2008-09-09)
Page Last Updated: October 16, 2008