CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE List Version 2.8

CWE-138: Improper Neutralization of Special Elements

 
Weakness ID: 138 (Weakness Class)
Status: Draft
+ Description

Description Summary

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Extended Description

Most languages and protocols define special elements, such as characters and reserved words, that carry control implications for the component that parses them. If software lets an external party control or influence whether such special elements appear in the data it sends downstream, the downstream component may alter its behavior, and with it the program's control flow, from what was intended. For example, both Unix shells and the Windows command interpreter treat the symbol < ("less than") as an instruction to read input from a file, so a value containing < that is spliced into a command line is no longer plain data.
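
To make the shell case concrete, here is a constructed Python example added for this page; it is not part of the CWE entry. It assumes a POSIX /bin/sh and the echo utility, and the tainted value is made up. The same untrusted string is handed to the shell three ways: by string concatenation (the weakness), as a separate argv element, and through shlex.quote(); the three results show what neutralization does and does not do.

```python
"""Constructed example: one untrusted value sent to /bin/sh three ways.

Added for this page; not code from the CWE entry. Assumes a POSIX shell at
/bin/sh and the `echo` utility (both are assumptions of this example).
"""
import shlex
import subprocess

# Constructed attacker-controlled value: to the shell, ';' is a command
# separator, so the text after it is parsed as a second command.
TAINTED_LABEL = "report; echo INJECTED"


def run_unsafe(label: str) -> str:
    """Vulnerable (CWE-138): the value is concatenated into a shell command
    string, so its special elements (';', '<', '|', '$(...)', ...) are read
    by the shell as syntax rather than as data."""
    result = subprocess.run("echo " + label, shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_safe_argv(label: str) -> str:
    """Hardened: no shell is involved, so there is no downstream parser for
    the special elements to influence; the value travels as one argv entry."""
    result = subprocess.run(["echo", label],
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_safe_quoted(label: str) -> str:
    """Hardened for the case where a shell string is unavoidable: shlex.quote()
    wraps the value in single quotes (escaping any embedded quote) so the
    POSIX shell treats every character in it as literal."""
    result = subprocess.run("echo " + shlex.quote(label), shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    print("unsafe :", repr(run_unsafe(TAINTED_LABEL)))       # two commands ran
    print("argv   :", repr(run_safe_argv(TAINTED_LABEL)))    # one echo, literal text
    print("quoted :", repr(run_safe_quoted(TAINTED_LABEL)))  # same as argv
```

run_safe_argv neutralizes by construction: with no shell between the program and echo, there is no parser left for the special elements to reach. That is generally preferable to quoting, which has to match the downstream grammar exactly; shlex.quote() targets POSIX sh and is not correct for cmd.exe.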

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
Scope: Confidentiality, Integrity, Availability, Other

Technical Impact: Execute unauthorized code or commands; Alter execution logic; DoS: crash / exit / restart

+ Observed Examples
  • Read arbitrary files from mail client by providing a special MIME header that is internally used to store pathnames for attachments.
  • Setuid program does not cleanse special escape sequence before sending data to a mail program, causing the mail program to process those sequences.
  • Multi-channel issue. Terminal escape sequences not filtered from log files.
  • Multi-channel issue. Terminal escape sequences not filtered from log files.
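
The two log-file entries above are a multi-channel case: the bytes enter through one channel (for example a web request), are stored verbatim, and do their damage only when an administrator later views the log in a terminal that obeys escape sequences. The following Python is a constructed example added here, not code from the CWE entry or from any affected product; the request line, the client address and the access-log format are made up for the demonstration.

```python
"""Constructed example: neutralizing terminal control sequences before a
user-controlled string reaches a log file.

Added for this page; not code from the CWE entry or from any product named
in the observed examples. TAINTED_REQUEST is constructed test data.
"""
import re

# Every C0 control (0x00-0x1F), DEL (0x7F) and C1 control (0x80-0x9F). The
# C1 range includes U+009B, the single-byte form of the ANSI CSI introducer,
# so filtering ESC alone would not be enough.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def neutralize_for_log(value: str) -> str:
    """Return `value` with every control character replaced by a visible,
    unambiguous escape (\\xNN). A terminal replaying the log then shows
    printable text instead of executing a command sequence. CR and LF are
    covered too, so the value cannot start a forged second record."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


# Constructed: a request line carrying ESC [ 2 J (clear screen),
# ESC ] 0 ; ... BEL (set window title) and a CR LF meant to forge a record.
TAINTED_REQUEST = "GET /\x1b[2J\x1b]0;pwned\x07\r\n127.0.0.1 - - forged HTTP/1.0"


def format_access_log(client: str, request: str) -> str:
    """Build one access-log record; only the untrusted field is neutralized,
    and the record is guaranteed to stay on a single line."""
    return '%s "%s"' % (client, neutralize_for_log(request))


if __name__ == "__main__":
    print(format_access_log("10.0.0.5", TAINTED_REQUEST))
```

Printable non-ASCII text passes through unchanged; only the control ranges are rewritten, so the log stays readable while every record remains exactly one line, which is what both log parsers and humans expect.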
+ Potential Mitigations

Phase: Implementation

Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into every input vector of their software system. One defense is to create a white list (e.g. a regular expression) that defines valid input according to the requirements specification, and to reject any input that does not match it. Properly encode your output, and quote any element that has special meaning to the component you are communicating with.

Phase: Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Phase: Implementation

Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.

Phase: Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.
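
The validation strategy in the mitigations above, worked through in a constructed Python example added for this page (it is not the CWE entry's code). A hypothetical report-name parameter arrives percent-encoded in a query string and is later used as a file name. One version checks the still-encoded value against a blacklist and decodes afterwards; the other canonicalizes exactly once (a single percent-decode plus NFC normalization) and then applies an "accept known good" whitelist to the canonical form. All inputs are constructed.

```python
"""Constructed example of 'canonicalize once, then whitelist' (CWE-180/174).

Added for this page; not code from the CWE entry. The `report` parameter,
its use as a file name and every input below are hypothetical.
"""
import re
import unicodedata
from typing import Optional
from urllib.parse import unquote

# "Accept known good": a short name of ASCII letters, digits, '_', '-' and '.',
# which by construction contains no shell, path or URL special element.
_KNOWN_GOOD = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# The blacklist the buggy validator relies on: "dangerous" characters only.
_BLACKLIST = set(";|&<>`$\"'\\/\n\r\x00")


def canonicalize(raw: str) -> str:
    """Percent-decode exactly once, then normalize to NFC, the application's
    internal form. Nothing downstream may decode the result a second time."""
    return unicodedata.normalize("NFC", unquote(raw))


def is_known_good(name: str) -> bool:
    """Whitelist regex plus a rule the regex cannot express: no '..' segments."""
    return _KNOWN_GOOD.fullmatch(name) is not None and ".." not in name


def accept_report_name(raw: str) -> Optional[str]:
    """Hardened: decode once, validate the canonical form, and return that
    same form for downstream use. None means the input was rejected."""
    name = canonicalize(raw)
    return name if is_known_good(name) else None


def accept_report_name_buggy(raw: str) -> Optional[str]:
    """Vulnerable: validates the encoded wire value with a blacklist and
    decodes afterwards, so '%3B' passes the check and becomes ';' downstream.
    A double-encoded '%253B' survives as '%3B' for any later decoder."""
    if any(ch in _BLACKLIST for ch in raw):
        return None
    return unquote(raw)


if __name__ == "__main__":
    for raw in ("monthly-2014_07.csv",        # legitimate
                "q1%3B%20rm%20-rf%20%2F",     # ';' and '/' hidden by encoding
                "%2e%2e%2fetc%2fpasswd",      # '../' hidden by encoding
                "q1%253B"):                   # double-encoded ';'
        print("%-26s buggy=%-18r hardened=%r" % (
            raw, accept_report_name_buggy(raw), accept_report_name(raw)))
```

The whitelist does the real work: because '%' is not an allowed character, a value that still carries encoding after the single canonical decode is rejected outright, which is exactly the double-decoding case (CWE-174) the text warns about. The blacklist version fails on the ordering error (CWE-180): it inspects the wire form, and the special elements only appear after the check.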

+ Weakness Ordinalities
Primary: where the weakness exists independent of other weaknesses
+ Relationships
Nature, Type, ID: Name [View(s) this relationship pertains to]
ChildOf, Weakness Class, CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') [Development Concepts (primary) 699]
ChildOf, Category, CWE-137: Representation Errors [Development Concepts 699]
ChildOf, Weakness Class, CWE-707: Improper Enforcement of Message or Data Structure [Research Concepts (primary) 1000]
ChildOf, Category, CWE-990: SFP Secondary Cluster: Tainted Input to Command [Software Fault Pattern (SFP) Clusters (primary) 888]
ParentOf, Weakness Base, CWE-140: Improper Neutralization of Delimiters [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-147: Improper Neutralization of Input Terminators [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-148: Improper Neutralization of Input Leaders [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-149: Improper Neutralization of Quoting Syntax [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-151: Improper Neutralization of Comment Delimiters [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-152: Improper Neutralization of Macro Symbols [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-153: Improper Neutralization of Substitution Characters [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-154: Improper Neutralization of Variable Name Delimiters [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-155: Improper Neutralization of Wildcards or Matching Symbols [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-156: Improper Neutralization of Whitespace [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-157: Failure to Sanitize Paired Delimiters [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Variant, CWE-158: Improper Neutralization of Null Byte or NUL Character [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Weakness Class, CWE-159: Failure to Sanitize Special Element [Development Concepts (primary) 699; Research Concepts (primary) 1000]
ParentOf, Category, CWE-169: Technology-Specific Special Elements [Development Concepts (primary) 699]
ParentOf, Weakness Base, CWE-464: Addition of Data Structure Sentinel [Research Concepts (primary) 1000]
ParentOf, Weakness Class, CWE-790: Improper Filtering of Special Elements [Research Concepts (primary) 1000]
+ Relationship Notes

This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.

See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. In an attempt to be complete, CWE includes some types that do not have any associated observed example.

+ Research Gaps

This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.

+ Taxonomy Mappings
Mapped Taxonomy Name, Node ID: Mapped Node Name
PLOVER: Special Elements (Characters or Reserved Words)
PLOVER: Custom Special Character Injection
Software Fault Patterns, SFP24: Tainted input to command
+ Content History
Submissions
Submitter: PLOVER (Source: Externally Mined)
Modifications
Modification Date, Modifier, Organization (Source): changes
2008-07-01  Eric Dalci, Cigital (External): updated Description, Potential_Mitigations, Time_of_Introduction
2008-09-08  CWE Content Team, MITRE (Internal): updated Description, Relationships, Other_Notes, Taxonomy_Mappings
2009-03-10  CWE Content Team, MITRE (Internal): updated Description, Name
2009-07-27  CWE Content Team, MITRE (Internal): updated Applicable_Platforms, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
2009-12-28  CWE Content Team, MITRE (Internal): updated Relationships
2010-04-05  CWE Content Team, MITRE (Internal): updated Description, Name
2010-12-13  CWE Content Team, MITRE (Internal): updated Description
2011-03-29  CWE Content Team, MITRE (Internal): updated Potential_Mitigations
2011-06-01  CWE Content Team, MITRE (Internal): updated Common_Consequences
2012-05-11  CWE Content Team, MITRE (Internal): updated Common_Consequences, Relationships
2014-07-30  CWE Content Team, MITRE (Internal): updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change Date: Previous Entry Name
2008-04-11: Special Elements (Characters or Reserved Words)
2009-03-10: Failure to Sanitize Special Elements
2010-04-05: Improper Sanitization of Special Elements
Page Last Updated: July 30, 2014