CWE - CWE-138: Failure to Sanitize Special Elements (Draft 9)

Home > CWE List > CWE-138 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-138 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Draft

138 (Weakness Class)

Description

Summary

The software fails to prevent the introduction of special elements with control implications into a mixed data / control stream.

Extended Description

Often times, platforms or environments have special elements that carry control implications. If software fails to prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended.

Potential Mitigations

Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their software system. One defense is to create a while list (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the white list.

Relationships

Nature	Type	ID	Name
ChildOf	Category	137	Representation Errors
ParentOf	Category	139	General Special Element Problems
ParentOf	Category	169	Technology-Specific Special Elements
ParentOf	Weakness Base	140	Failure to Sanitize Delimiters
ParentOf	Weakness Variant	147	Failure to Sanitize Input Terminators
ParentOf	Weakness Variant	148	Failure to Sanitize Input Leaders
ParentOf	Weakness Variant	149	Failure to Sanitize Quoting Syntax
ParentOf	Weakness Variant	150	Failure to Sanitize Escape, Meta, or Control Sequences
ParentOf	Weakness Variant	151	Failure to Sanitize Comment Element
ParentOf	Weakness Variant	152	Failure to Sanitize Macro Symbol
ParentOf	Weakness Variant	153	Failure to Sanitize Substitution Character
ParentOf	Weakness Variant	154	Failure to Sanitize Variable Name Delimiter
ParentOf	Weakness Variant	155	Failure to Sanitize Wildcard or Matching Symbol
ParentOf	Weakness Variant	156	Failure to Sanitize Whitespace
ParentOf	Weakness Variant	157	Failure to Sanitize Paired Delimiters
ParentOf	Weakness Variant	158	Failure to Sanitize Null Byte or NUL Character
ParentOf	Weakness Class	159	Failure to Sanitize Special Element
ParentOf	Weakness Base	464	Addition of Data Structure Sentinel

Source Taxonomies

PLOVER - Special Elements (Characters or Reserved Words)

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
15	Command Delimiters

Page Last Updated: April 21, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us