CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE CATEGORY: Technology-Specific Special Elements

Category ID: 169
Status: Draft
+ Description

Description Summary

Weaknesses in this category are related to improper handling of special elements within particular technologies.
+ Applicable Platforms

Languages

Language-independent

+ Modes of Introduction

Special elements problems can arise from designs or languages that:

  • Do not separate "code" from "data"

  • Mix meta-information with information

+ Potential Mitigations

Phase: Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class138Improper Neutralization of Special Elements
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base170Improper Null Termination
Development Concepts (primary)699
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERTechnology-Specific Special Elements
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes, Taxonomy_Mappings
2011-03-29CWE Content TeamMITREInternal
updated Other_Notes
2014-06-23CWE Content TeamMITREInternal
updated Applicable_Platforms, Modes_of_Introduction, Other_Notes, Potential_Mitigations

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017