
CWE-20 Individual Dictionary Definition (Draft 9)

Insufficient Input Validation
Weakness ID: 20 (Weakness Class)
Status: Draft

Description

Summary

The product has an absent or incorrect protection mechanism that fails to properly validate input that can affect the control flow or data flow of a program.

Potential Mitigations

Validate input from untrusted sources before it is used. Untrusted data sources include HTTP requests, file systems, databases, and any external system that provides data to the application. For HTTP requests, validate all parts of the request, including headers, form fields, cookies, and URL components that are used to transfer information from the browser to the server-side application.

Duplicate any client-side checks on the server side. This should be simple to implement in terms of time and difficulty, and will greatly reduce the likelihood of insecure parameter values being used in the application.

Assume all input is malicious. Use an appropriate combination of blacklists and whitelists to ensure that only valid and expected input is processed by the system.

Context Notes

In the context of web applications it is particularly important to have adequate validation in place. Note that client-side checks should not be considered a secure means of validating parameters. These checks only help reduce server processing time for normal users who do not know the format of the required input, and the time saved is minimal. Attackers can bypass these mechanisms easily by intercepting parameters after the client-side checks and altering the values before they are submitted to the server.
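The following is an added example, not part of the CWE entry, that puts the mitigations above (validate every part of an HTTP request on the server, duplicate the client-side checks, combine an allow-list with a block-list) into working Python. The Request shape, the field names (username, quantity, sort, page, session) and the per-field rules are assumptions chosen for illustration; a real application would read the same values from its web framework and define rules for its own parameters.

```python
"""Server-side allow-list validation of an HTTP request (added example, hypothetical rules)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Request:
    """Constructed, framework-neutral request shape (assumption: a real app maps its framework's object onto this)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


Check = Callable[[str], bool]


def matches(pattern: str) -> Check:
    """Whole-value regex match (fullmatch, so no prefix/suffix sneaks past the pattern)."""
    rx = re.compile(pattern)
    return lambda v: rx.fullmatch(v) is not None


def int_between(lo: int, hi: int) -> Check:
    """ASCII-digit integer within [lo, hi]; str.isdigit() is avoided because it accepts
    non-ASCII digits such as '²' that int() then rejects."""
    digits = re.compile(r"[0-9]{1,9}")
    return lambda v: digits.fullmatch(v) is not None and lo <= int(v) <= hi


def one_of(*allowed: str) -> Check:
    return lambda v: v in allowed


# Allow-list: which names each part of the request may carry and what their values must look like.
# The username rule duplicates the hypothetical client-side pattern/maxlength=32 check, as the entry advises.
ALLOWED: Dict[str, Dict[str, Check]] = {
    "query": {"sort": one_of("asc", "desc"), "page": int_between(1, 1000)},
    "form": {"username": matches(r"[A-Za-z0-9_]{3,32}"), "quantity": int_between(1, 99)},
    "cookies": {"session": matches(r"[0-9a-f]{32}")},
    "headers": {"Host": one_of("shop.example"),
                "Content-Type": one_of("application/x-www-form-urlencoded")},
}
# Parts where an unexpected name is itself an error. Headers and cookies stay open because browsers
# and proxies add many of their own; unknown entries there are simply never used by the application.
STRICT_NAMES = {"query", "form"}
ALLOWED_METHODS = {"GET", "POST"}
PATH_OK = matches(r"/[A-Za-z0-9_/-]*")
# Block-list backstop applied to every name and value: NUL and other control characters are never legitimate here.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_request(req: Request) -> List[str]:
    """Return a list of validation errors; an empty list means the request may be processed."""
    errors: List[str] = []
    if req.method not in ALLOWED_METHODS:
        errors.append(f"method {req.method!r} not allowed")
    parts = urlsplit(req.url)
    if not PATH_OK(parts.path):
        errors.append(f"path {parts.path!r} outside allowed character set")
    # parse_qsl percent-decodes, so the checks below see the value the application would actually use.
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    sections = {"query": query, "form": req.form, "cookies": req.cookies, "headers": req.headers}
    for section, values in sections.items():
        rules = ALLOWED[section]
        for name, value in values.items():
            if CONTROL.search(name) or CONTROL.search(value):
                errors.append(f"{section}.{name}: control character in name or value")
                continue
            check = rules.get(name)
            if check is None:
                if section in STRICT_NAMES:
                    errors.append(f"{section}.{name}: unexpected parameter")
                continue  # unknown header/cookie: ignored, never consumed
            if not check(value):
                errors.append(f"{section}.{name}: value {value!r} rejected")
    return errors


# Constructed sample requests: one well-formed, one with client-side checks bypassed.
COMMON_HEADERS = {"Host": "shop.example", "Content-Type": "application/x-www-form-urlencoded",
                  "User-Agent": "constructed-browser/1.0"}
GOOD_REQUEST = Request("POST", "/cart/add?sort=asc&page=2", headers=COMMON_HEADERS,
                       cookies={"session": "0" * 32}, form={"username": "alice_01", "quantity": "3"})
BAD_REQUEST = Request("POST", "/cart/add?sort=DESC&page=2%00", headers=COMMON_HEADERS,
                      cookies={"session": "abc"},
                      form={"username": "a" * 40, "quantity": "0", "admin": "1"})

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, validate_request(req) or "OK")
```

Two design points worth noting: values are validated after decoding (parse_qsl turns `%00` into a NUL byte, which the control-character backstop then catches), and every allow-list rule uses fullmatch rather than match, so a value cannot pass by merely starting with an acceptable prefix.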

Relationships
Nature   | Type                    | ID  | Name
ChildOf  | Category                | 19  | Data Handling
ChildOf  | Weakness Class          | 693 | Protection Mechanism Failure
ChildOf  | View                    | 635 |
ParentOf | Weakness Class          | 100 | Technology-Specific Input Validation Problems
ParentOf | Weakness Base           | 112 | Missing XML Validation
ParentOf | Weakness Base           | 114 | Process Control
ParentOf | Weakness Base           | 115 | Misinterpretation of Input
ParentOf | Weakness Class          | 21  | Pathname Traversal and Equivalence Errors
ParentOf | Weakness Class          | 554 | ASP.NET Misconfiguration: Not Using Input Validation Framework
ParentOf | Weakness Variant        | 606 | Unchecked Input for Loop Condition
ParentOf | Weakness Variant        | 626 | Null Byte Interaction Error (Poison Null Byte)
ParentOf | Weakness Class          | 74  | Failure to Sanitize Data into a Different Plane (aka 'Injection')
ParentOf | Compound Element: Chain | 680 | Integer Overflow to Buffer Overflow
ParentOf | Compound Element: Chain | 690 | Unchecked Return Value to NULL Pointer Dereference
ParentOf | Compound Element: Chain | 692 | Incomplete Blacklist to Cross-Site Scripting
Source Taxonomies

7 Pernicious Kingdoms - Input validation and representation

Related Attack Patterns
CAPEC-ID | Attack Pattern Name
10       | Buffer Overflow via Environment Variables
31       | Accessing/Intercepting/Modifying HTTP Cookies
13       | Subverting Environment Variable Values
32       | Embedding Scripts in HTTP Query Strings
14       | Client-side Injection-induced Buffer Overflow
52       | Embedding NULL Bytes
71       | Using Unicode Encoding to Bypass Validation Logic
53       | Postfix, Null Terminate, and Backslash
72       | URL Encoding
18       | Embedding Scripts in Nonscript Elements
91       | XSS in IMG Tags
73       | User-Controlled Filename
78       | Using Escaped Slashes in Alternate Encoding
79       | Using Slashes in Alternate Encoding
99       | XML Parser Attack
101      | Server Side Include (SSI) Injection
22       | Exploiting Trust in Client (aka Make the Client Invisible)
24       | Filter Failure through Buffer Overflow
42       | MIME Conversion
43       | Exploiting Multiple Input Interpretation Layers
80       | Using UTF-8 Encoding to Bypass Validation Logic
45       | Buffer Overflow via Symbolic Links
63       | Simple Script Injection
81       | Web Logs Tampering
28       | Fuzzing
46       | Overflow Variables and Tags
64       | Using Slashes and URL Encoding Combined to Bypass Validation Logic
47       | Buffer Overflow via Parameter Expansion
83       | XPath Injection
66       | SQL Injection
67       | String Format Overflow in syslog()
85       | Client Network Footprinting (using AJAX/XSS)
86       | Embedding Script (XSS) in HTTP Headers
88       | OS Command Injection
3        | Using Leading 'Ghost' Character Sequences to Bypass Input Filters
7        | Blind SQL Injection
8        | Buffer Overflow in an API Call
9        | Buffer Overflow in Local Command-Line Utilities
Page Last Updated: April 22, 2008