CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  
Presentation Filter:

CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework

 
ASP.NET Misconfiguration: Not Using Input Validation Framework
Weakness ID: 554 (Weakness Variant)Status: Draft
+ Description

Description Summary

The ASP.NET application does not use an input validation framework.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

.NET

+ Common Consequences
ScopeEffect
Integrity

Technical Impact: Unexpected state

Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.

+ Potential Mitigations

Phase: Architecture and Design

Use the ASP.NET validation framework to check all program input before it is processed by the application. Example uses of the validation framework include checking to ensure that:

  1. Phone number fields contain only valid characters in phone numbers

  2. Boolean values are only "T" or "F"

  3. Free-form strings are of a reasonable length and composition

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory10ASP.NET Environment Issues
Development Concepts699
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory896SFP Cluster: Tainted Input
Software Fault Pattern (SFP) Clusters (primary)888
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Other_Notes, Taxonomy_Mappings, Type
2009-07-27CWE Content TeamMITREInternal
updated Other_Notes
2011-03-29CWE Content TeamMITREInternal
updated Common_Consequences, Description, Potential_Mitigations
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11ASP.NET Misconfiguration: Input Validation
Page Last Updated: February 18, 2014
 

CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2014, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us