CWE - CWE-707: Improper Enforcement of Message or Data Structure (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-707: Improper Enforcement of Message or Data Structure

Improper Enforcement of Message or Data Structure

Weakness ID: 707 (Weakness Class)

Status: Incomplete

Description

Description Summary

The software does not enforce or incorrectly enforces that structured messages or data are well-formed before being read from an upstream component or sent to a downstream component.

Extended Description

If a message is malformed it may cause the message to be incorrectly interpreted.

This weakness typically applies in cases where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data, can enter the control plane instead. However, this weakness also applies to more general cases where there are not always control implications.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ParentOf	Weakness Class	74	Failure to Sanitize Data into a Different Plane ('Injection')	Research Concepts (primary)1000
ParentOf	Weakness Class	116	Improper Encoding or Escaping of Output	Research Concepts (primary)1000
ParentOf	Weakness Class	138	Improper Sanitization of Special Elements	Research Concepts (primary)1000
ParentOf	Weakness Base	170	Improper Null Termination	Research Concepts (primary)1000
ParentOf	Weakness Class	172	Encoding Error	Research Concepts (primary)1000
ParentOf	Weakness Class	228	Improper Handling of Syntactically Invalid Structure	Research Concepts (primary)1000
ParentOf	Weakness Base	240	Improper Handling of Inconsistent Structural Elements	Research Concepts1000
ParentOf	Weakness Base	463	Deletion of Data Structure Sentinel	Research Concepts (primary)1000
MemberOf	View	1000	Research Concepts	Research Concepts (primary)1000

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.4)
3	Using Leading 'Ghost' Character Sequences to Bypass Input Filters
4	Using Alternative IP Address Encodings
7	Blind SQL Injection
43	Exploiting Multiple Input Interpretation Layers
52	Embedding NULL Bytes
53	Postfix, Null Terminate, and Backslash
64	Using Slashes and URL Encoding Combined to Bypass Validation Logic
66	SQL Injection
78	Using Escaped Slashes in Alternate Encoding
79	Using Slashes in Alternate Encoding
83	XPath Injection
33	HTTP Request Smuggling
34	HTTP Response Splitting
84	XQuery Injection

Content History

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2009-01-12	CWE Content Team	MITRE	Internal
2009-01-12	updated Relationships
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Related Attack Patterns
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Description, Name
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Relationships

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us