CWE - CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (2.4)

Home > CWE List > CWE- Individual Dictionary Definition (2.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
SwA On-Ramp
T-Shirt
Discussion List
Discussion Archives
Contact Us

Scoring
CWSS
CWRAF
CWE/SANS Top 25

Compatibility
Requirements
Coverage Claims Representation
Compatible Products
Make a Declaration

News
Calendar
Free Newsletter

Search the Site

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Weakness ID: 74 (Weakness Class)

Status: Incomplete

Description

Description Summary

The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Extended Description

Software has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features which classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Confidentiality	Technical Impact: Read application data Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
Access Control	Technical Impact: Bypass protection mechanism In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Other	Technical Impact: Alter execution logic Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
Integrity Other	Technical Impact: Other Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
Non-Repudiation	Technical Impact: Hide activities Often the actions performed by injected control code are unlogged.

Likelihood of Exploit

Very High

Potential Mitigations

Phase: Requirements

Programming languages and supporting technologies might be chosen which are not subject to these issues.

Phase: Implementation

Utilize an appropriate mix of white-list and black-list parsing to filter control-plane syntax from all input.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	20	Improper Input Validation	Development Concepts (primary)699
ChildOf	Weakness Class	707	Improper Enforcement of Message or Data Structure	Research Concepts (primary)1000
ChildOf	Category	727	OWASP Top Ten 2004 Category A6 - Injection Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOf	Category	896	SFP Cluster: Tainted Input	Software Fault Pattern (SFP) Clusters (primary)888
ParentOf	Weakness Class	75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Class	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Base	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Base	91	XML Injection (aka Blind XPath Injection)	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Base	93	Improper Neutralization of CRLF Sequences ('CRLF Injection')	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Class	94	Improper Control of Generation of Code ('Code Injection')	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Base	99	Improper Control of Resource Identifiers ('Resource Injection')	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Base	134	Uncontrolled Format String	Development Concepts (primary)699 Research Concepts (primary)1000
ParentOf	Weakness Class	138	Improper Neutralization of Special Elements	Development Concepts (primary)699
CanFollow	Weakness Class	20	Improper Input Validation	Research Concepts1000
CanFollow	Weakness Class	116	Improper Encoding or Escaping of Output	Research Concepts1000

Relationship Notes

In the development view (CWE-699), this is classified as an Input Validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. In the research view (CWE-1000), however, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.

Causal Nature

Explicit

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Injection problem ('data' used as something else)
OWASP Top Ten 2004	A6	CWE_More_Specific	Injection Flaws

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.7.1)
10	Buffer Overflow via Environment Variables
101	Server Side Include (SSI) Injection
106	Cross Site Scripting through Log Files
108	Command Line Execution through SQL Injection
13	Subverting Environment Variable Values
135	Format String Injection
14	Client-side Injection-induced Buffer Overflow
24	Filter Failure through Buffer Overflow
267	Leverage Alternate Encoding
273	HTTP Response Smuggling
28	Fuzzing
3	Using Leading 'Ghost' Character Sequences to Bypass Input Filters
34	HTTP Response Splitting
40	Manipulating Writeable Terminal Devices
42	MIME Conversion
43	Exploiting Multiple Input Interpretation Layers
45	Buffer Overflow via Symbolic Links
46	Overflow Variables and Tags
47	Buffer Overflow via Parameter Expansion
51	Poison Web Service Registry
52	Embedding NULL Bytes
53	Postfix, Null Terminate, and Backslash
64	Using Slashes and URL Encoding Combined to Bypass Validation Logic
66	SQL Injection
67	String Format Overflow in syslog()
7	Blind SQL Injection
71	Using Unicode Encoding to Bypass Validation Logic
72	URL Encoding
76	Manipulating Input to File System Calls
78	Using Escaped Slashes in Alternate Encoding
79	Using Slashes in Alternate Encoding
8	Buffer Overflow in an API Call
80	Using UTF-8 Encoding to Bypass Validation Logic
83	XPath Injection
84	XQuery Injection
9	Buffer Overflow in Local Command-Line Utilities
91	XSS in IMG Tags

Content History

Submissions
Submission Date	Submitter	Organization	Source
	CLASP		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-08-15		Veracode	External
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Common_Consequences, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-01-12	CWE Content Team	MITRE	Internal
2009-01-12	updated Relationships
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Name, Related_Attack_Patterns
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Relationships
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Description, Other_Notes
2010-02-16	CWE Content Team	MITRE	Internal
2010-02-16	updated Relationships
2010-04-05	CWE Content Team	MITRE	Internal
2010-04-05	updated Related_Attack_Patterns
2010-06-21	CWE Content Team	MITRE	Internal
2010-06-21	updated Description, Name
2010-12-13	CWE Content Team	MITRE	Internal
2010-12-13	updated Common_Consequences, Relationship_Notes
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Related_Attack_Patterns, Relationships
2012-10-30	CWE Content Team	MITRE	Internal
2012-10-30	updated Potential_Mitigations
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Injection

2009-05-27	Failure to Sanitize Data into a Different Plane (aka 'Injection')

2010-06-21	Failure to Sanitize Data into a Different Plane ('Injection')

Page Last Updated: February 20, 2013


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us