Improper Enforcement of Message or Data Structure |
Weakness ID: 707 (Weakness Class) | Status: Incomplete |
Description Summary
The software does not enforce or incorrectly enforces that structured messages or data are well-formed before being read from an upstream component or sent to a downstream component.
Extended Description
If a message is malformed it may cause the message to be incorrectly interpreted.
This weakness typically applies in cases where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data, can enter the control plane instead. However, this weakness also applies to more general cases where there are not always control implications.
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ParentOf | Weakness Class | 74 | Failure to Sanitize Data into a Different Plane ('Injection') | Research Concepts (primary)1000 |
ParentOf | Weakness Class | 116 | Improper Encoding or Escaping of Output | Research Concepts (primary)1000 |
ParentOf | Weakness Class | 138 | Improper Sanitization of Special Elements | Research Concepts (primary)1000 |
ParentOf | Weakness Base | 170 | Improper Null Termination | Research Concepts (primary)1000 |
ParentOf | Weakness Class | 172 | Encoding Error | Research Concepts (primary)1000 |
ParentOf | Weakness Class | 228 | Improper Handling of Syntactically Invalid Structure | Research Concepts (primary)1000 |
ParentOf | Weakness Base | 240 | Improper Handling of Inconsistent Structural Elements | Research Concepts1000 |
ParentOf | Weakness Base | 463 | Deletion of Data Structure Sentinel | Research Concepts (primary)1000 |
MemberOf | View | 1000 | Research Concepts | Research Concepts (primary)1000 |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters | |
4 | Using Alternative IP Address Encodings | |
7 | Blind SQL Injection | |
43 | Exploiting Multiple Input Interpretation Layers | |
52 | Embedding NULL Bytes | |
53 | Postfix, Null Terminate, and Backslash | |
64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic | |
66 | SQL Injection | |
78 | Using Escaped Slashes in Alternate Encoding | |
79 | Using Slashes in Alternate Encoding | |
83 | XPath Injection | |
33 | HTTP Request Smuggling | |
34 | HTTP Response Splitting | |
84 | XQuery Injection |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
2008-09-09 | MITRE | Internal CWE Team | ||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Related Attack Patterns | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Description, Name | ||||
2009-07-27 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2009-05-27 | Failure to Enforce that Messages or Data are Well-Formed | |||