Improper Enforcement of Message or Data Structure |
Weakness ID: 707 (Weakness Class) | Status: Incomplete |
Description Summary
The software does not enforce or incorrectly enforces that structured messages or data are well-formed before being read from an upstream component or sent to a downstream component.
Extended Description
If a message is malformed, it may be interpreted incorrectly by the component that reads it.
This weakness typically applies where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data can enter the control plane instead. However, the weakness also applies to more general cases in which there are not always control implications.
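The following is an added illustration, not part of the CWE entry: a constructed line-oriented control message (`SET <key> <value>\n`) built from untrusted input. The unchecked builder lets a newline in a data field become a second command when the downstream parser reads it; the checked builder enforces the message structure before the message leaves the component. The message format, function names and sample input are all assumptions made for this example.

```python
# Added example (not from the CWE entry). A constructed control message
# "SET <key> <value>\n" is built from untrusted data and then parsed by a
# downstream component. The weak builder does not enforce structure; the
# hardened builder rejects anything that would change it.
import re

TOKEN = re.compile(r"^[A-Za-z0-9_.-]+$")    # shape of a well-formed field
VALUE_FORBIDDEN = ("\n", "\r", "\0")         # characters that alter structure

def build_set_unchecked(key: str, value: str) -> str:
    """Weak: assumes key and value contain no message-delimiting characters."""
    return f"SET {key} {value}\n"

def build_set_checked(key: str, value: str) -> str:
    """Hardened: enforce well-formedness before the message goes downstream."""
    if not TOKEN.fullmatch(key):
        raise ValueError("key is not a single well-formed token")
    if any(ch in value for ch in VALUE_FORBIDDEN):
        raise ValueError("value contains message-delimiting characters")
    return f"SET {key} {value}\n"

def parse_commands(wire: str) -> list[tuple[str, ...]]:
    """Downstream parser: one command per line, space-separated fields."""
    return [tuple(line.split(" ", 2)) for line in wire.split("\n") if line]

# Constructed untrusted input: intended as a data value, but carries a
# line break followed by a second command.
UNTRUSTED_VALUE = "blue\nSET role admin"

def demo() -> tuple[int, bool]:
    """Return (commands the parser sees from the unchecked builder,
    whether the checked builder rejected the same input)."""
    weak_count = len(parse_commands(build_set_unchecked("color", UNTRUSTED_VALUE)))
    try:
        build_set_checked("color", UNTRUSTED_VALUE)
        rejected = False
    except ValueError:
        rejected = True
    return weak_count, rejected

if __name__ == "__main__":
    # (2, True): one intended command became two; the checked path refuses it
    print(demo())
```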
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ParentOf | | 74 | Failure to Sanitize Data into a Different Plane ('Injection') | Research Concepts (primary) 1000
ParentOf | | 116 | Improper Encoding or Escaping of Output | Research Concepts (primary) 1000
ParentOf | | 138 | Improper Sanitization of Special Elements | Research Concepts (primary) 1000
ParentOf | | 170 | Improper Null Termination | Research Concepts (primary) 1000
ParentOf | | 172 | Encoding Error | Research Concepts (primary) 1000
ParentOf | | 228 | Improper Handling of Syntactically Invalid Structure | Research Concepts (primary) 1000
ParentOf | | 240 | Improper Handling of Inconsistent Structural Elements | Research Concepts 1000
ParentOf | | 463 | Deletion of Data Structure Sentinel | Research Concepts (primary) 1000
MemberOf | | 1000 | Research Concepts | Research Concepts (primary) 1000
Related Attack Patterns (CAPEC Version: 1.4)

CAPEC-ID | Attack Pattern Name
---|---
3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters
4 | Using Alternative IP Address Encodings
7 | Blind SQL Injection
43 | Exploiting Multiple Input Interpretation Layers
52 | Embedding NULL Bytes
53 | Postfix, Null Terminate, and Backslash
64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic
66 | SQL Injection
78 | Using Escaped Slashes in Alternate Encoding
79 | Using Slashes in Alternate Encoding
83 | XPath Injection
33 | HTTP Request Smuggling
34 | HTTP Response Splitting
84 | XQuery Injection
Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
2008-09-09 | MITRE | Internal CWE Team |

Modifications

Modification Date | Modifier | Organization | Source |
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2009-01-12 | CWE Content Team | MITRE | Internal | updated Relationships
2009-03-10 | CWE Content Team | MITRE | Internal | updated Related Attack Patterns
2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Name
2009-07-27 | CWE Content Team | MITRE | Internal | updated Relationships

Previous Entry Names

Change Date | Previous Entry Name
---|---
2009-05-27 | Failure to Enforce that Messages or Data are Well-Formed