Improper Enforcement of Message or Data Structure
Weakness ID: 707 (Weakness Class)Status: Incomplete
+ Description

Description Summary

The software does not enforce or incorrectly enforces that structured messages or data are well-formed before being read from an upstream component or sent to a downstream component.

Extended Description

If a message is malformed it may cause the message to be incorrectly interpreted.

This weakness typically applies in cases where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data, can enter the control plane instead. However, this weakness also applies to more general cases where there are not always control implications.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ParentOfWeakness ClassWeakness Class74Failure to Sanitize Data into a Different Plane ('Injection')
Research Concepts (primary)1000
ParentOfWeakness ClassWeakness Class116Improper Encoding or Escaping of Output
Research Concepts (primary)1000
ParentOfWeakness ClassWeakness Class138Improper Sanitization of Special Elements
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base170Improper Null Termination
Research Concepts (primary)1000
ParentOfWeakness ClassWeakness Class172Encoding Error
Research Concepts (primary)1000
ParentOfWeakness ClassWeakness Class228Improper Handling of Syntactically Invalid Structure
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base240Improper Handling of Inconsistent Structural Elements
Research Concepts1000
ParentOfWeakness BaseWeakness Base463Deletion of Data Structure Sentinel
Research Concepts (primary)1000
MemberOfViewView1000Research Concepts
Research Concepts (primary)1000
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
3Using Leading 'Ghost' Character Sequences to Bypass Input Filters
4Using Alternative IP Address Encodings
7Blind SQL Injection
43Exploiting Multiple Input Interpretation Layers
52Embedding NULL Bytes
53Postfix, Null Terminate, and Backslash
64Using Slashes and URL Encoding Combined to Bypass Validation Logic
66SQL Injection
78Using Escaped Slashes in Alternate Encoding
79Using Slashes in Alternate Encoding
83XPath Injection
33HTTP Request Smuggling
34HTTP Response Splitting
84XQuery Injection
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2008-09-09MITREInternal CWE Team
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2009-01-12CWE Content TeamMITREInternal
updated Relationships
2009-03-10CWE Content TeamMITREInternal
updated Related Attack Patterns
2009-05-27CWE Content TeamMITREInternal
updated Description, Name
2009-07-27CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2009-05-27Failure to Enforce that Messages or Data are Well-Formed