CWE-184: Incomplete List of Disallowed Inputs
ID
CWE-184
Abstraction
Base
Structure
Simple
Status
Draft
Number of CVEs
42
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.
Developers often try to protect their products against malicious input by performing tests against inputs that are known to be bad, such as special characters that can invoke new commands. However, such lists often only account for the most well-known bad inputs. Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | Developers might begin to develop a list of bad inputs as a fast way to fix a particular weakness, instead of fixing the root cause. See [REF-141]. |
| Architecture and Design | The design might rely solely on detection of malicious inputs as a protection mechanism. |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-693 | Protection Mechanism Failure | Pillar | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-1023 | Incomplete Comparison with Missing Factors | Class | Simple | Incomplete | |
| CWE-1000 | Research Concepts | Draft | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Base | Simple | Stable | |
| CWE-1000 | Research Concepts | Draft | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Base | Simple | Stable | |
| CWE-1000 | Research Concepts | Draft | CWE-434 | Unrestricted Upload of File with Dangerous Type | Base | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | Variant | Simple | Draft | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters | CWE-184 |
| CAPEC-6 | Argument Injection | CWE-184 |
| CAPEC-15 | Command Delimiters | CWE-184 |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers | CWE-184 |
| CAPEC-71 | Using Unicode Encoding to Bypass Validation Logic | CWE-184 |
| CAPEC-73 | User-Controlled Filename | CWE-184 |
| CAPEC-85 | AJAX Footprinting | CWE-184 |
| CAPEC-120 | Double Encoding | CWE-184 |
| CAPEC-182 | Flash Injection | CWE-184 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |
Loading...