CWE-707: Improper Neutralization
If a message is malformed, it may cause the message to be incorrectly interpreted.
Neutralization is an abstract term for any technique that ensures that input (and output) conforms with expectations and is "safe." This can be done by:
- checking that the input/output is already "safe" (e.g. validation)
- transformation of the input/output to be "safe" using techniques such as filtering, encoding/decoding, escaping/unescaping, quoting/unquoting, or canonicalization
- preventing the input/output from being directly provided by an attacker (e.g. "indirect selection" that maps externally-provided values to internally-controlled values)
- preventing the input/output from being processed at all
This weakness typically applies in cases where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data, can enter the control plane instead. However, this weakness also applies to more general cases where there are not always control implications.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific | ||
| Operating_system | Not OS-Specific | ||
| Architecture | Not Architecture-Specific | ||
| Technology | Not Technology-Specific |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters | CWE-707 |
| CAPEC-7 | Blind SQL Injection | CWE-707 |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers | CWE-707 |
| CAPEC-52 | Embedding NULL Bytes | CWE-707 |
| CAPEC-53 | Postfix, Null Terminate, and Backslash | CWE-707 |
| CAPEC-64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic | CWE-707 |
| CAPEC-78 | Using Escaped Slashes in Alternate Encoding | CWE-707 |
| CAPEC-79 | Using Slashes in Alternate Encoding | CWE-707 |
| CAPEC-83 | XPath Injection | CWE-707 |
| CAPEC-84 | XQuery Injection | CWE-707 |
| CAPEC-250 | XML Injection | CWE-707 |
| CAPEC-276 | Inter-component Protocol Manipulation | CWE-707 |
| CAPEC-277 | Data Interchange Protocol Manipulation | CWE-707 |
| CAPEC-278 | Web Services Protocol Manipulation | CWE-707 |
| CAPEC-279 | SOAP Manipulation | CWE-707 |
| CAPEC-468 | Generic Cross-Browser Cross-Domain Theft | CWE-707 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |