CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')Weakness ID: 74 Vulnerability Mapping:
DISCOURAGEDThis CWE ID should not be used to map to real-world vulnerabilities Abstraction: ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. |
Description The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Extended Description Software or other automated logic has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features that classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. Relationships This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Research Concepts" (CWE-1000) Nature | Type | ID | Name |
---|
ChildOf | Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. | 707 | Improper Neutralization | ParentOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | ParentOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 91 | XML Injection (aka Blind XPath Injection) | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 94 | Improper Control of Generation of Code ('Code Injection') | ParentOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 99 | Improper Control of Resource Identifiers ('Resource Injection') | ParentOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 943 | Improper Neutralization of Special Elements in Data Query Logic | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 1236 | Improper Neutralization of Formula Elements in a CSV File | CanFollow | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 20 | Improper Input Validation | CanFollow | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 116 | Improper Encoding or Escaping of Output |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003) Nature | Type | ID | Name |
---|
ParentOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 91 | XML Injection (aka Blind XPath Injection) | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 94 | Improper Control of Generation of Code ('Code Injection') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 1236 | Improper Neutralization of Formula Elements in a CSV File |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Architectural Concepts" (CWE-1008) Nature | Type | ID | Name |
---|
MemberOf | Category - a CWE entry that contains a set of other entries that share a common characteristic. | 1019 | Validate Inputs |
Modes Of Introduction The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.Phase | Note |
---|
Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Common Consequences This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.Scope | Impact | Likelihood |
---|
Confidentiality
| Technical Impact: Read Application Data Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation. | | Access Control
| Technical Impact: Bypass Protection Mechanism In some cases, injectable code controls authentication; this may lead to a remote vulnerability. | | Other
| Technical Impact: Alter Execution Logic Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code. | | Integrity Other
| Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. | | Non-Repudiation
| Technical Impact: Hide Activities Often the actions performed by injected control code are unlogged. | |
Likelihood Of Exploit Demonstrative Examples Example 1 This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection. (bad code) Example Language: PHP
$userName = $_POST["user"]; $command = 'ls -l /home/' . $userName; system($command);
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as: Which would result in $command being: Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system. Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks. Example 2 Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed. (bad code) Example Language: Perl
my $arg = GetArgument("filename");
do_listing($arg);
sub do_listing {
my($fname) = @_;
if (! validate_name($fname)) {
print "Error: name is not well-formed!\n";
return;
}
# build command
my $cmd = "/bin/ls -l $fname";
system($cmd);
}
sub validate_name {
my($name) = @_;
if ($name =~ /^[\w\-]+$/) {
return(1);
}
else {
return(0);
}
}
However, validate_name() alows filenames that begin with a "-". An adversary could supply a filename like "-aR", producing the "ls -l -aR" command (CWE-88), thereby getting a full recursive listing of the entire directory and all of its sub-directories.
There are a couple possible mitigations for this
weakness. One would be to refactor the code to avoid
using system() altogether, instead relying on internal
functions.
Another option could be to add a "--" argument
to the ls command, such as "ls -l --", so that any
remaining arguments are treated as filenames, causing
any leading "-" to be treated as part of a filename
instead of another option.
Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as:
(good code) Example Language: Perl
if ($name =~ /^\w[\w\-]+$/) ...
Observed Examples Reference | Description |
| Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash, potentially allowing for code execution. |
| Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. |
| injection of sed script syntax ("sed injection") |
| Chain: improper input validation ( CWE-20) in username parameter, leading to OS command injection ( CWE-78), as exploited in the wild per CISA KEV. |
| Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability) |
Potential Mitigations
Phase: Requirements Programming languages and supporting technologies might be chosen which are not subject to these issues. |
Phase: Implementation Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input. |
Weakness Ordinalities Ordinality | Description |
Primary | (where the weakness exists independent of other weaknesses) |
Detection Methods
Automated Static Analysis Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) |
Memberships This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources. Vulnerability Mapping Notes Usage: DISCOURAGED (this CWE ID should not be used to map to real-world vulnerabilities) | Reasons: Frequent Misuse, Abstraction | Rationale: CWE-74 is high-level and often misused when lower-level weaknesses are more appropriate. | Comments: Examine the children and descendants of this entry to find a more precise mapping. |
Notes Theoretical Many people treat injection only as an input validation problem ( CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. Other issues not directly related to input validation, such as race conditions, could similarly impact message structure. Taxonomy Mappings Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
CLASP | | | Injection problem ('data' used as something else) |
OWASP Top Ten 2004 | A6 | CWE More Specific | Injection Flaws |
Software Fault Patterns | SFP24 | | Tainted input to command |
References Content History Submissions |
---|
Submission Date | Submitter | Organization |
---|
2006-07-19 (CWE Draft 3, 2006-07-19) | CLASP | | | Modifications |
---|
Modification Date | Modifier | Organization |
---|
2008-07-01 | Eric Dalci | Cigital | updated Time_of_Introduction | 2008-08-15 | | Veracode | Suggested OWASP Top Ten 2004 mapping | 2008-09-08 | CWE Content Team | MITRE | updated Common_Consequences, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities | 2009-01-12 | CWE Content Team | MITRE | updated Relationships | 2009-05-27 | CWE Content Team | MITRE | updated Name, Related_Attack_Patterns | 2009-07-27 | CWE Content Team | MITRE | updated Relationships | 2009-10-29 | CWE Content Team | MITRE | updated Description, Other_Notes | 2010-02-16 | CWE Content Team | MITRE | updated Relationships | 2010-04-05 | CWE Content Team | MITRE | updated Related_Attack_Patterns | 2010-06-21 | CWE Content Team | MITRE | updated Description, Name | 2010-12-13 | CWE Content Team | MITRE | updated Common_Consequences, Relationship_Notes | 2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences | 2012-05-11 | CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | 2012-10-30 | CWE Content Team | MITRE | updated Potential_Mitigations | 2014-02-18 | CWE Content Team | MITRE | updated Related_Attack_Patterns | 2014-06-23 | CWE Content Team | MITRE | updated Relationships | 2014-07-30 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | 2015-12-07 | CWE Content Team | MITRE | updated Relationships | 2017-01-19 | CWE Content Team | MITRE | updated Relationships | 2017-05-03 | CWE Content Team | MITRE | updated Potential_Mitigations, Related_Attack_Patterns | 2017-11-08 | CWE Content Team | MITRE | updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships | 2018-03-27 | CWE Content Team | MITRE | updated Relationships | 2019-01-03 | CWE Content Team | MITRE | updated Related_Attack_Patterns | 2019-06-20 | CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | 2020-02-24 | CWE Content Team | MITRE | updated References, Relationship_Notes, Relationships, Theoretical_Notes | 2020-06-25 | CWE Content Team | MITRE | updated Potential_Mitigations | 2020-08-20 | CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | 2021-10-28 | CWE Content Team | MITRE | updated Relationships | 2022-04-28 | CWE Content Team | MITRE | updated Demonstrative_Examples, Related_Attack_Patterns | 2022-06-28 | CWE Content Team | MITRE | updated Observed_Examples | 2022-10-13 | CWE Content Team | MITRE | updated Observed_Examples | 2023-01-31 | CWE Content Team | MITRE | updated Description | 2023-04-27 | CWE Content Team | MITRE | updated Detection_Factors, Relationships, Time_of_Introduction | 2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes | Previous Entry Names |
---|
Change Date | Previous Entry Name |
---|
2008-04-11 | Injection | | 2009-05-27 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | | 2010-06-21 | Failure to Sanitize Data into a Different Plane ('Injection') | |
More information is available — Please edit the custom filter or select a different filter.
|