CWE-145 – Improper Neutralization of Section Delimiters

Read Time:1 Minute, 15 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140
CWE-93

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that section delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE-144 – Improper Neutralization of Line Delimiters

Read Time:1 Minute, 25 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140
CWE-93

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that line delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2002-0267
    • Linebreak in field of PHP script allows admin privileges when written to data file.

CWE-143 – Improper Neutralization of Record Delimiters

Read Time:1 Minute, 28 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that record delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2004-1982
    • Carriage returns in subject field allow adding new records to data file.
  • CVE-2001-0527
    • Attacker inserts carriage returns and “|” field separator characters to add new user/privileges.

CWE-142 – Improper Neutralization of Value Delimiters

Read Time:1 Minute, 24 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that value delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2000-0293
    • Multiple internal space, insufficient quoting – program does not use proper delimiter between values.

CWE-141 – Improper Neutralization of Parameter/Argument Delimiters

Read Time:1 Minute, 24 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that parameter/argument delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2003-0307
    • Attacker inserts field separator into input to specify admin privileges.

CWE-140 – Improper Neutralization of Delimiters

Read Time:1 Minute, 7 Second

Description

The software does not neutralize or incorrectly neutralizes delimiters.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase: Implementation

Description: 

Developers should anticipate that delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE-14 – Compiler Removal of Code to Clear Buffers

Read Time:42 Second

Description

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka “dead store removal.”

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-733

 

Consequences

Confidentiality, Access Control: Read Memory, Bypass Protection Mechanism

This weakness will allow data that has not been cleared from memory to be read. If this data contains sensitive password information, then an attacker can read the password and use the information to bypass protection mechanisms.

 

Potential Mitigations

Phase: Implementation

Description: 

Store the sensitive data in a “volatile” memory location if available.

Phase: Build and Compilation

Description: 

If possible, configure your compiler so that it does not remove dead stores.

Phase: Architecture and Design

Description: 

Where possible, encrypt sensitive data that are used by a software system.

CVE References

CWE-1385 – Missing Origin Validation in WebSockets

Read Time:2 Minute, 12 Second

Description

The software uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-346

 

Consequences

Confidentiality, Integrity, Availability, Non-Repudiation, Access Control: Varies by Context, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart

The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application – deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product’s users. Because the attacker has the identity of the victim, the scope of the CSRF is limited only by the victim’s privileges.

 

Potential Mitigations

Phase: Implementation

Description: 

Enable CORS-like access restrictions by verifying the ‘Origin’ header during the WebSocket handshake.

Phase: Implementation

Description: 

Use a randomized CSRF token to verify requests.

Phase: Implementation

Description: 

Use TLS to securely communicate using ‘wss’ (WebSocket Secure) instead of ‘ws’.

Phase: Architecture and Design, Implementation

Description: 

Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a ‘verifyClient’ function.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Use a library that provides restriction of the payload size. For example, WS library for Node includes ‘maxPayloadoption’ that can be set.

Phase: Implementation

Description: 

Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc.

CVE References

  • CVE-2020-25095
    • web console for SIEM product does not check Origin header, allowing Cross Site WebSocket Hijacking (CSWH)
  • CVE-2018-6651
    • Chain: gaming client attempts to validate the Origin header, but only uses a substring, allowing Cross-Site WebSocket hijacking by forcing requests from an origin whose hostname is a substring of the valid origin.
  • CVE-2018-14730
    • WebSocket server does not check the origin of requests, allowing attackers to steal developer’s code using a ws://127.0.0.1:3123/ connection.
  • CVE-2018-14731
    • WebSocket server does not check the origin of requests, allowing attackers to steal developer’s code using a ws://127.0.0.1/ connection to a randomized port number.
  • CVE-2018-14732
    • WebSocket server does not check the origin of requests, allowing attackers to steal developer’s code using a ws://127.0.0.1:8080/ connection.

CWE-1384 – Improper Handling of Extreme Physical Environment Conditions

Read Time:46 Second

Description

The product does not properly detect and handle extreme conditions in the product’s physical environment, such as temperature, radiation, humidity, power, or other physical phenomena.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-703

 

Consequences

Confidentiality, Integrity, Availability: Varies by Context, Unexpected State

Consequences of this weakness are highly dependent on the role of affected components within the larger product.

 

Potential Mitigations

Phase: Requirements

Description: 

In requirements, be specific about expectations for how the product will perform when it exceeds high environmental conditions, e.g., by shutting down.

Phase: Architecture and Design, Implementation

Description: 

Where possible, include independent components that can detect excess environmental conditions and have the capability to shut down the product.

Phase: Architecture and Design, Implementation

Description: 

Where possible, use shielding or other materials that can increase the adversary’s workload and reduce the likelihood of being able to successfully trigger a security-related failure.

CVE References

CWE-138 – Improper Neutralization of Special Elements

Read Time:2 Minute, 23 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If software does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file". Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-707

 

Consequences

Confidentiality, Integrity, Availability, Other: Execute Unauthorized Code or Commands, Alter Execution Logic, DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Implementation

Description: 

Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their software system. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have special meaning to the component with which you are communicating.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

CVE References

  • CVE-2001-0677
    • Read arbitrary files from mail client by providing a special MIME header that is internally used to store pathnames for attachments.
  • CVE-2000-0703
    • Setuid program does not cleanse special escape sequence before sending data to a mail program, causing the mail program to process those sequences.
  • CVE-2003-0020
    • Multi-channel issue. Terminal escape sequences not filtered from log files.
  • CVE-2003-0083
    • Multi-channel issue. Terminal escape sequences not filtered from log files.