All posts by rocco

CWE-197 – Numeric Truncation Error

Read Time:1 Minute, 11 Second

Description

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-681
CWE-681
CWE-681
CWE-195
CWE-196
CWE-192
CWE-194

 

Consequences

Integrity: Modify Memory

The true value of the data is lost and corrupted data is used.

 

Potential Mitigations

Phase: Implementation

Description: 

Ensure that no casts, implicit or explicit, take place that move from a larger size primitive or a smaller size primitive.

CVE References

  • CVE-2009-0231
    • Integer truncation of length value leads to heap-based buffer overflow.
  • CVE-2008-3282
    • Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.

CWE-198 – Use of Incorrect Byte Ordering

Read Time:18 Second

Description

The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-188

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

CVE References

CWE-20 – Improper Input Validation

Read Time:4 Minute, 52 Second

Description

The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-707
CWE-345
CWE-22
CWE-41
CWE-74
CWE-119
CWE-770

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.

Confidentiality: Read Memory, Read Files or Directories

An attacker could read confidential data if they are able to control resource references.

Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands

An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build “recognizers” for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]

Phase: Architecture and Design

Description: 

Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Phase: Architecture and Design, Implementation

Description: 

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.

Phase: Implementation

Effectiveness: High

Description: 

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.

Phase: Implementation

Description: 

Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.

Phase: Implementation

Description: 

Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input’s values fall within the expected range of allowable values and that multi-field consistencies are maintained.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CVE References

  • CVE-2008-5305
    • Eval injection in Perl program using an ID that should only contain hyphens and numbers.
  • CVE-2008-2223
    • SQL injection through an ID that was supposed to be numeric.
  • CVE-2008-3477
    • lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption.
  • CVE-2008-3174
    • driver in security product allows code execution due to insufficient validation
  • CVE-2007-3409
    • infinite loop from DNS packet with a label that points to itself
  • CVE-2006-6870
    • infinite loop from DNS packet with a label that points to itself
  • CVE-2007-5893
    • HTTP request with missing protocol version number leads to crash
  • CVE-2006-6658
    • request with missing parameters leads to information exposure
  • CVE-2008-4114
    • system crash with offset value that is inconsistent with packet size
  • CVE-2006-3790
    • size field that is inconsistent with packet size leads to buffer over-read
  • CVE-2008-2309
    • product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning
  • CVE-2008-1284
    • NUL byte in theme name causes directory traversal impact to be worse
  • CVE-2008-0600
    • kernel does not validate an incoming pointer before dereferencing it
  • CVE-2008-1738
    • anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution
  • CVE-2008-1737
    • anti-virus product allows DoS via zero-length field
  • CVE-2008-3464
    • driver does not validate input from userland to the kernel
  • CVE-2008-2252
    • kernel does not validate parameters sent in from userland, allowing code execution
  • CVE-2008-2374
    • lack of validation of string length fields allows memory consumption or buffer over-read
  • CVE-2008-1440
    • lack of validation of length field leads to infinite loop
  • CVE-2008-1625
    • lack of validation of input to an IOCTL allows code execution
  • CVE-2007-2442
    • zero-length input causes free of uninitialized pointer
  • CVE-2008-3680
    • packet with invalid version number leads to NULL pointer dereference
  • CVE-2008-3660
    • crash via multiple “.” characters in file extension

CWE-157 – Failure to Sanitize Paired Delimiters

Read Time:1 Minute, 27 Second

Description

The software does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that grouping elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2004-0956
    • Crash via missing paired delimiter (open double-quote but no closing double-quote).
  • CVE-2005-2933
    • Buffer overflow via mailbox name with an opening double quote but missing a closing double quote, causing a larger copy than expected.

CWE-158 – Improper Neutralization of Null Byte or NUL Character

Read Time:2 Minute, 12 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

As data is parsed, an injected NUL character or null byte may cause the software to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2008-1284
    • NUL byte in theme name causes directory traversal impact to be worse
  • CVE-2002-1774
    • Null character in MIME header allows detection bypass.
  • CVE-2000-0149
    • Web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL.
  • CVE-2000-0671
    • Web server earlier allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) in the URL.
  • CVE-2001-0738
    • Logging system allows an attacker to cause a denial of service (hang) by causing null bytes to be placed in log messages.
  • CVE-2001-1140
    • Web server allows source code for executable programs to be read via a null character (%00) at the end of a request.
  • CVE-2002-1031
    • Protection mechanism for limiting file access can be bypassed using a null character (%00) at the end of the directory name.
  • CVE-2002-1025
    • Application server allows remote attackers to read JSP source code via an encoded null byte in an HTTP GET request, which causes the server to send the .JSP file unparsed.
  • CVE-2003-0768
    • XSS protection mechanism only checks for sequences with an alphabetical character following a (
  • CVE-2004-0189
    • Decoding function in proxy allows regular expression bypass in ACLs via URLs with null characters.
  • CVE-2005-3153
    • Null byte bypasses PHP regexp check (interaction error).
  • CVE-2005-4155
    • Null byte bypasses PHP regexp check (interaction error).

CWE-159 – Improper Handling of Invalid Use of Special Elements

Read Time:1 Minute, 13 Second

Description

The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE-160 – Improper Neutralization of Leading Special Elements

Read Time:1 Minute, 21 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.

As data is parsed, improperly handled leading special elements may cause the process to take unexpected actions that result in an attack.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that leading special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE-161 – Improper Neutralization of Multiple Leading Special Elements

Read Time:1 Minute, 22 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.

As data is parsed, improperly handled multiple leading special elements may cause the process to take unexpected actions that result in an attack.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-160

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that multiple leading special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE-162 – Improper Neutralization of Trailing Special Elements

Read Time:1 Minute, 21 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.

As data is parsed, improperly handled trailing special elements may cause the process to take unexpected actions that result in an attack.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that trailing special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE-163 – Improper Neutralization of Multiple Trailing Special Elements

Read Time:1 Minute, 22 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.

As data is parsed, improperly handled multiple trailing special elements may cause the process to take unexpected actions that result in an attack.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-162

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that multiple trailing special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References