CWE-1286: Improper Validation of Syntactic Correctness of Input

Description

The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

Submission Date: June 24, 2020

Modification Date: June 29, 2023

Organization: MITRE

Extended Description

Often, complex inputs are expected to follow a particular syntax, which is either assumed by the input itself, or declared within metadata such as headers. The syntax could be for data exchange formats, markup languages, or even programming languages. When untrusted input is not properly validated for the expected syntax, attackers could cause parsing failures, trigger unexpected errors, or expose latent vulnerabilities that might not be directly exploitable if the input had conformed to the syntax.

Example Vulnerable Codes

Example - 1

The following code loads and parses an XML file.


    import javax.xml.parsers.DocumentBuilderFactory;

    // Read DOM
    try {
        ...
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Validation is explicitly switched off (it is also the default),
        // so the parser only checks well-formedness, not the expected structure.
        factory.setValidating( false );
        ....
        c_dom = factory.newDocumentBuilder().parse( xmlFile );
        ...
    } catch(Exception ex) {
        ...
    }

The XML file is loaded without validating it against a known XML Schema or DTD. Two details matter in practice: setValidating(false) is also the default, so omitting the call would be no better; and setValidating(true) only turns on DTD validation, which requires the document to reference a DTD and makes the parser honour DOCTYPE declarations. The usual fix is to validate against an XML Schema supplied by the application (DocumentBuilderFactory.setSchema), install an ErrorHandler that rejects the document on any error, and disallow DOCTYPE declarations entirely.

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.