Weaknesses in this category are related to improper input validation.

| ID | Name | Description |
|---|---|---|
| CWE-105 | Struts: Form Field Without Validator | The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation. |
| CWE-106 | Struts: Plug-in Framework not in Use | When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation. |
| CWE-108 | Struts: Unvalidated Action Form | Every Action Form must have a corresponding validation form. |
| CWE-109 | Struts: Validator Turned Off | Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation. |
| CWE-112 | Missing XML Validation | The product accepts XML from an untrusted source but does not validate the XML against the proper schema. |
| CWE-1173 | Improper Use of Validation Framework | The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library. |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | The ASP.NET application does not use, or incorrectly uses, the model validation framework. |
| CWE-1284 | Improper Validation of Specified Quantity in Input | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties. |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. |
| CWE-1287 | Improper Validation of Specified Type of Input | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
| CWE-1288 | Improper Validation of Consistency within Input | The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent. |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. |
| CWE-20 | Improper Input Validation | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | The ASP.NET application does not use an input validation framework. |
| CWE-606 | Unchecked Input for Loop Condition | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. |
| CWE-622 | Improper Validation of Function Hook Arguments | The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities. |
| CWE-781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code | The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends | |