Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004.

| ID | Name | Description |
|---|---|---|
| CWE-102 | Struts: Duplicate Validation Forms | The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect. |
| CWE-103 | Struts: Incomplete validate() Method Definition | The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate(). |
| CWE-104 | Struts: Form Bean Does Not Extend Validation Class | If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation. |
| CWE-106 | Struts: Plug-in Framework not in Use | When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation. |
| CWE-109 | Struts: Validator Turned Off | Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation. |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
| CWE-166 | Improper Handling of Missing Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing. |
| CWE-167 | Improper Handling of Additional Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided. |
| CWE-179 | Incorrect Behavior Order: Early Validation | The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter | The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step. |
| CWE-182 | Collapse of Data into Unsafe Value | The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property. |
| CWE-183 | Permissive List of Allowed Inputs | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
| CWE-20 | Improper Input Validation | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-425 | Direct Request ('Forced Browsing') | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-711 | Weaknesses in OWASP Top Ten (2004) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |