This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

| ID | Name | Description |
|---|---|---|
| CWE-116 | Improper Encoding or Escaping of Output | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CWE-166 | Improper Handling of Missing Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing. |
| CWE-167 | Improper Handling of Additional Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided. |
| CWE-168 | Improper Handling of Inconsistent Special Elements | The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words. |
| CWE-172 | Encoding Error | The product does not properly encode or decode the data, resulting in unexpected values. |
| CWE-173 | Improper Handling of Alternate Encoding | The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent. |
| CWE-174 | Double Decoding of the Same Data | The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations. |
| CWE-175 | Improper Handling of Mixed Encoding | The product does not properly handle when the same input uses several different (mixed) encodings. |
| CWE-176 | Improper Handling of Unicode Encoding | The product does not properly handle when an input contains Unicode encoding. |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) | The product does not properly handle when all or part of an input has been URL encoded. |
| CWE-178 | Improper Handling of Case Sensitivity | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
| CWE-179 | Incorrect Behavior Order: Early Validation | The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter | The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step. |
| CWE-182 | Collapse of Data into Unsafe Value | The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |