Class weakness

Incomplete

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

1,262

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.

Vulnerable example

php

$userName = $_POST["user"];

Attack input

plaintext

;rm -rf /

Resulting query

plaintext

ls -l /home/;rm -rf /

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

Vulnerable example

java

String author = request.getParameter(AUTHOR_PARAM);

Resulting query

plaintext

HTTP/1.1 200 OK

Attack input

plaintext

Wiley Hacker\r\nHTTP/1.1 200 OK\r\n

Resulting query

plaintext

HTTP/1.1 200 OK

Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.

Vulnerable example

perl

my $arg = GetArgument("filename");

Safe example

perl

if ($name =~ /^\w[\w\-]+$/) ...

However, validate_name() allows filenames that begin with a "-". An adversary could supply a filename like "-aR", producing the "ls -l -aR" command (CWE-88), thereby getting a full recursive listing of the entire directory and all of its sub-directories.

There are a couple possible mitigations for this weakness. One would be to refactor the code to avoid using system() altogether, instead relying on internal functions.

Another option could be to add a "--" argument to the ls command, such as "ls -l --", so that any remaining arguments are treated as filenames, causing any leading "-" to be treated as part of a filename instead of another option.

Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as:

Consider a "CWE Differentiator" application that uses an an LLM generative AI based "chatbot" to explain the difference between two weaknesses. As input, it accepts two CWE IDs, constructs a prompt string, sends the prompt to the chatbot, and prints the results. The prompt string effectively acts as a command to the chatbot component. Assume that invokeChatbot() calls the chatbot and returns the response as a string; the implementation details are not important here.

Vulnerable example

python

prompt = "Explain the difference between {} and {}".format(arg1, arg2)

Example

plaintext

Explain the difference between CWE-77 and CWE-78

Attack input

plaintext

Arg1 = CWE-77

Resulting query

plaintext

Explain the difference between CWE-77 and CWE-78.

Safe example

python

cweRegex = re.compile("^CWE-\d+$")

The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment variable value is retrieved from an external resource.

Vulnerable example

other

deploy:

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-74?

What CVEs are caused by CWE-74?

Is CWE-74 part of the OWASP Top 10?

How do you prevent CWE-74?

How is CWE-74 detected?

What are the consequences of CWE-74?

Is CWE-74 actively exploited?

References

Stay ahead of CWE-74

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Related

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-74?

What CVEs are caused by CWE-74?

Is CWE-74 part of the OWASP Top 10?

How do you prevent CWE-74?

How is CWE-74 detected?

What are the consequences of CWE-74?

Is CWE-74 actively exploited?

References

Stay ahead of CWE-74