CWE-1173: Improper Use of Validation Framework
Official CWE-1173 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-1173: Improper Use of Validation Framework
Improper Use of Validation Framework represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Integrity: Unexpected State: Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.
Developer Pattern
CWE-1173 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-1173, 4.20.
Official CWE Definition
CWE-1173: Improper Use of Validation Framework
The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.
Many modern coding languages provide developers with input validation frameworks to make the task of input validation easier and less error-prone. These frameworks will automatically check all input against specified criteria and direct execution to error handlers when invalid input is received. The improper use (i.e., an incorrect implementation or missing altogether) of these frameworks is not directly exploitable, but can lead to an exploitable condition if proper input validation is not performed later in the product. Not using provided input validation frameworks can also hurt the maintainability of code as future developers may not recognize the downstream input validation being used in the place of the validation framework.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- Missing validation
- Unsafe defaults
- Insufficient authorization or memory-safety invariant
Remediation
- Implementation: Properly use provided input validation frameworks.
Detection
- Automated Static Analysis: [object Object]
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-102: Struts: Duplicate Validation Forms
- CWE-105: Struts: Form Field Without Validator
- CWE-106: Struts: Plug-in Framework not in Use
- CWE-108: Struts: Unvalidated Action Form
- CWE-109: Struts: Validator Turned Off
- CWE-20: Improper Input Validation
- CWE-1174: ASP.NET Misconfiguration: Improper Model Validation
- CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.