CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Causes

• This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection. The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:,Which would result in $command being:,Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.,Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.
• The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response. Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:,However, because the value of the cookie is composed of unvalidated user input, the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as,then the HTTP response would be split into two responses of the following form:,The second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability to construct arbitrary HTTP responses permits a variety of resulting attacks, including:,[object Object]
• Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed. [object Object]
• Consider a "CWE Differentiator" application that uses an an LLM generative AI based "chatbot" to explain the difference between two weaknesses. As input, it accepts two CWE IDs, constructs a prompt string, sends the prompt to the chatbot, and prints the results. The prompt string effectively acts as a command to the chatbot component. Assume that invokeChatbot() calls the chatbot and returns the response as a string; the implementation details are not important here. To avoid XSS risks, the code ensures that the response from the chatbot is properly encoded for HTML output. If the user provides CWE-77 and CWE-78, then the resulting prompt would look like:,However, the attacker could provide malformed CWE IDs containing malicious prompts such as:,This would produce a prompt like:,Instead of providing well-formed CWE IDs, the adversary has performed a "prompt injection" attack by adding an additional prompt that was not intended by the developer. The result from the maliciously modified prompt might be something like this:,While the attack in this example is not serious, it shows the risk of unexpected results. Prompts can be constructed to steal private information, invoke unexpected agents, etc.,In this case, it might be easiest to fix the code by validating the input CWE IDs:
• The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment variable value is retrieved from an external resource. [object Object],[object Object]

Remediation

• Requirements: Programming languages and supporting technologies might be chosen which are not subject to these issues.
• Implementation: Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Detection

• Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Related CWEs

• CWE-116: Improper Encoding or Escaping of Output
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File
• CWE-20: Improper Input Validation
• CWE-707: Improper Neutralization
• CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.