CWE-20: Improper Input Validation
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Common Consequences
Scope: Availability
Technical Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Note: An attacker could provide unexpected values and cause a program crash or arbitrary control of resource allocation, leading to excessive consumption of resources such as memory and CPU.
Scope: Confidentiality
Technical Impact: Read Memory; Read Files or Directories
Note: An attacker could read confidential data if they are able to control resource references.
Scope: Integrity; Confidentiality; Availability
Technical Impact: Modify Memory; Execute Unauthorized Code or Commands
Note: An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.
Potential Mitigations
Phase: Architecture and Design
Strategy: Attack Surface Reduction
Description: Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description: Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Phase: Architecture and Design; Implementation
Strategy: Attack Surface Reduction
Description: Understand all the potential areas where untrusted inputs can enter the product, including but not limited to: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
Phase: Implementation
Strategy: Input Validation
Effectiveness: High
Phase: Architecture and Design
Phase: Implementation
Description: When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.
Phase: Implementation
Description: Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.
Phase: Implementation
Description: Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.
Phase: Implementation
Phase: Implementation
Description: When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
Detection Methods
Method: Automated Static Analysis
Method: Manual Static Analysis
When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.
Method: Fuzzing
Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.
Method: Automated Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Automated Results Interpretation
Effectiveness: High
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: High
Method: Manual Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis - Source Code
Effectiveness: High
Method: Architecture or Design Review
Effectiveness: High
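As an added example (not part of the CWE entry or any product it cites), the Python below applies the "convert to the expected type, then range-check, then check multi-field consistency" mitigation to the offset and length fields of a constructed packet header, rejecting the missing, zero-length and size-inconsistent values that several of the observed examples describe, and pairs it with a small fuzz harness of the kind the Fuzzing detection method calls for: the only acceptable outcomes are acceptance or an application-controlled error. The names `parse_chunk`, `accepts`, `fuzz_parse_chunk` and the `MAX_PACKET` limit are assumptions made for this example.

```python
import random
import re

MAX_PACKET = 4096                       # assumed protocol limit for this example
_DECIMAL = re.compile(r"[0-9]{1,5}")    # ASCII digits only: no sign, space, '_' or 0x prefix

class ValidationError(ValueError):
    """Application-controlled rejection; the only error the caller should see."""

def parse_chunk(fields: dict, packet_size: int) -> tuple:
    """Convert each field to its expected type, range-check it, then check
    that the fields are consistent with each other and with the packet."""
    values = {}
    for name in ("offset", "length"):
        raw = fields.get(name)                       # missing field -> reject, not KeyError
        if not isinstance(raw, str) or not _DECIMAL.fullmatch(raw):
            raise ValidationError(f"{name} must be a short decimal integer")
        values[name] = int(raw, 10)                  # direct conversion to the expected type
    offset, length = values["offset"], values["length"]
    if not 0 <= offset < MAX_PACKET:
        raise ValidationError("offset out of range")
    if not 1 <= length <= MAX_PACKET:                # zero-length fields are rejected too
        raise ValidationError("length out of range")
    if offset + length > packet_size:                # cross-field check: the chunk must fit
        raise ValidationError("chunk extends past the end of the packet")
    return offset, length

def accepts(fields: dict, packet_size: int) -> bool:
    """True if accepted, False if rejected with ValidationError; any other
    exception propagates, which is exactly the gap fuzzing is meant to expose."""
    try:
        parse_chunk(fields, packet_size)
        return True
    except ValidationError:
        return False
def fuzz_parse_chunk(iterations: int = 5000, seed: int = 1) -> int:
    """Feed random field dictionaries (constructed here, not captured traffic)
    and count how many are accepted; an unexpected exception aborts the run."""
    rng = random.Random(seed)
    alphabet = "0123456789-+ _.\x00x"
    accepted = 0
    for _ in range(iterations):
        fields = {}
        for name in ("offset", "length"):
            if rng.random() < 0.9:                   # sometimes omit the field entirely
                fields[name] = "".join(rng.choices(alphabet, k=rng.randint(0, 8)))
        if accepts(fields, rng.randint(0, MAX_PACKET)):
            accepted += 1
    return accepted
```

A real harness would replace the random generator with a coverage-guided fuzzer, but the acceptance criterion stays the same: nothing other than `ValidationError` may escape the validation layer.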
Observed Examples
Reference: CVE-2024-37032
Large language model (LLM) management tool does not validate the format of a digest value (CWE-1287) from a private, untrusted model registry, enabling relative path traversal (CWE-23), a.k.a. Probllama
Reference: CVE-2022-45918
Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24)
Reference: CVE-2021-30860
Chain: improper input validation (CWE-20) leads to integer overflow (CWE-190) in mobile OS, as exploited in the wild per CISA KEV.
Reference: CVE-2021-30663
Chain: improper input validation (CWE-20) leads to integer overflow (CWE-190) in mobile OS, as exploited in the wild per CISA KEV.
Reference: CVE-2021-22205
Chain: backslash followed by a newline can bypass a validation step (CWE-20), leading to eval injection (CWE-95), as exploited in the wild per CISA KEV.
Reference: CVE-2021-21220
Chain: insufficient input validation (CWE-20) in browser allows heap corruption (CWE-787), as exploited in the wild per CISA KEV.
Reference: CVE-2020-9054
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
Reference: CVE-2020-3452
Chain: security product has improper input validation (CWE-20) leading to directory traversal (CWE-22), as exploited in the wild per CISA KEV.
Reference: CVE-2020-3161
Improper input validation of HTTP requests in IP phone, as exploited in the wild per CISA KEV.
Reference: CVE-2020-3580
Chain: improper input validation (CWE-20) in firewall product leads to XSS (CWE-79), as exploited in the wild per CISA KEV.
Reference: CVE-2021-37147
Chain: caching proxy server has improper input validation (CWE-20) of headers, allowing HTTP response smuggling (CWE-444) using an "LF line ending"
Reference: CVE-2008-5305
Eval injection in Perl program using an ID that should only contain hyphens and numbers.
Reference: CVE-2008-2223
SQL injection through an ID that was supposed to be numeric.
Reference: CVE-2008-3477
Lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption.
Reference: CVE-2008-3843
Insufficient validation enables XSS.
Reference: CVE-2008-3174
Driver in security product allows code execution due to insufficient validation.
Reference: CVE-2007-3409
Infinite loop from DNS packet with a label that points to itself.
Reference: CVE-2006-6870
Infinite loop from DNS packet with a label that points to itself.
Reference: CVE-2008-1303
Missing parameter leads to crash.
Reference: CVE-2007-5893
HTTP request with missing protocol version number leads to crash.
Reference: CVE-2006-6658
Request with missing parameters leads to information exposure.
Reference: CVE-2008-4114
System crash with offset value that is inconsistent with packet size.
Reference: CVE-2006-3790
Size field that is inconsistent with packet size leads to buffer over-read.
Reference: CVE-2008-2309
Product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning.
Reference: CVE-2008-3494
Security bypass via an extra header.
Reference: CVE-2008-3571
Empty packet triggers reboot.
Reference: CVE-2006-5525
Incomplete denylist allows SQL injection.
Reference: CVE-2008-1284
NUL byte in theme name causes directory traversal impact to be worse.
Reference: CVE-2008-0600
Kernel does not validate an incoming pointer before dereferencing it.
Reference: CVE-2008-1738
Anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution.
Reference: CVE-2008-1737
Anti-virus product allows DoS via zero-length field.
Reference: CVE-2008-3464
Driver does not validate input from userland to the kernel.
Reference: CVE-2008-2252
Kernel does not validate parameters sent in from userland, allowing code execution.
Reference: CVE-2008-2374
Lack of validation of string length fields allows memory consumption or buffer over-read.
Reference: CVE-2008-1440
Lack of validation of length field leads to infinite loop.
Reference: CVE-2008-1625
Lack of validation of input to an IOCTL allows code execution.
Reference: CVE-2008-3177
Zero-length attachment causes crash.
Reference: CVE-2007-2442
Zero-length input causes free of uninitialized pointer.
Reference: CVE-2008-5563
Crash via a malformed frame structure.
Reference: CVE-2008-5285
Infinite loop from a long SMTP request.
Reference: CVE-2008-3812
Router crashes with a malformed packet.
Reference: CVE-2008-3680
Packet with invalid version number leads to NULL pointer dereference.
Reference: CVE-2008-3660
Crash via multiple "." characters in file extension.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Input validation and representation | - |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE More Specific |
| CERT C Secure Coding | ERR07-C | Prefer functions that support error checking over equivalent functions that don't | - |
| CERT C Secure Coding | FIO30-C | Exclude user input from format strings | CWE More Abstract |
| CERT C Secure Coding | MEM10-C | Define and use a pointer validation function | - |
| WASC | 20 | Improper Input Handling | - |
| Software Fault Patterns | SFP25 | Tainted input to variable | - |
Key Information
CWE ID: CWE-20
Abstraction: Class
Structure: Simple
Status: Stable
Likelihood of Exploit: High