CWE-116: Improper Encoding or Escaping of Output
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
常见后果
影响范围: Integrity
技术影响: Modify Application Data
说明: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
影响范围: Integrity Confidentiality Availability Access Control
技术影响: Execute Unauthorized Code or Commands
说明: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
影响范围: Confidentiality
技术影响: Bypass Protection Mechanism
说明: The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
潜在缓解措施
阶段: Architecture and Design
策略: Libraries or Frameworks
阶段: Architecture and Design
策略: Parameterization
阶段: Architecture and Design Implementation
描述: Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
阶段: Architecture and Design
描述: In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
阶段: Architecture and Design
描述: Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
阶段: Requirements
描述: Fully specify which encodings are required by components that will be communicating with each other.
阶段: Implementation
描述: When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
检测方法
方法: Automated Static Analysis
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
有效性: Moderate
方法: Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
观察示例
参考: CVE-2021-41232
Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90)
参考: CVE-2008-4636
OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed.
参考: CVE-2008-0769
Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
参考: CVE-2008-0005
Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
参考: CVE-2008-5573
SQL injection via password parameter; a strong password might contain "&"
参考: CVE-2008-3773
Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters.
参考: CVE-2008-0757
Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
| Operation | - |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| WASC | 22 | Improper Output Handling | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | IDS00-J | Sanitize untrusted data passed across a trust boundary | Exact |
| The CERT Oracle Secure Coding Standard for Java (2011) | IDS05-J | Use a subset of ASCII for file and path names | - |
| SEI CERT Oracle Coding Standard for Java | IDS00-J | Prevent SQL injection | Imprecise |
| SEI CERT Perl Coding Standard | IDS33-PL | Sanitize untrusted data passed across a trust boundary | Exact |
关键信息
CWE ID: CWE-116
抽象级别: Class
结构: Simple
状态: Draft
利用可能性: High