CWE-184

Incomplete List of Disallowed Inputs

AI Translation Available

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Status

draft

Abstraction

base

Affected Platforms

Technical Details

AI Translation

Common Consequences

access control

Impacts

bypass protection mechanism

Detection Methods

black box

Potential Mitigations

Phases:

implementation

Descriptions:

• Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

AI Generated Translation

Common Consequences

controllo degli accessi

Impacts

elusione del meccanismo di protezione

Detection Methods

black box

Potential Mitigations

Phases:

implementazione

Descriptions:

• Non fare affidamento esclusivamente sulla rilevazione di input non consentiti. Ci sono troppe varianti per codificare un carattere, specialmente quando vengono utilizzati ambienti diversi, quindi c'è un'alta probabilità di perdere alcune varianti. Usa la rilevazione di input non consentiti solo come meccanismo per individuare attività sospette. Assicurati di utilizzare altri meccanismi di protezione che identificano solo input "sicuri" — come elenchi di input consentiti — e assicurati di codificare correttamente i tuoi output.

CWE-184

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Iscriviti alla newsletter