CWE-228 Detail

CWE-228

Name

Improper Handling of Syntactically Invalid Structure

Status

Incomplete

Published

2006-07-19
00h00 +00:00

Modified

2024-02-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Improper Handling of Syntactically Invalid Structure

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

General Informations

Modes Of Introduction

Implementation

Common Consequences

Scope	Impact	Likelihood
Integrity Availability	Unexpected State, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU) Note: If an input is syntactically invalid, then processing the input could place the system in an unexpected state that could lead to a crash, consume available system resources or other unintended behaviors.

Observed Examples

References	Description
CVE-2004-0270	Anti-virus product has assert error when line length is non-numeric.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comment : Examine children of this entry to see if there is a better fit

NotesNotes

This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.
The validity of input could be roughly classified along "syntactic", "semantic", and "lexical" dimensions. If the specification requires that an input value should be delimited with the "[" and "]" square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters "aaa" are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.

Submission

Name	Organization	Date	Date release	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Description, Maintenance_Notes, Name, Relationships, Relevant_Properties, Taxonomy_Mappings
CWE Content Team	MITRE	2009-03-10 +00:00	updated Description, Name
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2011-06-27 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Common_Consequences, Relationships
CWE Content Team	MITRE	2014-02-18 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-01-19 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Relevant_Properties
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2021-03-15 +00:00	updated Demonstrative_Examples, Maintenance_Notes, Theoretical_Notes
CWE Content Team	MITRE	2023-04-27 +00:00	updated Detection_Factors, Relationships, Time_of_Introduction
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2024-02-29 +00:00	updated Observed_Examples, Relationships