CWE-627

Dynamic Variable Evaluation

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

Mitigation

Phase: Implementation

Strategy: Refactoring

Description:

  • Refactor the code to avoid dynamic variable evaluation whenever possible.

Mitigation

Phase: Implementation

Strategy: Input Validation

Description:

  • Use only allowlists of acceptable variable or function names.

Mitigation

Phase: Implementation

Description:

  • For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.
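The weakness and the last two mitigations side by side, as an added Python example that is not part of the CWE entry: a request dispatcher that resolves a handler by a caller-supplied name, first through an unrestricted global lookup, then through an allowlist with a signature check before the call. The handler names, the request format and the `handle` wrapper are hypothetical.

```python
import inspect

# Handlers we intend to expose, plus one that must never be reachable from a request.
def get_balance(account_id):
    return {"account": account_id, "balance": 100}

def transfer(src, dst, amount):
    return {"from": src, "to": dst, "amount": amount}

def reset_admin_password(new_password):  # internal only, hypothetical
    return "admin password reset"

def dispatch_vulnerable(request):
    """CWE-627: the request chooses the name looked up in globals(), so every
    module-level function is callable, and a short argument list reaches the
    handler as a TypeError (or as unexpected null values in looser languages)."""
    func = globals()[request["func"]]
    return func(*request.get("args", []))

# Mitigation (input validation): an allowlist of acceptable function names;
# any other name fails to resolve at all.
ALLOWED_HANDLERS = {"get_balance": get_balance, "transfer": transfer}

def dispatch_hardened(request):
    name = request.get("func")
    if name not in ALLOWED_HANDLERS:
        raise ValueError(f"unknown handler: {name!r}")
    func = ALLOWED_HANDLERS[name]
    args = request.get("args", [])
    # Mitigation (argument count): bind the arguments against the function's
    # signature before calling it, so a missing argument is rejected up front.
    try:
        inspect.signature(func).bind(*args)
    except TypeError as exc:
        raise ValueError(f"bad arguments for {name}: {exc}") from None
    return func(*args)

def handle(dispatcher, request):
    """Run one request and report the outcome as a (status, payload) pair."""
    try:
        return ("ok", dispatcher(request))
    except (KeyError, TypeError, ValueError) as exc:
        return ("rejected", str(exc))
```

With `dispatch_vulnerable`, a request naming `reset_admin_password` succeeds; with `dispatch_hardened`, it and any call with the wrong argument count are rejected before the handler runs.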

No CAPEC attack patterns related to this CWE.
