{"@ID": "228", "@Name": "Improper Handling of Syntactically Invalid Structure", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "703", "@View_ID": "1000"}, {"@Nature": "ChildOf", "@CWE_ID": "707", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Common_Consequences": {"Consequence": {"Scope": ["Integrity", "Availability"], "Impact": ["Unexpected State", "DoS: Crash, Exit, or Restart", "DoS: Resource Consumption (CPU)"], "Note": "If an input is syntactically invalid, then processing the input could place the system in an unexpected state that could lead to a crash, consume available system resources or other unintended behaviors."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-110", "Intro_Text": "This Android application has registered to handle a URL when sent an intent:", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null], "xhtml:i": ["...", "..."], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "String URL = intent.getStringExtra(\"URLToOpen\");int length = URL.length();"}, "xhtml:br": [null, null], "xhtml:i": "...", "#text": "if(\"com.example.URLHandler.openURL\".equals(intent.getAction())) {\n                                 \n                                 \n                                 }"}}, "#text": "@Overridepublic void onReceive(Context context, Intent intent) {}"}}, "#text": "IntentFilter filter = new IntentFilter(\"com.example.URLHandler.openURL\");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter);\n                     \n                     \n                     public class UrlHandlerReceiver extends BroadcastReceiver {}"}}, "Body_Text": "The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called."}}, "Observed_Examples": {"Observed_Example": {"Reference": "CVE-2004-0270", "Description": "Anti-virus product has assert error when line length is non-numeric.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0270"}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Structure and Validity Problems"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A7", "Entry_Name": "Improper Error Handling", "Mapping_Fit": "CWE More Specific"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Notes": {"Note": [{"@Type": "Maintenance", "#text": "This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability."}, {"@Type": "Theoretical", "#text": "The validity of input could be roughly classified along \"syntactic\", \"semantic\", and \"lexical\" dimensions. If the specification requires that an input value should be delimited with the \"[\" and \"]\" square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters \"aaa\" are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration."}]}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Description, Maintenance_Notes, Name, Relationships, Relevant_Properties, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Description, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Common_Consequences, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-02-18", "Modification_Version": "2.6", "Modification_ReleaseDate": "2014-02-19", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Relevant_Properties"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples, Maintenance_Notes, Theoretical_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Weakness_Ordinalities"}], "Previous_Entry_Name": [{"@Date": "2008-09-09", "#text": "Structure and Validity Problems"}, {"@Date": "2009-03-10", "#text": "Failure to Handle Syntactically Invalid Structure"}]}}
