1. Home
  2. CWE Database
  3. CWE-1286
Base · Medium

CWE-1286: Improper Validation of Syntactic Correctness of Input

The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

CWE-1286 · Base Level ·2 CVEs ·1 Mitigations

Description

The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

Often, complex inputs are expected to follow a particular syntax, which is either assumed by the input itself, or declared within metadata such as headers. The syntax could be for data exchange formats, markup languages, or even programming languages. When untrusted input is not properly validated for the expected syntax, attackers could cause parsing failures, trigger unexpected errors, or expose latent vulnerabilities that might not be directly exploitable if the input had conformed to the syntax.

Potential Impact

Other

Varies by Context

Demonstrative Examples

The following code loads and parses an XML file.
Bad
// Read DOM
                     try {...DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();factory.setValidating( false );....c_dom = factory.newDocumentBuilder().parse( xmlFile );} catch(Exception ex) {...}
The XML file is loaded without validating it against a known XML Schema or DTD.

Mitigations & Prevention

Implementation High

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Real-World CVE Examples

CVE IDDescription
CVE-2016-4029Chain: incorrect validation of intended decimal-based IP address format (CWE-1286) enables parsing of octal or hexadecimal formats (CWE-1389), allowing bypass of an SSRF protection mechanism (CWE-918)
CVE-2007-5893HTTP request with missing protocol version number leads to crash

CWE-20: Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the ...

Frequently Asked Questions

What is CWE-1286?

CWE-1286 (Improper Validation of Syntactic Correctness of Input) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

How can CWE-1286 be exploited?

Attackers can exploit CWE-1286 (Improper Validation of Syntactic Correctness of Input) to varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1286?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric

What is the severity of CWE-1286?

CWE-1286 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.