Base · Medium

CWE-168: Improper Handling of Inconsistent Special Elements


CWE-168 · Base Level · 3 Mitigations

Description

The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.

An example of this problem would be if paired characters appear in the wrong order, or if the special characters are not properly nested.
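The following is an added example, not code from the CWE entry: it contrasts a naive count-based balance check, which accepts paired characters in the wrong order or badly nested, with a stack-based check that reports the first offset at which the input becomes inconsistent. The set of paired characters (brackets and quotes) and the sample inputs are constructed for the illustration.

```python
# Added example for CWE-168; not code from the CWE entry. Compares a naive
# count-based balance check with a stack-based check that detects paired
# special characters in the wrong order or improperly nested.

from typing import Optional, Tuple

# Constructed set of paired special characters used by this example.
PAIRS = {"(": ")", "[": "]", "{": "}"}
CLOSERS = {closer: opener for opener, closer in PAIRS.items()}
SELF_PAIRED = {'"', "'"}  # quotes: the same character opens and closes


def naive_is_balanced(text: str) -> bool:
    """Weak check that only compares counts of openers and closers.

    It accepts ')(' (wrong order) and '([)]' (bad nesting), which are
    exactly the inconsistencies CWE-168 describes.
    """
    for opener, closer in PAIRS.items():
        if text.count(opener) != text.count(closer):
            return False
    return all(text.count(q) % 2 == 0 for q in SELF_PAIRED)


def check_special_elements(text: str) -> Tuple[bool, str]:
    """Stack-based consistency check.

    Returns (True, "consistent") when every special element is closed by
    its own partner in the right order, otherwise (False, reason) naming
    the first offset where the input becomes inconsistent.
    """
    stack = []  # (character, offset) of currently open elements
    for offset, ch in enumerate(text):
        if ch in SELF_PAIRED:
            if stack and stack[-1][0] == ch:
                stack.pop()  # closes the matching open quote
            else:
                stack.append((ch, offset))
        elif ch in PAIRS:
            stack.append((ch, offset))
        elif ch in CLOSERS:
            if not stack:
                return False, f"closing {ch!r} at offset {offset} has no opener"
            opener, open_offset = stack.pop()
            if opener in SELF_PAIRED or PAIRS[opener] != ch:
                return False, (f"{opener!r} at offset {open_offset} is closed "
                               f"by {ch!r} at offset {offset}")
    if stack:
        opener, open_offset = stack[-1]
        return False, f"{opener!r} at offset {open_offset} is never closed"
    return True, "consistent"


def accept_or_reject(text: str) -> Optional[str]:
    """Mitigation: refuse input whose special elements are inconsistent
    rather than guessing how a downstream parser would recover from it."""
    ok, _reason = check_special_elements(text)
    return text if ok else None


if __name__ == "__main__":
    for sample in ['{"key": [1, 2]}', ")(", "([)]", '"unterminated', "(a"]:
        print(f"{sample!r:22} naive={naive_is_balanced(sample)!s:5} "
              f"strict={check_special_elements(sample)}")
```

The naive check returns True for both `)(` and `([)]`, so any code relying on it would hand inconsistent input to a parser whose recovery behaviour is unspecified; the stack-based check rejects both and says where the inconsistency starts, which is also the information worth logging when such input is detected.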

Potential Impact

Availability, Access Control, Non-Repudiation

DoS: Crash, Exit, or Restart, Bypass Protection Mechanism, Hide Activities

Mitigations & Prevention

General

Developers should anticipate that inconsistent special elements will be injected/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Implementation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
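The following is an added example covering both the allowlist guidance above and the decode-once rule; it is not code from the CWE entry. It puts two flawed pipelines (validating the still-encoded input, and decoding a second time after the check) beside a hardened one that decodes and canonicalizes exactly once, validates the canonical form against an allowlist, and then uses that exact value. The file-name policy, the denylist and the sample inputs are constructed.

```python
# Added example for the CWE-168 mitigations; not code from the CWE entry.
# Shows why decoding must happen exactly once, before validation, and why an
# allowlist is safer than a denylist. Policy and sample values are constructed.

import re
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Constructed policy: a single file name made of safe characters only.
ALLOWED = re.compile(r"[A-Za-z0-9_.-]+")
DENIED = ("..", "/", "\\")


def canonicalize(raw: str) -> str:
    """Decode once and normalize so validation sees the internal form (CWE-180)."""
    return unicodedata.normalize("NFKC", unquote(raw))


def denylist_ok(value: str) -> bool:
    """Denylist check used by the two flawed pipelines."""
    return not any(bad in value for bad in DENIED)


def flawed_validate_then_decode(raw: str) -> Optional[str]:
    """Flaw 1: checks the still-encoded input, then decodes it (CWE-180)."""
    if not denylist_ok(raw):
        return None
    return unquote(raw)


def flawed_double_decode(raw: str) -> Optional[str]:
    """Flaw 2: decodes, checks, then decodes again at the point of use (CWE-174)."""
    once = unquote(raw)
    if not denylist_ok(once):
        return None
    return unquote(once)


def hardened(raw: str) -> Optional[str]:
    """Decode once, validate the canonical form against an allowlist,
    and use exactly that validated value afterwards."""
    canonical = canonicalize(raw)
    if not ALLOWED.fullmatch(canonical) or canonical in (".", ".."):
        return None
    return canonical


if __name__ == "__main__":
    for raw in ("report-2024.txt", "r%65port.txt",
                "%2e%2e%2fconfig.txt", "%252e%252e%252fconfig.txt"):
        print(f"{raw:28} check-then-decode={flawed_validate_then_decode(raw)!r:20} "
              f"double={flawed_double_decode(raw)!r:20} hardened={hardened(raw)!r}")
```

With a single layer of encoding the first flaw lets the denied characters through because they are not yet visible when the check runs; with two layers the second flaw lets them through because the check ran before the final decode. The hardened pipeline rejects both, since after its one decode the canonical value still contains either a separator or a stray `%`, neither of which is on the allowlist.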

Taxonomy Mappings

  • PLOVER: Inconsistent Special Elements

Frequently Asked Questions

What is CWE-168?

CWE-168 (Improper Handling of Inconsistent Special Elements) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.

How can CWE-168 be exploited?

Attackers can exploit CWE-168 (Improper Handling of Inconsistent Special Elements) to cause a DoS (crash, exit, or restart), bypass a protection mechanism, or hide activities. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-168?

Key mitigations include: Developers should anticipate that inconsistent special elements will be injected/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure

What is the severity of CWE-168?

CWE-168 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.