Class · High

CWE-228: Improper Handling of Syntactically Invalid Structure

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

CWE-228 · Class Level · 1 CVE

Description

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

Potential Impact

Integrity, Availability

Unexpected State, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)

Demonstrative Examples

This Android application has registered to handle a URL when sent an intent:
Bad

    ...
    IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
    MyReceiver receiver = new MyReceiver();
    registerReceiver(receiver, filter);
    ...

    public class UrlHandlerReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if ("com.example.URLHandler.openURL".equals(intent.getAction())) {
                // getStringExtra() returns null when the extra is missing;
                // the unchecked call to length() then throws NullPointerException.
                String URL = intent.getStringExtra("URLToOpen");
                int length = URL.length();
                ...
            }
        }
    }
The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.
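A hardened version of the receiver, written here as an added example rather than code from the CWE entry: the presence, type, length and structure of the URL extra are each checked before the value is used, so a malformed or missing extra is logged and dropped instead of crashing the process. The `MAX_URL_LENGTH` bound and the `openUrl()` handler are assumptions introduced for illustration.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.util.Log;

// Hardened variant of the receiver above (added example, not from the CWE entry).
// Every assumption the original code made about the intent is checked explicitly.
public class UrlHandlerReceiver extends BroadcastReceiver {
    private static final String TAG = "UrlHandlerReceiver";
    private static final String ACTION_OPEN_URL = "com.example.URLHandler.openURL";
    private static final String EXTRA_URL = "URLToOpen";
    private static final int MAX_URL_LENGTH = 2048; // constructed bound, not from the page

    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent == null || !ACTION_OPEN_URL.equals(intent.getAction())) {
            return;
        }
        // The extra may be absent or of the wrong type: getStringExtra() returns null in both cases.
        String url = intent.getStringExtra(EXTRA_URL);
        if (url == null || url.isEmpty()) {
            Log.w(TAG, "openURL intent without a usable URL extra; ignoring");
            return;
        }
        // Bound the length before doing any further work on caller-controlled input.
        if (url.length() > MAX_URL_LENGTH) {
            Log.w(TAG, "URL extra exceeds " + MAX_URL_LENGTH + " characters; ignoring");
            return;
        }
        // Structural validation: Uri.parse() does not throw on garbage, so check the
        // parts explicitly and only accept an absolute http(s) URL with a host.
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))
                || host == null || host.isEmpty()) {
            Log.w(TAG, "URL extra is not a well-formed http(s) URL; ignoring");
            return;
        }
        openUrl(context, uri); // hypothetical handler for the validated URL
    }

    private void openUrl(Context context, Uri uri) {
        // Placeholder for the application's own handling of a validated URL.
        Log.i(TAG, "opening " + uri);
    }
}
```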

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID | Description
--- | ---
CVE-2004-0270 | Anti-virus product has assert error when line length is non-numeric.

Taxonomy Mappings

  • PLOVER — Structure and Validity Problems
  • OWASP Top Ten 2004: A7 — Improper Error Handling

Frequently Asked Questions

What is CWE-228?

CWE-228 (Improper Handling of Syntactically Invalid Structure) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

How can CWE-228 be exploited?

Attackers can exploit CWE-228 (Improper Handling of Syntactically Invalid Structure) to cause an unexpected state, a DoS (crash, exit, or restart), or a DoS through CPU resource consumption. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-228?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-228?

CWE-228 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVE.