1. Home
  2. CWE Database
  3. CWE-796
Variant · Low-Medium

CWE-796: Only Filtering Special Elements Relative to a Marker

The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; the second argument"), thereby mis...

CWE-796 · Variant Level

Description

The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; the second argument"), thereby missing remaining special elements that may exist before sending it to a downstream component.

Potential Impact

Integrity

Unexpected State

Demonstrative Examples

The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
Bad
my $Username = GetUntrustedInput();$Username =~ s/^\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename);
Since the regular expression is only looking for an instance of "../" at the beginning of the string, it only removes the first "../" element. So an input value such as:
Attack
../../../etc/passwd
will have the first "../" stripped, resulting in:
Result
../../etc/passwd
This value is then concatenated with the /home/user/ directory:
Result
/home/user/../../etc/passwd
which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22).

CWE-795: Only Filtering Special Elements at a Specified Location

The product receives data from an upstream component, but only accounts for special elements at a specified location, th...

Frequently Asked Questions

What is CWE-796?

CWE-796 (Only Filtering Special Elements Relative to a Marker) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; the second argument"), thereby mis...

How can CWE-796 be exploited?

Attackers can exploit CWE-796 (Only Filtering Special Elements Relative to a Marker) to unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-796?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-796?

CWE-796 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.