Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
Potential Impact
Confidentiality
Read Files or Directories, Read Application Data
Access Control
Bypass Protection Mechanism
Access Control
Gain Privileges or Assume Identity
Integrity, Confidentiality, Availability, Other
Execute Unauthorized Code or Commands
Non-Repudiation
Hide Activities
Demonstrative Examples
$MessageFile = "messages.out";if ($_GET["action"] == "NewMessage") {$name = $_GET["name"];$message = $_GET["message"];$handle = fopen($MessageFile, "a+");fwrite($handle, "<b>$name</b> says '$message'<hr>\n");fclose($handle);echo "Message Saved!<p>\n";}else if ($_GET["action"] == "ViewMessages") {include($MessageFile);}name=h4x0rmessage=%3C?php%20system(%22/bin/ls%20-l%22);?%3E<?php system("/bin/ls -l");?>Mitigations & Prevention
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat
Perform proper output validation and escaping to neutralize all code syntax from data written to code files.
Detection Methods
- Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2002-0495 | Perl code directly injected into CGI library file from parameters to another CGI program. |
| CVE-2005-1876 | Direct PHP code injection into supporting template file. |
| CVE-2005-1894 | Direct code injection into PHP script that can be accessed by attacker. |
| CVE-2003-0395 | PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script. |
| CVE-2007-6652 | chain: execution after redirect allows non-administrator to perform static code injection. |
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Direct Static Code Injection
- Software Fault Patterns: SFP24 — Tainted Input to Command
Frequently Asked Questions
What is CWE-96?
CWE-96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, conf...
How can CWE-96 be exploited?
Attackers can exploit CWE-96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')) to read files or directories, read application data. This weakness is typically introduced during the Implementation, Implementation phase of software development.
How do I prevent CWE-96?
Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric
What is the severity of CWE-96?
CWE-96 is classified as a Base-level weakness (Medium abstraction). It has been observed in 5 real-world CVEs.