Class · High

CWE-99: Improper Control of Resource Identifiers ('Resource Injection')


CWE-99 · Class Level · 1 CVE · 1 Mitigation

Description

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

A resource injection issue occurs when the following two conditions are met: This may enable an attacker to access or modify otherwise protected system resources.

Potential Impact

Confidentiality, Integrity

Read Application Data, Modify Application Data, Read Files or Directories, Modify Files or Directories

Demonstrative Examples

The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.
Bad (Java):

    // The file name is built directly from the request parameter with no validation,
    // so a value such as "../../tomcat/conf/server.xml" escapes the reports directory.
    String rName = request.getParameter("reportName");
    File rFile = new File("/usr/local/apfr/reports/" + rName);
    ...
    rFile.delete();
The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.
Bad (C++):

    #include <fstream>
    #include <iostream>
    #include <string>
    using namespace std;

    int main(int argc, char* argv[]) {
        ifstream ifs(argv[1]);  // file name taken straight from the command line; symlinks are followed
        string s;
        ifs >> s;
        cout << s;
    }
The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections.

Mitigations & Prevention

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat
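As an added example that is not part of the CWE entry or its demonstrative code, the following C++ applies the "accept known good" strategy above to both demonstrative cases: an allowlist for the report name from the Java example, a normalised containment check against the base directory, and an O_NOFOLLOW open for the C++ example so a planted symbolic link is refused rather than followed. The base directory path, the extension set, the size limit and the scratch-directory fixture are assumptions made for the example.

```cpp
// Added example, not CWE's own code: hardened handling of the two
// demonstrative cases. Paths, names, extensions and the fixture are assumptions.
#include <fcntl.h>
#include <unistd.h>

#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// "Accept known good": a report name is a short stem of [A-Za-z0-9_-]
// followed by exactly one extension from a fixed set. Anything else,
// including "../", "/" and a second dot, is rejected rather than sanitised.
bool isSafeReportName(const std::string& name) {
    if (name.empty() || name.size() > 64) return false;
    const auto dot = name.rfind('.');
    if (dot == std::string::npos || dot == 0) return false;
    const std::string stem = name.substr(0, dot);
    const std::string ext = name.substr(dot + 1);
    if (ext != "pdf" && ext != "csv") return false;
    for (char c : stem) {
        const bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                        (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

// Defence in depth for the Java example: after allowlisting, confirm that the
// joined path, once normalised, still lies under the base directory. An
// absolute name or a "../" sequence yields a relative path that climbs out.
bool staysUnderBase(const fs::path& base, const std::string& name) {
    const fs::path normBase = base.lexically_normal();
    const fs::path joined = (base / name).lexically_normal();
    const fs::path rel = joined.lexically_relative(normBase);
    if (rel.empty()) return false;            // not expressible relative to base
    for (const auto& part : rel) {
        if (part.string() == "..") return false;  // climbed above the base directory
    }
    return true;
}

// For the ifstream example: O_NOFOLLOW makes the kernel refuse a symbolic
// link as the final path component (errno ELOOP on Linux) instead of
// silently opening whatever the link points at. POSIX only.
int openNoFollow(const std::string& path) {
    return open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

// Constructed fixture: builds a regular file and a symlink to it in a scratch
// directory and reports whether the regular file opens while the link is refused.
bool demoSymlinkRefused() {
    const fs::path dir = fs::temp_directory_path() / "cwe99_added_example";
    fs::create_directories(dir);
    const fs::path real = dir / "real.txt";
    const fs::path link = dir / "link.txt";
    {
        std::ofstream out(real);
        out << "hello\n";
    }
    fs::remove(link);                         // tolerate a leftover from an earlier run
    fs::create_symlink(real, link);
    const int realFd = openNoFollow(real.string());
    const int linkFd = openNoFollow(link.string());
    const bool refused = (realFd >= 0) && (linkFd == -1);
    if (realFd >= 0) close(realFd);
    if (linkFd >= 0) close(linkFd);
    fs::remove_all(dir);
    return refused;
}

int main() {
    const fs::path base = "/usr/local/apfr/reports";   // base directory from the Java example
    for (const std::string name : {"q3-2024.pdf", "../../tomcat/conf/server.xml", "/etc/passwd"}) {
        std::cout << name << ": allowlist=" << isSafeReportName(name)
                  << " underBase=" << staysUnderBase(base, name) << '\n';
    }
    std::cout << "symlink refused by O_NOFOLLOW: " << demoSymlinkRefused() << '\n';
    return 0;
}
```

The allowlist is the primary control; the containment check exists so that a later loosening of the allowlist cannot silently reintroduce traversal. Opening with a descriptor rather than a stream is what makes O_NOFOLLOW available; a Windows port would need an equivalent reparse-point check.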

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID          Description
CVE-2013-4787   chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive.

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Resource Injection
  • Software Fault Patterns: SFP24 — Tainted input to command
  • OMG ASCSM: ASCSM-CWE-99

Frequently Asked Questions

What is CWE-99?

CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

How can CWE-99 be exploited?

Attackers can exploit CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')) to read application data, modify application data, read files or directories, or modify files or directories. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-99?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

What is the severity of CWE-99?

CWE-99 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVE.