CWE-20 Improper Input Validation – Detailed Weakness Analysis

Explore CAPEC attack patterns referencing this CWE.

What is CWE (Common Weakness Enumeration)?

The Common Weakness Enumeration (CWE) is a community-developed list of common software and hardware weaknesses. By identifying these weaknesses, developers and security practitioners can prioritize and address potential vulnerabilities early in the development cycle. Explore our comprehensive CWE list below to better understand and mitigate common security issues.

CAPEC Patterns referencing CWE-20

Below is a list of CAPEC attack patterns associated with this CWE-20. Click on each CAPEC to learn more. The right column shows the related weaknesses (including this one).

CAPEC Related Weaknesses
Buffer Overflow via Environment Variables
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-99 Improper Control of Resource Identifiers ('Resource Injection')
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-302 Authentication Bypass by Assumed-Immutable Data
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
CWE-733 Compiler Optimization Removal or Modification of Security-critical Code
Server Side Include (SSI) Injection
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Cross Zone Scripting
CWE-20 Improper Input Validation
CWE-116 Improper Encoding or Escaping of Output
CWE-250 Execution with Unnecessary Privileges
CWE-285 Improper Authorization
CWE-638 Not Using Complete Mediation
Command Line Execution through SQL Injection
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-114 Process Control
Object Relational Mapping Injection
CWE-20 Improper Input Validation
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-564 SQL Injection: Hibernate
SQL Injection through SOAP Parameter Tampering
CWE-20 Improper Input Validation
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Double Encoding
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-177 Improper Handling of URL Encoding (Hex Encoding)
CWE-181 Incorrect Behavior Order: Validate Before Filter
CWE-183 Permissive List of Allowed Inputs
CWE-184 Incomplete List of Disallowed Inputs
CWE-692 Incomplete Denylist to Cross-Site Scripting
CWE-697 Incorrect Comparison
Subverting Environment Variable Values
CWE-15 External Control of System or Configuration Setting
CWE-20 Improper Input Validation
CWE-73 External Control of File Name or Path
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-285 Improper Authorization
CWE-302 Authentication Bypass by Assumed-Immutable Data
CWE-353 Missing Support for Integrity Check
Format String Injection
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-134 Use of Externally-Controlled Format String
LDAP Injection
CWE-20 Improper Input Validation
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Client-side Injection-induced Buffer Overflow
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-353 Missing Support for Integrity Check
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
Input Data Manipulation
CWE-20 Improper Input Validation
Flash Injection
CWE-20 Improper Input Validation
CWE-184 Incomplete List of Disallowed Inputs
CWE-697 Incorrect Comparison
XSS Using MIME Type Mismatch
CWE-20 Improper Input Validation
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-646 Reliance on File Name or Extension of Externally-Supplied File
Exploiting Trust in Client
CWE-20 Improper Input Validation
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-287 Improper Authentication
CWE-290 Authentication Bypass by Spoofing
CWE-693 Protection Mechanism Failure
File Content Injection
CWE-20 Improper Input Validation
Serialized Data with Nested Payloads
CWE-20 Improper Input Validation
CWE-112 Missing XML Validation
CWE-674 Uncontrolled Recursion
CWE-770 Allocation of Resources Without Limits or Throttling
Oversized Serialized Data Payloads
CWE-20 Improper Input Validation
CWE-112 Missing XML Validation
CWE-674 Uncontrolled Recursion
CWE-770 Allocation of Resources Without Limits or Throttling
Filter Failure through Buffer Overflow
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
CWE-733 Compiler Optimization Removal or Modification of Security-critical Code
XML Injection
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-91 XML Injection (aka Blind XPath Injection)
CWE-707 Improper Neutralization
Fuzzing for garnering other adjacent user/sensitive data
CWE-20 Improper Input Validation
Leverage Alternate Encoding
CWE-20 Improper Input Validation
CWE-73 External Control of File Name or Path
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-181 Incorrect Behavior Order: Validate Before Filter
CWE-692 Incomplete Denylist to Cross-Site Scripting
CWE-697 Incorrect Comparison
Fuzzing
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CWE-20 Improper Input Validation
CWE-41 Improper Resolution of Path Equivalence
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-179 Incorrect Behavior Order: Early Validation
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-181 Incorrect Behavior Order: Validate Before Filter
CWE-183 Permissive List of Allowed Inputs
CWE-184 Incomplete List of Disallowed Inputs
CWE-697 Incorrect Comparison
CWE-707 Improper Neutralization
Accessing/Intercepting/Modifying HTTP Cookies
CWE-20 Improper Input Validation
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-302 Authentication Bypass by Assumed-Immutable Data
CWE-311 Missing Encryption of Sensitive Data
CWE-315 Cleartext Storage of Sensitive Information in a Cookie
CWE-384 Session Fixation
CWE-472 External Control of Assumed-Immutable Web Parameter
CWE-539 Use of Persistent Cookies Containing Sensitive Information
CWE-565 Reliance on Cookies without Validation and Integrity Checking
CWE-602 Client-Side Enforcement of Server-Side Security
CWE-642 External Control of Critical State Data
MIME Conversion
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Exploiting Multiple Input Interpretation Layers
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-179 Incorrect Behavior Order: Early Validation
CWE-181 Incorrect Behavior Order: Validate Before Filter
CWE-183 Permissive List of Allowed Inputs
CWE-184 Incomplete List of Disallowed Inputs
CWE-697 Incorrect Comparison
CWE-707 Improper Neutralization
Buffer Overflow via Symbolic Links
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-285 Improper Authorization
CWE-302 Authentication Bypass by Assumed-Immutable Data
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
Overflow Variables and Tags
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
CWE-733 Compiler Optimization Removal or Modification of Security-critical Code
Buffer Overflow via Parameter Expansion
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-130 Improper Handling of Length Parameter Inconsistency
CWE-131 Incorrect Calculation of Buffer Size
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
Signature Spoof
CWE-20 Improper Input Validation
CWE-290 Authentication Bypass by Spoofing
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Embedding NULL Bytes
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-158 Improper Neutralization of Null Byte or NUL Character
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-697 Incorrect Comparison
CWE-707 Improper Neutralization
Postfix, Null Terminate, and Backslash
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-158 Improper Neutralization of Null Byte or NUL Character
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-697 Incorrect Comparison
CWE-707 Improper Neutralization
DOM-Based XSS
CWE-20 Improper Input Validation
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-83 Improper Neutralization of Script in Attributes in a Web Page
Cross-Site Scripting (XSS)
CWE-20 Improper Input Validation
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Using Slashes and URL Encoding Combined to Bypass Validation Logic
CWE-20 Improper Input Validation
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 External Control of File Name or Path
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-177 Improper Handling of URL Encoding (Hex Encoding)
CWE-697 Incorrect Comparison
CWE-707 Improper Neutralization
Server Side Request Forgery
CWE-20 Improper Input Validation
CWE-918 Server-Side Request Forgery (SSRF)
String Format Overflow in syslog()
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-134 Use of Externally-Controlled Format String
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
Blind SQL Injection
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-209 Generation of Error Message Containing Sensitive Information
CWE-697 Incorrect Comparison
CWE-707 Improper Neutralization
Using Unicode Encoding to Bypass Validation Logic
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-176 Improper Handling of Unicode Encoding
CWE-179 Incorrect Behavior Order: Early Validation
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-183 Permissive List of Allowed Inputs
CWE-184 Incomplete List of Disallowed Inputs
CWE-692 Incomplete Denylist to Cross-Site Scripting
CWE-697 Incorrect Comparison
URL Encoding
CWE-20 Improper Input Validation
CWE-73 External Control of File Name or Path
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-177 Improper Handling of URL Encoding (Hex Encoding)
User-Controlled Filename
CWE-20 Improper Input Validation
CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-116 Improper Encoding or Escaping of Output
CWE-184 Incomplete List of Disallowed Inputs
CWE-348 Use of Less Trusted Source
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-697 Incorrect Comparison
Using Escaped Slashes in Alternate Encoding
CWE-20 Improper Input Validation
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 External Control of File Name or Path
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-181 Incorrect Behavior Order: Validate Before Filter
CWE-697 Incorrect Comparison
CWE-707 Improper Neutralization
Using Slashes in Alternate Encoding
CWE-20 Improper Input Validation
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 External Control of File Name or Path
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-173 Improper Handling of Alternate Encoding
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-181 Incorrect Behavior Order: Validate Before Filter
CWE-185 Incorrect Regular Expression
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-697 Incorrect Comparison
CWE-707 Improper Neutralization
Buffer Overflow in an API Call
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
CWE-733 Compiler Optimization Removal or Modification of Security-critical Code
Using UTF-8 Encoding to Bypass Validation Logic
CWE-20 Improper Input Validation
CWE-73 External Control of File Name or Path
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-181 Incorrect Behavior Order: Validate Before Filter
CWE-692 Incomplete Denylist to Cross-Site Scripting
CWE-697 Incorrect Comparison
Web Server Logs Tampering
CWE-20 Improper Input Validation
CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-116 Improper Encoding or Escaping of Output
CWE-117 Improper Output Neutralization for Logs
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences
CWE-221 Information Loss or Omission
CWE-276 Incorrect Default Permissions
CWE-279 Incorrect Execution-Assigned Permissions
XPath Injection
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-91 XML Injection (aka Blind XPath Injection)
CWE-707 Improper Neutralization
AJAX Footprinting
CWE-20 Improper Input Validation
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-116 Improper Encoding or Escaping of Output
CWE-184 Incomplete List of Disallowed Inputs
CWE-348 Use of Less Trusted Source
CWE-692 Incomplete Denylist to Cross-Site Scripting
OS Command Injection
CWE-20 Improper Input Validation
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-697 Incorrect Comparison
Buffer Overflow in Local Command-Line Utilities
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-118 Incorrect Access of Indexable Resource ('Range Error')
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-680 Integer Overflow to Buffer Overflow
CWE-697 Incorrect Comparison
CWE-733 Compiler Optimization Removal or Modification of Security-critical Code

About CWE-20: Improper Input Validation

CWE-20 is one of the established Common Weakness Enumerations that identifies a specific type of vulnerability in software. Detailed analysis of CWE-20 helps organizations understand the risks associated with this weakness and implement effective countermeasures.

Explore related attack patterns, best practices, and expert recommendations on this page. By understanding CWE-20, you can enhance your security posture and better protect your applications against exploitation.