ByteOS Network

CWE-235:Improper Handling of Extra Parameters

Weakness ID:235

Version:v4.17

Weakness Name:Improper Handling of Extra Parameters

Vulnerability Mapping:Allowed

Abstraction:Variant

Structure:Simple

Status:Draft

Details Content History Observed CVE Examples Reports

▼Description

The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

▼Relationships

Relevant to the view"Research Concepts - (1000)"

Nature	Mapping	Type	ID	Name
ChildOf	Allowed	B	233	Improper Handling of Parameters

Nature: ChildOf

Mapping: Allowed

Type: Base

ID: 233

Name: Improper Handling of Parameters

▼Memberships

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	993	SFP Secondary Cluster: Incorrect Input Handling
MemberOf	Prohibited	C	1348	OWASP Top Ten 2021 Category A04:2021 - Insecure Design
MemberOf	Prohibited	C	1407	Comprehensive Categorization: Improper Neutralization

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 993

Name: SFP Secondary Cluster: Incorrect Input Handling

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 1348

Name: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 1407

Name: Comprehensive Categorization: Improper Neutralization

▼Tags

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	BS	BOSS-294	Not Language-Specific Weaknesses
MemberOf	Prohibited	BS	BOSS-315	Unexpected State (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-294

Name: Not Language-Specific Weaknesses

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-315

Name: Unexpected State (impact)

▼Relevant To View

Relevant to the view"OWASP Top Ten (2021) - (1344)"

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	1348	OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Nature: MemberOf

Mapping: Prohibited

Type: Category

ID: 1348

Name: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	993	SFP Secondary Cluster: Incorrect Input Handling

Nature: MemberOf

Mapping: Prohibited

Type: Category

ID: 993

Name: SFP Secondary Cluster: Incorrect Input Handling

▼Common Consequences

Scope	Likelihood	Impact	Note
Integrity	N/A	Unexpected State	N/A

Scope: Integrity

Likelihood: N/A

Impact: Unexpected State

Note:

N/A

▼Modes Of Introduction

Phase: Implementation

Note:

This typically occurs in situations when only one element is expected to be specified.

▼Applicable Platforms

Languages

Class: Not Language-Specific(Undetermined Prevalence)

▼Observed Examples

Reference	Description
CVE-2003-1014	MIE. multiple gateway/security products allow restriction bypass using multiple MIME fields with the same name, which are interpreted differently by clients.

Reference: CVE-2003-1014

Description:

MIE. multiple gateway/security products allow restriction bypass using multiple MIME fields with the same name, which are interpreted differently by clients.

▼Vulnerability Mapping Notes

Usage:Allowed

Reason:Acceptable-Use

Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Notes

Relationship

This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.

▼Taxonomy Mappings

Taxonomy Name	Entry ID	Fit	Entry Name
PLOVER	N/A	N/A	Extra Parameter Error

Taxonomy Name: PLOVER

Entry ID: N/A

Fit: N/A

Entry Name: Extra Parameter Error

▼Related Attack Patterns

ID	Name
CAPEC-460	HTTP Parameter Pollution (HPP)

ID: CAPEC-460

Name: HTTP Parameter Pollution (HPP)