VOOZH about

URL: https://cwe.mitre.org/data/definitions/96.html

⇱ CWE - CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') (4.20)

👁 CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

👁 New to CWE? click here!
👁 CWE Most Important Hardware Weaknesses
👁 CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') (4.20)  
CWE Glossary Definition
 👁 x

CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Weakness ID: 96
Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities
Abstraction: Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
View customized information:
For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.
×

Edit Custom Filter


👁 +
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
👁 +
Common Consequences
👁 Section Help
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Impact Details

Read Files or Directories; Read Application Data

Scope: Confidentiality
The injected code could access restricted data / files.

Bypass Protection Mechanism

Scope: Access Control
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Gain Privileges or Assume Identity

Scope: Access Control
Injected code can access resources that the attacker is directly prevented from accessing.

Execute Unauthorized Code or Commands

Scope: Integrity, Confidentiality, Availability, Other
Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.

Hide Activities

Scope: Non-Repudiation
Often the actions performed by injected control code are unlogged.
👁 +
Potential Mitigations
Phase(s) Mitigation

Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Implementation

Strategy: Output Encoding

Perform proper output validation and escaping to neutralize all code syntax from data written to code files.
👁 +
 Relationships
👁 Section Help
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
👁 +
Relevant to the view "Research Concepts" (View-1000)
Nature Type ID Name
ChildOf 👁 Base
Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 		94 Improper Control of Generation of Code ('Code Injection')
ParentOf 👁 Variant
Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. 		97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
👁 +
Relevant to the view "Architectural Concepts" (View-1008)
Nature Type ID Name
MemberOf 👁 Category
Category - a CWE entry that contains a set of other entries that share a common characteristic. 		1019 Validate Inputs
👁 +
Modes Of Introduction
👁 Section Help
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
Phase Note
Implementation REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Implementation This issue is frequently found in PHP applications that allow users to set configuration variables that are stored within executable PHP files. Technically, this could also be performed in some compiled code (e.g., by byte-patching an executable), although it is highly unlikely.
👁 +
Applicable Platforms
👁 Section Help
This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
Languages

PHP (Undetermined Prevalence)

Perl (Undetermined Prevalence)

Class: Interpreted (Undetermined Prevalence)

👁 +
Demonstrative Examples

Example 1


This example attempts to write user messages to a message file and allow users to view them.

(bad code)
Example Language: PHP 
$MessageFile = "messages.out";
if ($_GET["action"] == "NewMessage") {
$name = $_GET["name"];
$message = $_GET["message"];
$handle = fopen($MessageFile, "a+");
fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
fclose($handle);
echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
include($MessageFile);
}

While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:

(attack code)
name=h4x0r
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E

which will decode to the following:

(attack code)
<?php system("/bin/ls -l");?>

The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages.

Notice that XSS (CWE-79) is also possible in this situation.



👁 +
Selected Observed Examples

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Reference Description
Perl code directly injected into CGI library file from parameters to another CGI program.
Direct PHP code injection into supporting template file.
Direct code injection into PHP script that can be accessed by attacker.
PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.
chain: execution after redirect allows non-administrator to perform static code injection.
👁 +
Weakness Ordinalities
Ordinality Description
Primary
(where the weakness exists independent of other weaknesses)
👁 +
Detection Methods
Method Details

Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
👁 +
Affected Resources
  • File or Directory
👁 +
Memberships
👁 Section Help
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Nature Type ID Name
MemberOf 👁 View
View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).		 884 CWE Cross-section
MemberOf 👁 Category
Category - a CWE entry that contains a set of other entries that share a common characteristic.		 990 SFP Secondary Cluster: Tainted Input to Command
MemberOf 👁 Category
Category - a CWE entry that contains a set of other entries that share a common characteristic.		 1347 OWASP Top Ten 2021 Category A03:2021 - Injection
MemberOf 👁 Category
Category - a CWE entry that contains a set of other entries that share a common characteristic.		 1409 Comprehensive Categorization: Injection
MemberOf 👁 Category
Category - a CWE entry that contains a set of other entries that share a common characteristic.		 1440 OWASP Top Ten 2025 Category A05:2025 - Injection
👁 +
Vulnerability Mapping Notes
Usage ALLOWED
(this CWE ID may be used to map to real-world vulnerabilities)
Reason Acceptable-Use

Rationale

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
👁 +
Notes

Relationship

"HTML injection" (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.
👁 +
Taxonomy Mappings
Mapped Taxonomy Name Node ID Fit Mapped Node Name
PLOVER Direct Static Code Injection
Software Fault Patterns SFP24 Tainted Input to Command
👁 +
Content History
👁 +
Submissions
Submission Date Submitter Organization
2006-07-19
(CWE Draft 3, 2006-07-19) 		PLOVER
👁 +
Modifications
Modification Date Modifier Organization
2025-12-11
(CWE 4.19, 2025-12-11) 		CWE Content Team MITRE
updated Detection_Factors, Relationships
2023-06-29
(CWE 4.12, 2023-06-29) 		CWE Content Team MITRE
updated Mapping_Notes
2023-04-27
(CWE 4.11, 2023-04-27) 		CWE Content Team MITRE
updated Modes_of_Introduction, Relationships, Time_of_Introduction
2023-01-31
(CWE 4.10, 2023-01-31) 		CWE Content Team MITRE
updated Description
2022-10-13
(CWE 4.9, 2022-10-13) 		CWE Content Team MITRE
updated Relationships, Taxonomy_Mappings
2021-10-28
(CWE 4.6, 2021-10-28) 		CWE Content Team MITRE
updated Relationships
2021-03-15
(CWE 4.4, 2021-03-15) 		CWE Content Team MITRE
updated Demonstrative_Examples
2020-06-25
(CWE 4.1, 2020-06-25) 		CWE Content Team MITRE
updated Potential_Mitigations
2020-02-24
(CWE 4.0, 2020-02-24) 		CWE Content Team MITRE
updated Potential_Mitigations, Relationships, Taxonomy_Mappings
2017-11-08
(CWE 3.0, 2017-11-08) 		CWE Content Team MITRE
updated Affected_Resources, Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships
2017-05-03
(CWE 2.11, 2017-05-05) 		CWE Content Team MITRE
updated Related_Attack_Patterns
2014-07-30
(CWE 2.8, 2014-07-31) 		CWE Content Team MITRE
updated Relationships, Taxonomy_Mappings
2014-06-23
(CWE 2.7, 2014-06-23) 		CWE Content Team MITRE
updated Enabling_Factors_for_Exploitation, Other_Notes, Relationship_Notes
2013-02-21
(CWE 2.4, 2013-02-21) 		CWE Content Team MITRE
updated Observed_Examples
2012-10-30
(CWE 2.3, 2012-10-30) 		CWE Content Team MITRE
updated Potential_Mitigations
2012-05-11
(CWE 2.2, 2012-05-15) 		CWE Content Team MITRE
updated Common_Consequences, Demonstrative_Examples, Relationships
2011-06-01
(CWE 1.13, 2011-06-01) 		CWE Content Team MITRE
updated Common_Consequences
2010-06-21
(CWE 1.9, 2010-06-21) 		CWE Content Team MITRE
updated Potential_Mitigations
2010-04-05
(CWE 1.8.1, 2010-04-05) 		CWE Content Team MITRE
updated Description, Name
2009-05-27
(CWE 1.4, 2009-05-27) 		CWE Content Team MITRE
updated Description, Name
2008-09-08
(CWE 1.0, 2008-09-09) 		CWE Content Team MITRE
updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-07-01
(CWE 1.0, 2008-09-09) 		Eric Dalci Cigital
updated Potential_Mitigations, Time_of_Introduction
👁 +
Previous Entry Names
Change Date Previous Entry Name
2010-04-05 Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')
2009-05-27 Insufficient Control of Directives in Statically Saved Code (Static Code Injection)
2008-04-11 Direct Static Code Injection
More information is available — Please edit the custom filter or select a different filter.
Page Last Updated: April 30, 2026

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2026, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.