CWE-76 Improper Neutralization of Special Elements
Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 2Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged input containing "special elements" (characters or sequences) that can change how another system interprets the input, often bypassing validation. Examples include ../, %2f, \0, quotes, wildcards, or control characters.
Why it matters
Special elements can alter parsing or execution.
- Traversal/escaping: special sequences can break out of intended directories or selectors.
- Injection bypass: special characters change the meaning of queries/filters (LDAP/XPath/SQL) or commands.
- Security control bypass when validators don't account for alternative encodings or equivalent representations.
Safer examples
1) Canonicalize then validate (decode once, normalize once)
Decode/normalize at the boundary and validate the canonical form (see CWE-116 / CWE-436).
2) Prefer allowlists for identifiers
import re
if not re.fullmatch(r"[a-zA-Z0-9_.-]{1,64}", name):
raise ValueError("Invalid name")
3) Don't "sanitize for everything"
Escaping rules are context-specific (HTML vs SQL vs LDAP vs XPath). Use the right encoder/escaping for the sink rather than a one-size-fits-all sanitizer.
How SiteShadow detects it (high level)
- Flags suspicious special sequences and control characters in security-sensitive flows (paths, queries, headers, redirects).
- Detects validation that happens before canonicalization/decoding and highlights bypass risk.
References
- CWE-76: https://cwe.mitre.org/data/definitions/76.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.