SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-76 Improper Neutralization of Special Elements

Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 2Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged input containing "special elements" (characters or sequences) that can change how another system interprets the input, often bypassing validation. Examples include ../, %2f, \0, quotes, wildcards, or control characters.

Why it matters

Special elements can alter parsing or execution.

Safer examples

1) Canonicalize then validate (decode once, normalize once)

Decode/normalize at the boundary and validate the canonical form (see CWE-116 / CWE-436).

2) Prefer allowlists for identifiers

import re

if not re.fullmatch(r"[a-zA-Z0-9_.-]{1,64}", name):
    raise ValueError("Invalid name")

3) Don't "sanitize for everything"

Escaping rules are context-specific (HTML vs SQL vs LDAP vs XPath). Use the right encoder/escaping for the sink rather than a one-size-fits-all sanitizer.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.