CWE-76 Improper Neutralization of Special Elements
What this means
SiteShadow flagged input containing "special elements" (characters or sequences) that can change how another system interprets the input—often bypassing validation. Examples include ../, %2f, \0, quotes, wildcards, or control characters.
Why it matters
Special elements can alter parsing or execution.
- Traversal/escaping: special sequences can break out of intended directories or selectors.
- Injection bypass: special characters change the meaning of queries/filters (LDAP/XPath/SQL) or commands.
- Control bypass: validators that don't account for alternative encodings or equivalent representations (percent-encoding, double encoding, Unicode look-alikes) can be evaded.
Safer examples
1) Canonicalize then validate (decode once, normalize once)
Decode/normalize at the boundary and validate the canonical form (see CWE-116 / CWE-436).
2) Prefer allowlists for identifiers
import re
# Reject anything outside a small, explicit character set; check the length too.
if not re.fullmatch(r"[a-zA-Z0-9_.-]{1,64}", name):
    raise ValueError("Invalid name")
3) Don't "sanitize for everything"
Escaping rules are context-specific (HTML vs SQL vs LDAP vs XPath). Use the right encoder/escaping for the sink rather than a one-size-fits-all sanitizer.
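The following is an added example (not SiteShadow's own code) that puts steps 1) and 2) together for a file-name parameter: percent-decode once, normalize once, reject leftover encoding and control characters, then apply the allowlist and finally confine the result to a base directory. A deliberately mis-ordered variant, naive_lookup, validates the raw string and decodes afterwards, which is the pattern SiteShadow's second detection rule flags. All function names and the /srv/uploads base path are assumptions made for the example.

```python
import re
import unicodedata
from pathlib import Path
from urllib.parse import unquote

# Allowlist for identifiers (same pattern as the page's step 2).
NAME_RE = re.compile(r"[a-zA-Z0-9_.-]{1,64}")


def canonicalize(raw: str) -> str:
    """Decode once, normalize once; reject input that still looks encoded."""
    decoded = unquote(raw)            # single percent-decode at the boundary
    if "%" in decoded:                # a second encoding layer means double encoding
        raise ValueError("double-encoded input")
    normalized = unicodedata.normalize("NFKC", decoded)  # e.g. fullwidth '/' -> '/'
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in normalized):
        raise ValueError("control character in input")   # catches NUL from %00
    return normalized


def validate_name(raw: str) -> str:
    """Canonicalize first, then check the canonical form against the allowlist."""
    canonical = canonicalize(raw)
    if not NAME_RE.fullmatch(canonical) or canonical in (".", ".."):
        raise ValueError("Invalid name")
    return canonical


def resolve_under(base: Path, raw: str) -> Path:
    """Defense in depth: even a validated name must resolve directly under base."""
    target = (base / validate_name(raw)).resolve()
    if target.parent != base.resolve():
        raise ValueError("path escapes base directory")
    return target


def naive_lookup(raw: str) -> str:
    """Vulnerable ordering kept for contrast: validate the raw string, decode later.
    The check never sees the '..' and '/' that unquote() produces afterwards."""
    if ".." in raw or "/" in raw or "\\" in raw:
        raise ValueError("Invalid name")
    return unquote(raw)               # decoding after validation reintroduces the sequence


def is_rejected(raw: str) -> bool:
    """Helper for demonstrating which inputs the safe path refuses."""
    try:
        validate_name(raw)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and several special-element probes.
    samples = ["report-2024.txt", "%2e%2e%2fetc", "..", "a%00b", "%252e%252e", "a\uff0fb"]
    for sample in samples:
        print(f"{sample!r:20} safe-path rejected={is_rejected(sample)}")
    print("naive_lookup('%2e%2e%2fetc') ->", repr(naive_lookup("%2e%2e%2fetc")))
```

The benign name passes; the traversal probe, the bare "..", the embedded NUL, the double-encoded form and the fullwidth slash are all refused on the safe path, while naive_lookup hands "../etc" to its caller because its check ran before decoding.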
How SiteShadow detects it (high level)
- Flags suspicious special sequences and control characters in security-sensitive flows (paths, queries, headers, redirects).
- Detects validation that happens before canonicalization/decoding and highlights bypass risk.
References
- CWE-76: https://cwe.mitre.org/data/definitions/76.html