CWE-86 Invalid Characters in Identifiers
Coverage: 1 rule in the SiteShadow rule registry targets this CWE (registry v2.0.0). Regex 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged identifiers (filenames, IDs, usernames, resource names) containing unexpected characters that can bypass validation or change interpretation (path separators, control chars, quotes).
Why it matters
Invalid characters can enable injection or path manipulation.
- Traversal and path tricks:
../,..\\,%2f, null bytes, etc. - Header/URL manipulation when control characters like CRLF are present.
- Confusable bypasses: normalization issues allow "same but different" identifiers.
Safer examples
1) Validate with allowlists (recommended)
import re
if not re.fullmatch(r"[a-zA-Z0-9_.-]{1,64}", identifier):
raise ValueError("Invalid identifier")
2) Normalize before validating
Normalize Unicode and URL-decode once (carefully) before applying allowlists.
3) Reject control characters outright
Reject \r, \n, null bytes, and other control characters for identifiers.
How SiteShadow detects it (high level)
- Flags identifiers used in security-sensitive contexts (paths, headers, redirects) without strict allowlists.
- Detects suspicious character classes and normalization/decoding pitfalls.
References
- CWE-86: https://cwe.mitre.org/data/definitions/86.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.