160 – Encode system outputs

Summary

The system output must be encoded in the corresponding language (escaping).

Description

System components use structured messages to communicate with other components. When these messages include input from untrusted sources and this input is not properly escaped, they become prone to the insertion of malicious commands. For this reason, encoding or escaping must occur before sending the messages.

Supported In

Advanced: True

References

• CAPEC-18. XSS targeting non-script elements
• CAPEC-19. Embedding scripts within scripts
• CAPEC-32. XSS through HTTP query strings
• CAPEC-48. Passing local filenames to functions that expect a URL
• CAPEC-130. Excessive allocation
• CAPEC-153. Input data manipulation
• CAPEC-240. Resource injection
• CAPEC-242. Code injection
• CAPEC-248. Command injection
• CWE-116. Improper encoding or escaping of output
• CWE-117. Improper output neutralization for logs
• CWE-173. Improper handling of alternate encoding
• OWASP10-A3. Injection
• OWASP10-A9. Security logging and monitoring failures
• CERTC-FIO30-C. Exclude user input from format strings
• MITRE-M1013. Application developer guidance
• PADSS-1_1_1. Do not store full contents of any track from the magnetic stripe
• PADSS-1_1_2. Do not store the card verification value or code used to verify transactions
• PADSS-5_2_1. Injection flaws, particularly SQL injection
• SANS25-2. Improper neutralization of input during web page generation (cross-site scripting)
• HITRUST-09_v. Electronic messaging
• HITRUST-10_e. Output data validation
• FEDRAMP-PE-16. Delivery and removal
• IEC62443-IAC-1_13. Access via untrusted networks
• WASC-W_22. Improper output handling
• PTES-6_2_1_1. Exploitation - Countermeasures (anti-virus encoding)
• MVSP-2_5. Application design controls - Security libraries
• OWASPSCP-2. Output encoding
• OWASPSCP-9. Communication security
• OWASPSCP-11. Database security
• OWASPSCP-13. Memory management
• BSAFSS-SC_3-2. Secure Coding (secure software against unsafe functions)
• BSAFSS-LO_2-4. Implement securely logging mechanisms
• ASVS-1_5_4. Input and output architecture
• ASVS-5_3_1. Output encoding and injection prevention
• OWASPAPI-API8. Security Misconfiguration
• CASA-1_5_4. Input and Output Architecture
• CASA-5_3_1. Output Encoding and Injection Prevention
• CWE25-79. Improper neutralization of input during web page generation (cross-site scripting)
• OWASPLLM-LLM01:2025. Prompt Injection
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

• 452 – Prompt injection

Last updated

2025/06/17