
CWE-180 Individual Dictionary Definition (Draft 9)

Incorrect Behavior Order: Validate Before Canonicalize
Weakness ID: 180 (Weakness Variant)
Status: Draft

Description

Summary

Software "validates" data before it is canonicalized, which leaves it vulnerable to manipulations (alternate encodings, redundant path segments, and similar) that are only removed later, during canonicalization. Invalid data can thus escape detection, because the validator never sees the form that canonicalization produces afterwards.

Functional Area

Non-specific

Potential Mitigations

Validate data after attempts to canonicalize the resource name.
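The following Python snippet is an added illustration of the two orderings and is not part of the CWE entry. It puts a weak "validate, then canonicalize" routine beside the corrected "canonicalize, then validate" routine and runs both over constructed inputs modelled on the page's own observations: a hex-encoded forbidden character (the "%3E" case) and an encoded ".." segment (the "fakechild/../realchild" case). The resource prefix `public/`, the forbidden-character set and all sample paths are assumptions made for the demonstration.

```python
"""CWE-180 demonstration: validate-before-canonicalize vs. canonicalize-before-validate.

Added example, not from the CWE entry. The allowed prefix, the filter
rules and the sample inputs below are constructed for this illustration.
"""
from typing import Optional
from urllib.parse import unquote
import posixpath

FORBIDDEN_CHARS = set('<>"')   # literal characters the filter rejects (constructed rule)
ALLOWED_PREFIX = "public/"     # every resource must live under this prefix (constructed rule)


def canonicalize(path: str) -> str:
    """Percent-decode until the result is stable, then collapse '.' and '..' segments.

    The bounded loop also resolves double encoding such as '%253E' -> '%3E' -> '>'.
    """
    decoded = path
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # posixpath.normpath turns 'public/../private/x' into 'private/x' and
    # collapses repeated slashes; it is the canonical form we validate against.
    return posixpath.normpath(decoded)


def validate(path: str) -> bool:
    """Reject forbidden literal characters, '..' segments, and paths outside the prefix.

    The checks are reasonable on their own; the weakness is in *when* they run.
    """
    if any(ch in FORBIDDEN_CHARS for ch in path):
        return False
    if ".." in path.split("/"):
        return False
    return path.startswith(ALLOWED_PREFIX)


def validate_before_canonicalize(path: str) -> Optional[str]:
    """Weak order (CWE-180): the raw input is checked, then transformed.

    Returns the canonical path that would be used, or None if rejected.
    """
    if not validate(path):
        return None
    return canonicalize(path)


def canonicalize_before_validate(path: str) -> Optional[str]:
    """Correct order: transform first, then check the form that will actually be used."""
    canonical = canonicalize(path)
    if not validate(canonical):
        return None
    return canonical


if __name__ == "__main__":
    # Constructed sample inputs: a benign path, a hex-encoded '>', an encoded '..'
    # segment, and a double-encoded '>'.
    samples = [
        "public/index.html",
        "public/%3Ename",
        "public/%2e%2e/private/secret",
        "public/%253Ename",
    ]
    for raw in samples:
        weak = validate_before_canonicalize(raw)
        fixed = canonicalize_before_validate(raw)
        print(f"{raw!r:35} weak order -> {weak!r:25} correct order -> {fixed!r}")
```

With the weak ordering the encoded inputs pass the filter and are then decoded into exactly the forms the filter was meant to reject; with the corrected ordering the same inputs are canonicalized first and refused. Note that `canonicalize` bounds its decode loop so that a pathological input cannot keep the routine spinning, which is a separate concern from the ordering but worth keeping in any real implementation.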

Observed Examples
Reference       Description
CVE-2002-0433
CVE-2003-0332
CVE-2002-0802
CVE-2000-0191   Overlaps "fakechild/../realchild"
CVE-2004-2363   Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed.

Context Notes

This overlaps other categories.

Relationships
Nature     Type             ID    Name
ChildOf    Category         171   Cleansing, Canonicalization, and Comparison Errors
ChildOf    Weakness Class   693   Protection Mechanism Failure

Source Taxonomies

PLOVER - Validate-Before-Canonicalize

Applicable Platforms

All

Time of Introduction

Architecture and Design

Implementation

Related Attack Patterns
CAPEC-ID   Attack Pattern Name
80         Using UTF-8 Encoding to Bypass Validation Logic
79         Using Slashes in Alternate Encoding
71         Using Unicode Encoding to Bypass Validation Logic
3          Using Leading 'Ghost' Character Sequences to Bypass Input Filters
4          Using Alternative IP Address Encodings
78         Using Escaped Slashes in Alternate Encoding

Page Last Updated: April 21, 2008