CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-181: Incorrect Behavior Order: Validate Before Filter

 
Incorrect Behavior Order: Validate Before Filter
Weakness ID: 181 (Weakness Base)Status: Draft
+ Description

Description Summary

The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step.

Extended Description

This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.

+ Alternate Terms
Validate-before-cleanse
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Access Control

Technical Impact: Bypass protection mechanism

+ Demonstrative Examples

Example 1

This script creates a subdirectory within a user directory and sets the user as the owner.

(Bad Code)
Example Language: PHP 
function createDir($userName,$dirName){
$userDir = '/users/'. $userName;
if(strpos($dirName,'..') !== false){
echo 'Directory name contains invalid sequence';
return;
}
//filter out '~' because other scripts identify user directories by this prefix
$dirName = str_replace('~','',$dirName);
$newDir = $userDir . $dirName;
mkdir($newDir, 0700);
chown($newDir,$userName);
}

While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur.

+ Observed Examples
ReferenceDescription
Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
+ Potential Mitigations

Phases: Implementation; Architecture and Design

Inputs should be decoded and canonicalized to the application's current internal representation before being filtered.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory171Cleansing, Canonicalization, and Comparison Errors
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base179Incorrect Behavior Order: Early Validation
Research Concepts (primary)1000
ChildOfCategoryCategory722OWASP Top Ten 2004 Category A1 - Unvalidated Input
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory992SFP Secondary Cluster: Faulty Input Transformation
Software Fault Pattern (SFP) Clusters (primary)888
+ Research Gaps

This category is probably under-studied.

+ Functional Areas
  • Protection Mechanism
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERValidate-Before-Filter
OWASP Top Ten 2004A1CWE More SpecificUnvalidated Input
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-08-15VeracodeExternal
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITREInternal
updated Functional_Areas, Relationships, Research_Gaps, Taxonomy_Mappings, Type
2008-10-14CWE Content TeamMITREInternal
updated Description
2010-06-21CWE Content TeamMITREInternal
updated Description, Observed_Examples
2011-03-29CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Validate-before-filter
Page Last Updated: July 30, 2014