Incorrect Behavior Order: Validate Before Canonicalize| ID: 180 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software validates input before it is canonicalized, which
prevents the software from detecting data that becomes invalid after the
canonicalization step.
Extended DescriptionThis can be used by an attacker to bypass the validation and launch
attacks that expose weaknesses that would otherwise be prevented, such as
injection.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanism | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | Input Validation | Inputs should be decoded and canonicalized to the application's
current internal representation before being validated (CWE-180). Make
sure that the application does not decode the same input twice
(CWE-174). Such errors could be used to bypass whitelist validation
schemes by introducing dangerous inputs after they have been
checked. | | |
RelationshipsThis overlaps other categories.
| Related CWE | Type | View | Chain |
|---|
| CWE-180 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code attempts to validate a given input path by
checking it against a whitelist and then return the canonical path. In this
specific case, the path is considered valid if it starts with the string
"/safe_dir/". (Demonstrative Example Id DX-35)
Observed Examples
- CVE-2002-0433 : Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character.
- CVE-2003-0332 : Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.
- CVE-2002-0802 : Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.
- CVE-2000-0191 : Overlaps "fakechild/../realchild"
- CVE-2004-2363 : Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Validate-Before-Canonicalize | |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE_More_Specific |
| CERT Java Secure Coding | IDS01-J | Normalize strings before validating them | |
References:None
