Incorrect Behavior Order: Validate Before Filter| ID: 181 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software validates data before it has been filtered, which
prevents the software from detecting data that becomes invalid after the
filtering step.
Extended DescriptionThis can be used by an attacker to bypass the validation and launch
attacks that expose weaknesses that would otherwise be prevented, such as
injection.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanism | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| ImplementationArchitecture and Design | | Inputs should be decoded and canonicalized to the application's
current internal representation before being filtered. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-181 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This script creates a subdirectory within a user directory and sets
the user as the owner. (Demonstrative Example Id DX-36)
Observed Examples
- CVE-2002-0934 : Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
- CVE-2003-0282 : Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Validate-Before-Filter | |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE_More_Specific |
References:None
