Improper Handling of Unicode Encoding| ID: 176 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
The software does not properly handle when an input contains
Unicode encoding.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Integrity | Unexpected state | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | Input Validation | Avoid making decisions based on names of resources (e.g. files) if
those resources can have alternate names. | | |
| Implementation | Input Validation | Assume all input is malicious. Use an "accept known good" input
validation strategy, i.e., use a whitelist of acceptable inputs that
strictly conform to specifications. Reject any input that does not
strictly conform to specifications, or transform it into something that
does.When performing input validation, consider all potentially relevant
properties, including length, type of input, the full range of
acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of
business rule logic, "boat" may be syntactically valid because it only
contains alphanumeric characters, but it is not valid if the input is
only expected to contain colors such as "red" or "blue."Do not rely exclusively on looking for malicious or malformed inputs
(i.e., do not rely on a blacklist). A blacklist is likely to miss at
least one undesirable input, especially if the code's environment
changes. This can give attackers enough room to bypass the intended
validation. However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be
rejected outright. | | |
| Implementation | Input Validation | Inputs should be decoded and canonicalized to the application's
current internal representation before being validated (CWE-180). Make
sure that the application does not decode the same input twice
(CWE-174). Such errors could be used to bypass whitelist validation
schemes by introducing dangerous inputs after they have been
checked. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-176 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- Windows provides the MultiByteToWideChar(), WideCharToMultiByte(),
UnicodeToBytes(), and BytesToUnicode() functions to convert between
arbitrary multibyte (usually ANSI) character strings and Unicode (wide
character) strings. The size arguments to these functions are specified in
different units, (one in bytes, the other in characters) making their use
prone to error.
Observed Examples
- CVE-2000-0884 : Server allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain Unicode encoded characters.
- CVE-2001-0709 : Server allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode.
- CVE-2001-0669 : Overlaps interaction error.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Unicode Encoding | |
| CERT C Secure Coding | MSC10-C | Character Encoding - UTF8 Related Issues | |
| CERT C++ Secure Coding | MSC10-CPP | Character Encoding - UTF8 Related Issues | |
References:
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 8, "Character Sets and Unicode", Page
446.'. Published on 2006.
