Incorrect Behavior Order: Early Validation| ID: 179 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software validates input before applying protection
mechanisms that modify the input, which could allow an attacker to bypass the
validation via dangerous inputs that only arise after the
modification.
Extended DescriptionSoftware needs to validate data at the proper time, after data has been
canonicalized and cleansed. Early validation is susceptible to various
manipulations that result in dangerous inputs that are produced by
canonicalization and cleansing.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_ControlIntegrity | Bypass protection
mechanismExecute unauthorized code or
commands | An attacker could include dangerous input that bypasses validation
protection mechanisms which can be used to launch various attacks
including injection attacks, execute arbitrary code or cause other
unintended behavior. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | Input Validation | Inputs should be decoded and canonicalized to the application's
current internal representation before being validated (CWE-180). Make
sure that the application does not decode the same input twice
(CWE-174). Such errors could be used to bypass whitelist validation
schemes by introducing dangerous inputs after they have been
checked. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-179 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code attempts to validate a given input path by
checking it against a whitelist and then return the canonical path. In this
specific case, the path is considered valid if it starts with the string
"/safe_dir/". (Demonstrative Example Id DX-35)
- This script creates a subdirectory within a user directory and sets
the user as the owner. (Demonstrative Example Id DX-36)
Observed Examples
- CVE-2002-0433 : Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character.
- CVE-2003-0332 : Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.
- CVE-2002-0802 : Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.
- CVE-2000-0191 : Overlaps "fakechild/../realchild"
- CVE-2004-2363 : Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed.
- CVE-2002-0934 : Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
- CVE-2003-0282 : Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Early Validation Errors | |
References:
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 8, "Escaping Metacharacters", Page
439.'. Published on 2006.
