CWE-179 Software Weakness Details

CWE-179

Name

Incorrect Behavior Order: Early Validation

Status

Incomplete

Published

2006-07-19
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Incorrect Behavior Order: Early Validation

The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.

CWE Description

Product needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that result in dangerous inputs that are produced by canonicalization and cleansing.

General Informations

Modes Of Introduction

Implementation : Since early validation errors usually arise from improperly implemented defensive mechanisms, it is likely that these will be introduced more frequently as secure programming becomes implemented more widely.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Access Control Integrity	Bypass Protection Mechanism, Execute Unauthorized Code or Commands Note: An attacker could include dangerous input that bypasses validation protection mechanisms which can be used to launch various attacks including injection attacks, execute arbitrary code or cause other unintended behavior.

Observed Examples

References	Description
CVE-2002-0433	Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character.
CVE-2003-0332	Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.
CVE-2002-0802	Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.
CVE-2000-0191	Overlaps "fakechild/../realchild"
CVE-2004-2363	Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed.
CVE-2002-0934	Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
CVE-2003-0282	Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

Potential Mitigations

Phases : Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-3	Using Leading 'Ghost' Character Sequences to Bypass Input Filters Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.
CAPEC-43	Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: --> --> . In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-71	Using Unicode Encoding to Bypass Validation Logic An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.

NotesNotes

These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.

References

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

Submission

Name	Organization	Date	Date release	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Potential_Mitigations, Time_of_Introduction
	Veracode	2008-08-15 +00:00	Suggested OWASP Top Ten 2004 mapping
CWE Content Team	MITRE	2008-09-08 +00:00	updated Modes_of_Introduction, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description
CWE Content Team	MITRE	2009-03-10 +00:00	updated Relationships
CWE Content Team	MITRE	2010-06-21 +00:00	updated Research_Gaps
CWE Content Team	MITRE	2011-03-29 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-01-19 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2020-06-25 +00:00	updated Demonstrative_Examples, Potential_Mitigations, Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes

CWE-179 Detail