Cleansing, Canonicalization, and Comparison Errors
Category ID: 171 (Category)
Status: Draft
+ Description

Description Summary

Weaknesses in this category are related to improper handling of data within protection mechanisms that attempt to perform sanity checks for untrusted data.
+ Applicable Platforms



+ Potential Mitigations

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid, expected and appropriate input is processed by the system. For example, valid input may be in the form of an absolute pathname(s). You can also limit pathnames to exist on selected drives, have the format specified to include only separator characters (forward or backward slashes) and alphanumeric characters, and follow a naming convention such as having a maximum of 32 characters followed by a '.' and ending with specified extensions.

Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function).
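The three mitigations above describe one ordered procedure: canonicalize the name first, then compare it against an allowed base location with a full (not prefix) comparison, then apply the character, length and extension rules. The following is an added example and not code from the CWE entry or from Howard and LeBlanc; it shows a raw-name check of the kind this category covers beside a check that canonicalizes before validating. The policy values (the base directory `/srv/app/uploads`, the extension set, the 32-character stem limit) are constructed for the example, POSIX path semantics are assumed, and `posixpath.normpath` is used for lexical canonicalization; on a real file system the caller would pass `os.path.realpath` as the `canonicalize` argument so that symbolic links are resolved as well.

```python
import posixpath
import re

# Constructed policy for this example (not part of CWE-171).
ALLOWED_BASE = "/srv/app/uploads"
ALLOWED_EXTENSIONS = {".txt", ".log"}
MAX_STEM_LEN = 32
# Only separators, '.' and alphanumerics are permitted in the canonical name.
SAFE_CHARS = re.compile(r"[A-Za-z0-9/.]+")


def validate_raw_name(path):
    """Flawed check: decides on the raw name with a prefix comparison.

    It never canonicalizes (CWE-180) and compares only a prefix (CWE-187),
    so '/srv/app/uploads/../x' and '/srv/app/uploads_old/x' both pass.
    """
    return path.startswith(ALLOWED_BASE)


def canonicalize_then_validate(path, canonicalize=posixpath.normpath):
    """Hardened check: canonicalize first, then validate every rule.

    canonicalize: function mapping a path to its canonical form. The default
    collapses '.', '..' and repeated separators lexically; pass
    os.path.realpath to also resolve symlinks against a live file system.
    """
    # Only absolute pathnames are accepted as valid input.
    if not posixpath.isabs(path):
        return False

    canon = canonicalize(path)
    base = canonicalize(ALLOWED_BASE)

    # Full path-component comparison: the canonical name must lie strictly
    # inside the base directory. commonpath works on components, so a
    # sibling such as '/srv/app/uploads_old' does not match.
    if canon == base or posixpath.commonpath([base, canon]) != base:
        return False

    # Character rule applied to the canonical form, not the raw input.
    if not SAFE_CHARS.fullmatch(canon):
        return False

    # Naming convention: <stem of at most 32 chars>.<allowed extension>
    stem, ext = posixpath.splitext(posixpath.basename(canon))
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if not (1 <= len(stem) <= MAX_STEM_LEN) or "." in stem:
        return False

    return True


if __name__ == "__main__":
    # Constructed sample names to compare the two checks.
    samples = [
        "/srv/app/uploads/report.txt",
        "/srv/app/uploads/./report.txt",
        "/srv/app/uploads/../../etc/passwd",
        "/srv/app/uploads_old/report.txt",
        "/srv/app/uploads/report.exe",
        "uploads/report.txt",
    ]
    for name in samples:
        print(f"{name!r:45} raw={validate_raw_name(name)!s:5} "
              f"canonical={canonicalize_then_validate(name)}")
```

The order of operations is the point: every rule in the hardened function runs on `canon`, the name the file system would actually use, so a check cannot be satisfied by one spelling of a name and then acted upon under another.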

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 137 | Representation Errors | Development Concepts (primary) 699
CanPrecede | Weakness Variant | 289 | Authentication Bypass by Alternate Name | Research Concepts 1000
ParentOf | Weakness Class | 172 | Encoding Error | Development Concepts (primary) 699
ParentOf | Weakness Base | 178 | Failure to Resolve Case Sensitivity | Development Concepts (primary) 699
ParentOf | Weakness Base | 179 | Incorrect Behavior Order: Early Validation | Development Concepts (primary) 699
ParentOf | Weakness Base | 180 | Incorrect Behavior Order: Validate Before Canonicalize | Development Concepts (primary) 699
ParentOf | Weakness Base | 181 | Incorrect Behavior Order: Validate Before Filter | Development Concepts (primary) 699
ParentOf | Weakness Base | 182 | Collapse of Data Into Unsafe Value | Development Concepts (primary) 699
ParentOf | Weakness Base | 183 | Permissive Whitelist | Development Concepts (primary) 699
ParentOf | Weakness Base | 184 | Incomplete Blacklist | Development Concepts (primary) 699
ParentOf | Weakness Class | 185 | Incorrect Regular Expression | Development Concepts (primary) 699
ParentOf | Weakness Base | 187 | Partial Comparison | Development Concepts (primary) 699
ParentOf | Weakness Variant | 478 | Missing Default Case in Switch Statement | Development Concepts 699
ParentOf | Weakness Variant | 486 | Comparison of Classes by Name | Development Concepts 699
ParentOf | Weakness Base | 595 | Comparison of Object References Instead of Object Contents | Development Concepts 699
ParentOf | Weakness Base | 596 | Incorrect Semantic Object Comparison | Development Concepts 699
ParentOf | Weakness Class | 697 | Insufficient Comparison | Development Concepts (primary) 699
ParentOf | Weakness Variant | 768 | Incorrect Short Circuit Evaluation | Development Concepts (primary) 699
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Cleansing, Canonicalization, and Comparison Errors
+ Related Attack Patterns
(CAPEC Version: 1.4)
CAPEC-ID | Attack Pattern Name
3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters
43 | Exploiting Multiple Input Interpretation Layers
52 | Embedding NULL Bytes
53 | Postfix, Null Terminate, and Backslash
64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic
72 | URL Encoding
78 | Using Escaped Slashes in Alternate Encoding
79 | Using Slashes in Alternate Encoding
71 | Using Unicode Encoding to Bypass Validation Logic
80 | Using UTF-8 Encoding to Bypass Validation Logic
+ References
M. Howard and D. LeBlanc. "Writing Secure Code". 2nd Edition. Microsoft. 2003.
+ Content History
Submission Date | Submitter | Organization | Source
| PLOVER | | Externally Mined
Modification Date | Modifier | Organization | Source
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Relationships, Taxonomy Mappings
2009-05-27 | CWE Content Team | MITRE | Internal
  updated Relationships
2009-12-28 | CWE Content Team | MITRE | Internal
  updated Applicable Platforms