Encoding Error |
Weakness ID: 172 (Weakness Class) | Status: Draft |
Description Summary
Phase: Architecture and Design Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. |
Use and specify a strong output encoding (such as ISO 8859-1 or UTF 8). |
Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants. |
Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 171 | Cleansing, Canonicalization, and Comparison Errors | Development Concepts (primary)699 |
ChildOf | Weakness Class | 707 | Improper Enforcement of Message or Data Structure | Research Concepts (primary)1000 |
CanPrecede | Weakness Class | 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Research Concepts1000 |
CanPrecede | Weakness Base | 41 | Improper Resolution of Path Equivalence | Research Concepts1000 |
ParentOf | Weakness Variant | 173 | Failure to Handle Alternate Encoding | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 174 | Double Decoding of the Same Data | Development Concepts (primary)699 Research Concepts1000 |
ParentOf | Weakness Variant | 175 | Failure to Handle Mixed Encoding | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 176 | Failure to Handle Unicode Encoding | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 177 | Failure to Handle URL Encoding (Hex Encoding) | Development Concepts (primary)699 Research Concepts (primary)1000 |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters | |
52 | Embedding NULL Bytes | |
53 | Postfix, Null Terminate, and Backslash | |
64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic | |
72 | URL Encoding | |
78 | Using Escaped Slashes in Alternate Encoding | |
71 | Using Unicode Encoding to Bypass Validation Logic | |
80 | Using UTF-8 Encoding to Bypass Validation Logic |
This is more like a category than a weakness. |
Many other types of encodings should be listed in this category. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Potential Mitigations, Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Maintenance Notes, Relationships, Relationship Notes, Taxonomy Mappings | ||||
2009-07-27 | CWE Content Team | MITRE | Internal | |
updated Potential Mitigations |