Incorrect Behavior Order: Validate Before Filter
Weakness ID: 181 (Weakness Base)
Status: Draft
+ Description

Description Summary

The software validates data before it has been filtered or cleansed, which prevents the software from detecting data that becomes invalid after the filtering step.

Extended Description

This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.

+ Alternate Terms
Validate-before-cleanse
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Observed Examples
Reference       Description
CVE-2002-0934
CVE-2003-0282
CVE-2003-0417   Possibly
+ Potential Mitigations

Inputs should be decoded and canonicalized to the application's current internal representation before being filtered, and validation should run on that filtered, canonical form rather than on the raw input.
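The following added example (not part of the CWE entry) contrasts the two orderings on a path-like parameter. The filtering step, percent-decoding plus NUL-byte removal, is a constructed stand-in for an application's cleansing routine; the blocked-token list is likewise illustrative.

```python
import urllib.parse

# Tokens the validation step refuses (constructed for this example).
BLOCKED_TOKENS = ("../", "<", ">")


def cleanse(value: str) -> str:
    """Filtering/cleansing step: decode percent-encoding until stable
    (covers double encoding such as %252E) and drop NUL bytes."""
    previous = None
    while previous != value:
        previous, value = value, urllib.parse.unquote(value)
    return value.replace("\x00", "")


def validate(value: str) -> bool:
    """Validation step: accept only if no blocked token is present."""
    return not any(token in value for token in BLOCKED_TOKENS)


def validate_before_filter(raw: str):
    """CWE-181 ordering: the raw input is validated, then cleansed.
    Tokens that only appear after decoding slip past validation.
    Returns the cleansed value if accepted, None if rejected."""
    if not validate(raw):
        return None
    return cleanse(raw)


def filter_before_validate(raw: str):
    """Corrected ordering: cleanse to the canonical form first, then
    validate that form. Returns the cleansed value or None."""
    cleaned = cleanse(raw)
    if not validate(cleaned):
        return None
    return cleaned


if __name__ == "__main__":
    # Constructed inputs: a benign path and an encoded traversal sequence.
    for sample in ("docs%2Freadme.txt", "..%2F..%2Fetc%2Fpasswd", "%252E%252E%2Fx"):
        print(repr(sample), "->",
              "vulnerable:", validate_before_filter(sample),
              "| fixed:", filter_before_validate(sample))
```

Running the block shows the encoded traversal accepted as "../../etc/passwd" by the vulnerable ordering and rejected by the corrected one, while the benign path passes both.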

+ Relationships
Nature   Type           ID    Name                                                View(s) this relationship pertains to
ChildOf  Category       171   Cleansing, Canonicalization, and Comparison Errors  Development Concepts (primary) 699
ChildOf  Weakness Base  179   Incorrect Behavior Order: Early Validation          Research Concepts (primary) 1000
ChildOf  Category       722   OWASP Top Ten 2004 Category A1 - Unvalidated Input  Weaknesses in OWASP Top Ten (2004) (primary) 711
+ Research Gaps

This category is probably under-studied.

+ Functional Areas
  • Protection Mechanism
+ Taxonomy Mappings
Mapped Taxonomy Name  Node ID  Fit                Mapped Node Name
PLOVER                                            Validate-Before-Filter
OWASP Top Ten 2004    A1       CWE More Specific  Unvalidated Input
+ Related Attack Patterns
(CAPEC Version: 1.4)
CAPEC-ID  Attack Pattern Name
3         Using Leading 'Ghost' Character Sequences to Bypass Input Filters
43        Exploiting Multiple Input Interpretation Layers
78        Using Escaped Slashes in Alternate Encoding
79        Using Slashes in Alternate Encoding
80        Using UTF-8 Encoding to Bypass Validation Logic
+ Content History
Submissions
Submission Date  Submitter  Organization  Source
                 PLOVER                   Externally Mined

Modifications
Modification Date  Modifier          Organization  Source
2008-07-01         Eric Dalci        Cigital       External
                   updated Potential Mitigations, Time of Introduction
2008-08-15         Veracode                        External
                   Suggested OWASP Top Ten 2004 mapping
2008-09-08         CWE Content Team  MITRE         Internal
                   updated Functional Areas, Relationships, Research Gaps, Taxonomy Mappings, Type
2008-10-14         CWE Content Team  MITRE         Internal
                   updated Description

Previous Entry Names
Change Date  Previous Entry Name
2008-04-11   Validate-before-filter