Permissive Whitelist
Weakness ID: 183 (Weakness Base) | Status: Draft
Description Summary
An application uses a "whitelist" of acceptable values, but the whitelist includes at least one unsafe value, leading to resultant weaknesses.
Potential Mitigations
Define rigid requirements specifications for input and strictly accept input based on those specifications. Determine whether any of the valid data include special characters that are associated with security exploits (use this taxonomy and the Common Vulnerabilities and Exposures list as a starting point for deciding which characters are potentially malicious). If such characters must be permitted, follow the potential mitigations associated with the corresponding weaknesses in this taxonomy. Always handle these data carefully and anticipate attempts to exploit your system.
Phase: Architecture and Design
Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy.
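The following is an added example, not part of the CWE entry, showing the weakness and the mitigation side by side in Python. It assumes a constructed scenario (an upload-filename check) and a constructed, illustrative set of exploit-relevant characters: a regex allowlist that admits '/' passes "../../etc/passwd" even though it is an allowlist, while the "accept known good" form fixes the exact shape of a name and draws the extension from a closed set. The audit helper implements the mitigation's "determine whether any of the valid data include special characters" step by probing each exploit-relevant character against the allowlist pattern.

```python
import re
from pathlib import Path
from typing import Optional, Set

# Constructed example of CWE-183: an allowlist intended for upload filenames
# that admits '/' (and therefore "../") because punctuation was "allowed"
# without asking which characters carry meaning for the file system.
PERMISSIVE_FILENAME_RE = re.compile(r"^[A-Za-z0-9._/-]+$")

# Hardened allowlist: one base-name token, exactly one '.', and an extension
# drawn from a closed set. '/', '\\' and a second '.' cannot appear at all.
STRICT_FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([a-z0-9]{1,8})$")
ALLOWED_EXTENSIONS = {"png", "jpg", "gif", "txt"}

# Illustrative (constructed) set of characters that commonly carry exploit
# significance for paths, shells, SQL and HTML. Extend it from the taxonomy
# entries that apply to wherever the validated value is later used.
EXPLOIT_CHARS = set('/\\;\'"<>&|$`\n\x00')


def is_allowed_permissive(name: str) -> bool:
    """The flawed check: syntactically an allowlist, but it admits '/'."""
    return PERMISSIVE_FILENAME_RE.fullmatch(name) is not None


def is_allowed_strict(name: str) -> bool:
    """Accept-known-good: exact shape plus a closed extension set."""
    m = STRICT_FILENAME_RE.fullmatch(name)
    return m is not None and m.group(1) in ALLOWED_EXTENSIONS


def exploit_chars_admitted(pattern: "re.Pattern[str]") -> Set[str]:
    """Audit step from the mitigation text: which exploit-relevant characters
    does this allowlist accept? Each is probed inside an otherwise benign
    filename so that only the character under test decides the outcome."""
    return {c for c in EXPLOIT_CHARS if pattern.fullmatch(f"a{c}a.png")}


def resolve_upload(base_dir: str, name: str) -> Optional[str]:
    """Defense in depth: after validation, confirm the resolved path still
    lies directly under the upload directory. Returns None on rejection."""
    if not is_allowed_strict(name):
        return None
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    return str(target) if target.parent == base else None


if __name__ == "__main__":
    for n in ("report.png", "../../etc/passwd", "shell.php", "a;b.txt"):
        print(f"{n!r:22} permissive={is_allowed_permissive(n)!s:5} "
              f"strict={is_allowed_strict(n)}")
    print("exploit chars admitted by permissive allowlist:",
          sorted(exploit_chars_admitted(PERMISSIVE_FILENAME_RE)))
    print("exploit chars admitted by strict allowlist:",
          sorted(exploit_chars_admitted(STRICT_FILENAME_RE)))
```

Note that the permissive pattern is not "missing" validation: it rejects "a;b.txt" just as the strict one does. The defect is that one admitted character has file-system meaning, which is exactly why the mitigation says to check the accepted set against known dangerous characters rather than to trust that an allowlist exists.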
Weakness Ordinalities
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 171 | Cleansing, Canonicalization, and Comparison Errors | Development Concepts (primary) 699 |
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000 |
ChildOf | Weakness Class | 697 | Insufficient Comparison | Research Concepts 1000 |
ChildOf | Category | 722 | OWASP Top Ten 2004 Category A1 - Unvalidated Input | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
CanPrecede | Weakness Base | 434 | Unrestricted Upload of File with Dangerous Type | Research Concepts 1000 |
PeerOf | Weakness Base | 625 | Permissive Regular Expression | Research Concepts 1000 |
PeerOf | Weakness Base | 627 | Dynamic Variable Evaluation | Research Concepts 1000 |
CanAlsoBe | Weakness Base | 186 | Overly Restrictive Regular Expression | Research Concepts 1000 |
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
| PLOVER | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Description |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Taxonomy Mappings, Weakness Ordinalities |
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships |
2009-07-27 | CWE Content Team | MITRE | Internal | updated Potential Mitigations |