Incorrect Behavior Order: Validate Before Filter
Draft Variant
Structure: Simple
Description
The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.
This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.
Common Consequences 1
Scope: Access Control
Impact: Bypass Protection Mechanism
Potential Mitigations 1
Phase: ImplementationArchitecture and Design
Inputs should be decoded and canonicalized to the application's current internal representation before being filtered.
Demonstrative Examples 1
ID : DX-36
This script creates a subdirectory within a user directory and sets the user as the owner.Code Example:
Bad
PHP
php//filter out '' because other scripts identify user directories by this prefix*
$dirName = str_replace('','',$dirName);
$newDir = $userDir . $dirName;
mkdir($newDir, 0700);
chown($newDir,$userName);}
While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (DEPRECATED: Pathname Traversal and Equivalence Errors) attack to occur.
Observed Examples 2
CVE-2002-0934Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
CVE-2003-0282Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Related Attack Patterns
- 3DEPRECATED: Technology-specific Environment Issues
- 43Path Equivalence: 'filename....' (Multiple Trailing Dot)
- 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- 267Privilege Defined With Unsafe Actions
Alternate Terms
Validate-before-cleanse
Functional Areas
- Protection Mechanism
Related Weaknesses
Taxonomy Mapping
- PLOVER
- OWASP Top Ten 2004
Notes
Research GapThis category is probably under-studied.