Incorrect Behavior Order: Validate Before Filter

Draft Variant

Structure: Simple

Description

This vulnerability occurs when a system checks user input for validity before cleaning or filtering it. This flawed sequence allows malicious data to pass validation, only to be altered by later filters into a dangerous form.

Extended Description

The core issue is a logic flaw in the data handling pipeline. When validation runs before filtering, an attacker can craft input that passes the initial checks but transforms into a malicious payload after filtering. For example, a validator might allow a string containing certain special characters, but a subsequent filter designed to neutralize those same characters might inadvertently create valid attack syntax, like SQL commands or script tags. This flaw effectively bypasses security controls, turning defensive filters into weapons. It exposes the application to injection attacks (like SQLi or XSS) that the validation step was meant to prevent. To fix this, developers must always sanitize or normalize user input first, then validate the cleaned data against security rules. This ensures the data you check is the exact same data your application processes.

Common Consequences 1

Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations 1

Phase: ImplementationArchitecture and Design

Inputs should be decoded and canonicalized to the application's current internal representation before being filtered.

Demonstrative Examples 1

ID : DX-36

This script creates a subdirectory within a user directory and sets the user as the owner.

Code Example:

Bad

PHP

php

//filter out '~~' because other scripts identify user directories by this prefix* $dirName = str_replace('~~','',$dirName); $newDir = $userDir . $dirName; mkdir($newDir, 0700); chown($newDir,$userName);}

While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (DEPRECATED: Pathname Traversal and Equivalence Errors) attack to occur.

Observed Examples 2

CVE-2002-0934Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

CVE-2003-0282Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Related Attack Patterns

Alternate Terms

Validate-before-cleanse

Functional Areas

Protection Mechanism

Related Weaknesses

ChildOf:

Incorrect Behavior Order: Early Validation (CWE-179)

Taxonomy Mapping

PLOVER
OWASP Top Ten 2004

Notes

Research GapThis category is probably under-studied.