CWE-180 Variante Brouillon

Incorrect Behavior Order: Validate Before Canonicalize

This vulnerability occurs when a system checks user input for malicious content before standardizing its format, allowing specially crafted data to bypass security checks.

Définition

What is CWE-180?

This vulnerability occurs when a system checks user input for malicious content before standardizing its format, allowing specially crafted data to bypass security checks.
When validation runs before canonicalization (the process of converting data into a standard, consistent form), attackers can exploit the gap between these two steps. They can submit input that appears safe during the initial check but transforms into a dangerous payload after it's standardized. For example, an attacker might use alternate character encodings, multiple slashes, or dot sequences that resolve to a forbidden path after canonicalization. This flaw effectively neutralizes security defenses like allow-lists or injection filters, creating a false sense of security. To prevent this, always canonicalize input first—convert it to its simplest, canonical form—and then perform validation and sanitization on that standardized data. This ensures your security logic evaluates the actual data the application will use.
Impact réel

Real-world CVEs caused by CWE-180

  • CVE-2002-0433

    Product allows remote attackers to view restricted files via an HTTP request containing a "*" (wildcard or asterisk) character.

  • CVE-2003-0332

    Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.

  • CVE-2002-0802

    Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.

  • CVE-2000-0191

    Overlaps "fakechild/../realchild"

  • CVE-2004-2363

    Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed.

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

  1. 1

    The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".

  2. 2

    The problem with the above code is that the validation step occurs before canonicalization occurs. An attacker could provide an input path of "/safe_dir/../" that would pass the validation step. However, the canonicalization process sees the double dot as a traversal to the parent directory and hence when canonicized the path would become just "/".

  3. 3

    To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue.

Exemple de code vulnérable

Vulnerable Java

The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".

Vulnérable Java 
String path = getInputPath();
  if (path.startsWith("/safe_dir/"))
  {
  	File f = new File(path);
  	return f.getCanonicalPath();
  }
Exemple de code sécurisé

Secure Java

To avoid this problem, validation should occur after canonicalization takes place. In this case canonicalization occurs during the initialization of the File object. The code below fixes the issue.

Sécurisé Java 
String path = getInputPath();
  File f = new File(path);
  if (f.getCanonicalPath().startsWith("/safe_dir/"))
  {
  	return f.getCanonicalPath();
  }
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention

How to prevent CWE-180

  • Implementation Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Signaux de détection

How to detect CWE-180

SAST High

Exécuter une analyse statique (SAST) sur le code source à la recherche du motif non sécurisé dans le flux de données.

DAST Moderate

Exécuter des tests de sécurité applicative dynamique (DAST) contre le point de terminaison en ligne.

Runtime Moderate

Surveiller les journaux runtime pour détecter des traces d'exception inhabituelles, des entrées malformées ou des tentatives de contournement d'autorisation.

Code review Moderate

Revue de code : signaler tout nouveau code qui traite les entrées de cette surface sans utiliser les helpers du framework validés.

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-180 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement
Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-180 ?

This vulnerability occurs when a system checks user input for malicious content before standardizing its format, allowing specially crafted data to bypass security checks.

Quelle est la gravité de CWE-180 ?

MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.

Quels langages ou plateformes sont affectés par CWE-180 ?

MITRE n'a pas spécifié les plateformes affectées pour ce CWE — il peut s'appliquer à la plupart des stacks applicatives.

Comment puis-je prévenir CWE-180 ?

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Comment Plexicus détecte et corrige CWE-180 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-180 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-180 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/180.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-180

CWE-179 Parent

Incorrect Behavior Order: Early Validation

This vulnerability occurs when an application validates user input before applying security filters or data normalization. Attackers can…

CWE-181 Frère

Incorrect Behavior Order: Validate Before Filter

This vulnerability occurs when a system checks user input for validity before cleaning or filtering it. This flawed sequence allows…

Ressources

Further reading

Prêt quand vous l'êtes

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo