CWE-1289: Improper Validation of Unsafe Equivalence in Input

The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no " " tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject " " and trigger XSS.

CWE-1289: Improper Validation of Unsafe Equivalence in Input

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Frequently asked questions

What is CWE-1289?

What CVEs are caused by CWE-1289?

How do you prevent CWE-1289?

What are the consequences of CWE-1289?

Is CWE-1289 actively exploited?

References

Stay ahead of CWE-1289

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Related weaknesses

Parent

Peer

Frequently asked questions

What is CWE-1289?

What CVEs are caused by CWE-1289?

How do you prevent CWE-1289?

What are the consequences of CWE-1289?

Is CWE-1289 actively exploited?

References

Stay ahead of CWE-1289