CWE-181: Incorrect Behavior Order: Validate Before Filter
Also known as: Validate-before-cleanse
The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.
Last updated
Overview
This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.
Common consequences
What can happen when CWE-181 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-181, grouped by where in the lifecycle they apply.
Inputs should be decoded and canonicalized to the application's current internal representation before being filtered.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.