Name Using Unicode Encoding to Bypass Validation Logic
Summary An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
Prerequisites Filtering is performed on data that has not be properly canonicalized.
Solutions Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII. Ensure that filtering or input validation is applied to canonical data. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.
Related Weaknesses
CWE ID Description
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-171 DEPRECATED: Cleansing, Canonicalization, and Comparison Errors
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-176 Improper Handling of Unicode Encoding
CWE-179 Incorrect Behavior Order: Early Validation
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-183 Permissive List of Allowed Inputs
CWE-184 Incomplete List of Disallowed Inputs
CWE-692 Incomplete Denylist to Cross-Site Scripting
CWE-697 Incorrect Comparison
Back to Top