CWE-1289: Improper Validation of Unsafe Equivalence in Input

BaseIncomplete

The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.

View on MITRE
Back to CWE Lookup

Extended Description

Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no "<script>" tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject "<ScrIpT>" and trigger XSS.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-1289: Improper Validation of Unsafe Equivalence in Input?+

CWE-1289: Improper Validation of Unsafe Equivalence in Input is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no "<script>" tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject "<ScrIpT>" and trigger XSS.

What are the security consequences of Improper Validation of Unsafe Equivalence in Input?+

If exploited, CWE-1289 (Improper Validation of Unsafe Equivalence in Input) it can compromise Other, leading to outcomes such as Varies by Context.

Which programming languages are affected by Improper Validation of Unsafe Equivalence in Input?+

CWE-1289 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Validation of Unsafe Equivalence in Input?+

MITRE documents real CVEs mapped to CWE-1289, including CVE-2021-39155, CVE-2020-11053, CVE-2005-0269, CVE-2001-1238 and CVE-2004-2214. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1289 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More