CWE-180: Incorrect Behavior Order: Validate Before Canonicalize

VariantDraft

The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

View on MITRE
Back to CWE Lookup

Extended Description

This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-180: Incorrect Behavior Order: Validate Before Canonicalize?+

CWE-180: Incorrect Behavior Order: Validate Before Canonicalize is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.

What are the security consequences of Incorrect Behavior Order: Validate Before Canonicalize?+

If exploited, CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.

Which programming languages are affected by Incorrect Behavior Order: Validate Before Canonicalize?+

CWE-180 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Incorrect Behavior Order: Validate Before Canonicalize?+

MITRE documents real CVEs mapped to CWE-180, including CVE-2002-0433, CVE-2003-0332, CVE-2002-0802, CVE-2000-0191 and CVE-2004-2363. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-180 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More