CWE-178: Improper Handling of Case Sensitivity

Description

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

Improperly handled case sensitive data can lead to several possible consequences, including:

  • case-insensitive passwords reducing the size of the key space, making brute force attacks easier
  • bypassing filters or access controls using alternate names
  • multiple interpretation errors using alternate names.

Example Vulnerable Codes

Example - 1

In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent:

return input.replaceAll("script", mask);public String preventXSS(String input, String mask) {}

The code only works when the "script" tag is in all lower-case, forming an incomplete denylist (CWE-184). Equivalent tags such as "SCRIPT" or "ScRiPt" will not be neutralized by this method, allowing an XSS attack.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-289: Authentication Bypass by Alternate Name
Go to
CWE-433: Unparsed Raw Web Content Delivery
Go to
CWE-706: Use of Incorrectly-Resolved Name or Reference
Go to
CWE-1289: Improper Validation of Unsafe Equivalence in Input
Go to

Visit http://cwe.mitre.org/ for more details.