1. Home
  2. CWE Database
  3. CWE-450
Base · Medium

CWE-450: Multiple Interpretations of UI Input

The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.

CWE-450 · Base Level ·2 Mitigations

Description

The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.

Potential Impact

Other

Varies by Context

Mitigations & Prevention

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Implementation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CWE-357: Insufficient UI Warning of Dangerous Operations

The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noti...

Taxonomy Mappings

  • PLOVER: — Multiple Interpretations of UI Input

Frequently Asked Questions

What is CWE-450?

CWE-450 (Multiple Interpretations of UI Input) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.

How can CWE-450 be exploited?

Attackers can exploit CWE-450 (Multiple Interpretations of UI Input) to varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-450?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric

What is the severity of CWE-450?

CWE-450 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.