Base · Medium

CWE-501: Trust Boundary Violation

The product mixes trusted and untrusted data in the same data structure or structured message.

Description

A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.

Potential Impact

Access Control

Bypass Protection Mechanism

Demonstrative Examples

The following code accepts an HTTP request and stores the username parameter in the HTTP session object before checking to ensure that the user has been authenticated.
Bad (Java):

    // Untrusted request parameter is copied into the trusted session store
    // before the user has been authenticated.
    usrname = request.getParameter("usrname");
    if (session.getAttribute(ATTR_USR) == null) {
        session.setAttribute(ATTR_USR, usrname);
    }

Bad (C#):

    // Same pattern: unvalidated input lands in the session object.
    usrname = request.Item("usrname");
    if (session.Item(ATTR_USR) == null) {
        session.Add(ATTR_USR, usrname);
    }
Without well-established and maintained trust boundaries, programmers will inevitably lose track of which pieces of data have been validated and which have not. This confusion will eventually allow some data to be used without first being validated.
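As an added illustration that is not part of the CWE entry, the Java snippet above is rewritten in plain Python with a dictionary standing in for the session, beside a version that keeps the untrusted parameter out of the session until authentication succeeds. ATTR_USR is kept from the entry; the credential store, authenticate and the handler names are hypothetical.

```python
# Added example, not from the CWE entry: an in-memory session dict replaces the
# servlet session so the pattern can be run without a web framework.
ATTR_USR = "usr"  # session key that downstream code treats as "authenticated user"

# Constructed credential store standing in for a real authentication backend.
_USERS = {"alice": "correct horse battery staple"}


def authenticate(username, password):
    """Return True only when the supplied credentials match the store."""
    return _USERS.get(username) == password


def handle_login_bad(request, session):
    # Vulnerable (CWE-501): the untrusted "usrname" parameter crosses into the
    # trusted session store before any authentication has taken place.
    usrname = request.get("usrname")
    if session.get(ATTR_USR) is None:
        session[ATTR_USR] = usrname


def handle_login_good(request, session):
    # Hardened: raw input stays in an explicitly untrusted structure and is
    # promoted into the session only after the credentials are verified.
    untrusted = {"usrname": request.get("usrname"),
                 "password": request.get("password")}
    if session.get(ATTR_USR) is not None:
        return
    if untrusted["usrname"] and authenticate(untrusted["usrname"],
                                             untrusted["password"]):
        session[ATTR_USR] = untrusted["usrname"]


def current_user(session):
    # Downstream consumer that assumes ATTR_USR implies an authenticated user.
    return session.get(ATTR_USR)


def demo():
    # Constructed request from a client that merely asserts a username.
    forged = {"usrname": "alice"}
    bad_session, good_session = {}, {}
    handle_login_bad(forged, bad_session)
    handle_login_good(forged, good_session)
    return current_user(bad_session), current_user(good_session)
```

With the forged request, the vulnerable handler leaves "alice" in the session while the hardened one leaves it empty; only a request carrying valid credentials populates ATTR_USR in the hardened path.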

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Trust Boundary Violation
  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-501?

CWE-501 (Trust Boundary Violation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product mixes trusted and untrusted data in the same data structure or structured message.

How can CWE-501 be exploited?

Attackers can exploit CWE-501 (Trust Boundary Violation) to bypass protection mechanisms. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-501?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-501?

CWE-501 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.