CWE-436 Interpretation Conflict
What this means
SiteShadow flagged a pattern where two different parts of the system interpret the same input differently (encoding, normalization, parsing rules). This can create "bypass gaps" where validation happens in one interpretation but execution uses another.
Why it matters
Inconsistent parsing can allow bypasses or unexpected behavior.
- Validation bypass: input passes checks pre-decoding but becomes dangerous after decoding/normalization.
- Policy bypass: filters/allowlists applied to one representation don't match the executed representation.
- Often appears with URL decoding, Unicode normalization, path separators, and content-type parsing.
Safer examples
1) Canonicalize once, then validate
Decode/normalize to a single canonical form at the boundary, and validate that canonical form.
2) Reject ambiguous encodings
Disallow double-encoding, mixed separators, and suspicious Unicode confusables in security-sensitive inputs (see CWE-86 / CWE-116).
3) Use the same parser for validation and use
Don't validate with regex and then interpret with a different parser; validate using the same library/rules you'll execute with.
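The three steps above put together in one checker, as an added example that is not SiteShadow's code and not from the original page. It contrasts the validate-then-decode pattern the detector flags with a canonicalize-once version; the `public/` prefix allowlist and the sample inputs are constructed, and Python's `urllib.parse.unquote`, `unicodedata` and `posixpath` are the single set of decoding rules that both the check and the sink use.

```python
import posixpath
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Constructed allowlist: requests may only read below this directory prefix.
ALLOWED_PREFIX = "public/"


def validate_then_decode(raw: str) -> Optional[str]:
    """The pattern SiteShadow flags: the check runs on the raw form, and the
    sink then decodes it. Returns the path the sink would use, or None."""
    # Validation looks at the encoded text ...
    if ".." in raw or not raw.startswith(ALLOWED_PREFIX):
        return None
    # ... but the sink works on a different interpretation after decoding.
    return posixpath.normpath(unquote(raw))


def canonicalize(raw: str) -> Optional[str]:
    """Decode and normalize exactly once at the boundary into one canonical
    form; ambiguous encodings are rejected rather than repaired."""
    decoded = unquote(raw)
    # A percent escape that survives one round of decoding means the input
    # was double-encoded: reject instead of decoding again.
    if "%" in decoded:
        return None
    # Compatibility/confusable code points (e.g. fullwidth '.') fold under NFKC.
    decoded = unicodedata.normalize("NFKC", decoded)
    # Mixed separators and NUL bytes are read differently by different
    # parsers; only '/' is accepted as a separator.
    if "\\" in decoded or "\x00" in decoded:
        return None
    return posixpath.normpath(decoded)


def canonicalize_then_validate(raw: str) -> Optional[str]:
    """Safer pattern: one canonical form is validated and that same value is
    what gets handed to the sink, so check and use cannot diverge."""
    canonical = canonicalize(raw)
    if canonical is None:
        return None
    if ".." in canonical.split("/") or not canonical.startswith(ALLOWED_PREFIX):
        return None
    return canonical


if __name__ == "__main__":
    for sample in ("public/readme.txt", "public/%2e%2e/secret.txt",
                   "public/%252e%252e/x", "public\\..\\x",
                   "public/\uff0e\uff0e/secret"):
        print(repr(sample), "->",
              "flagged pattern:", validate_then_decode(sample),
              "| canonical-first:", canonicalize_then_validate(sample))
```

Run as a script it prints, for each constructed input, what each pattern would pass to the sink. The encoded traversal `public/%2e%2e/secret.txt` passes the raw-text check yet resolves to `secret.txt` after the sink decodes it, while the canonical-first checker sees the decoded, normalized path and rejects it; the double-encoded and mixed-separator inputs are refused outright because their interpretation is ambiguous.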
How SiteShadow detects it (high level)
- Detects sequences like "validate raw input" followed by "decode/normalize" or alternative parsing before use.
- Flags mismatches between validation routines and the eventual sinks.
References
- CWE-436: https://cwe.mitre.org/data/definitions/436.html
---