# Trust Boundary Violations
*Trust boundaries* in computer science are the points where uncontrolled input from an external source – such as HTTP requests, file uploads, or network sockets – is taken into a controlled environment, like a web server. To maintain a good security stance, it is important to keep data taken in across a trust boundary at arm's length until it has been verified.
If you store trusted and untrusted data in the same data store, the trust status of individual data points will inevitably get confused somewhere down the line. Either downstream code components will make incorrect assumptions about the status of the data points, or future code changes will make the same erroneous assumptions.
## Trust Boundary Violations in Java
Consider the following web application that writes the username to the session before authentication has completed, along with a `validated` flag:
```java
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    HttpSession session = request.getSession(true);
    // Untrusted request input is written to the session before the credentials are checked.
    session.setAttribute("username", username);
    if (this.credentialsAreValid(username, password)) {
        session.setAttribute("validated", true);
    }
}
```
There is enough information in the session to determine whether the user is logged in, but it relies on the code checking a trusted data point (the `validated` flag), and an untrusted data point (the `username`). This confusing design opens the door to security bugs, because most developers will assume the user has been authenticated if the `username` appears in the session state.
## Mitigation
Never write untrusted input to your session store until it has been verified. For example, this code writes the username to the session state only after the authentication checks have passed:
```java
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (!this.credentialsAreValid(username, password)) {
        request.setAttribute("message", "Incorrect credentials");
        response.sendRedirect("/login");
        return;
    }
    // Only verified input reaches the session store.
    HttpSession session = request.getSession(true);
    session.setAttribute("username", username);
    response.sendRedirect("/home");
}
```
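To take the idea one step further, downstream code should not have to inspect a raw `username` string at all: a single server-created marker that can only be produced after verification makes the trust status unambiguous. The following is an added example, not code from the original page; the class names `AuthenticatedUser` and `RequireLoginFilter`, the attribute key `SESSION_KEY` and the `javax.servlet` API (Servlet 4.0+, so `Filter.init`/`destroy` have default implementations) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Server-created marker for a verified login. The private constructor and single
 *  factory mean its presence in the session is the only trusted signal; raw request
 *  parameters never reach the session store. (Hypothetical class name.) */
public final class AuthenticatedUser {
    static final String SESSION_KEY = "authenticatedUser";   // assumed attribute name
    private final String username;

    private AuthenticatedUser(String username) { this.username = username; }

    public String username() { return username; }

    /** Call only after credentialsAreValid(username, password) has returned true. */
    static void establish(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();   // discard any pre-login session state
        request.getSession(true).setAttribute(SESSION_KEY, new AuthenticatedUser(username));
    }

    /** Downstream code asks this instead of checking whether a "username" string exists. */
    static AuthenticatedUser from(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        Object marker = session == null ? null : session.getAttribute(SESSION_KEY);
        return marker instanceof AuthenticatedUser ? (AuthenticatedUser) marker : null;
    }
}

/** Filter mapped to protected paths such as /home; rejects any request without the marker. */
class RequireLoginFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (AuthenticatedUser.from(request) == null) {
            ((HttpServletResponse) res).sendRedirect("/login");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

In the login servlet, replace the `session.setAttribute("username", username)` line with `AuthenticatedUser.establish(request, username)` so that the marker, and with it the trust decision, is created in exactly one place.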
## CWEs
* [CWE-501](https://cwe.mitre.org/data/definitions/501.html)