Establish and maintain control over all inputs

Use a standard input validation mechanism to validate input for length, type of input, syntax, missing or extra inputs, and consistency across related fields. Understand all the potential areas where untrusted inputs can enter the application: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, databases, and any external systems that provide data to the application. Inputs may be obtained indirectly through API calls.
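One way to build such a standard mechanism, as an added example that is not code from the original page: a small allow-list validator in Python that applies each of the checks named above (type, length, syntax, missing or extra inputs, and consistency across related fields) to one request. The schema, the field names and the money-transfer scenario are constructed for the illustration.

```python
import re

# Constructed schema for a hypothetical money-transfer request: one allow-list
# rule per field. Field names and limits are invented for this example.
SCHEMA = {
    "from_account": {"type": str, "max_len": 12, "pattern": re.compile(r"[0-9]{8,12}")},
    "to_account":   {"type": str, "max_len": 12, "pattern": re.compile(r"[0-9]{8,12}")},
    "amount":       {"type": int, "min": 1, "max": 1_000_000},
    "currency":     {"type": str, "max_len": 3, "pattern": re.compile(r"[A-Z]{3}")},
    "memo":         {"type": str, "max_len": 140, "pattern": re.compile(r"[A-Za-z0-9 ,.!?-]*"),
                     "optional": True},
}


def validate(payload):
    """Return a list of error strings; an empty list means the input passed every rule."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors = []
    present = set(payload)

    # Missing or extra inputs: anything the schema does not name is rejected,
    # so a caller cannot smuggle in fields such as "admin" or "balance".
    required = {name for name, rule in SCHEMA.items() if not rule.get("optional")}
    errors += [f"missing field: {name}" for name in sorted(required - present)]
    errors += [f"unexpected field: {name}" for name in sorted(present - set(SCHEMA))]

    for name, rule in SCHEMA.items():
        if name not in payload:
            continue
        value = payload[name]
        # Type: bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        # Length before syntax: cheap, and it bounds the input the regex sees.
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
            continue
        # Syntax: fullmatch() so the whole value must consist of allowed
        # characters; a pattern ending in '$' would still accept a trailing newline.
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: does not match the allowed format")
        # Range for numeric fields.
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")

    # Consistency across related fields, checked only once each field is valid on its own.
    if not errors and payload["from_account"] == payload["to_account"]:
        errors.append("to_account: must differ from from_account")
    return errors


if __name__ == "__main__":
    sample = {"from_account": "12345678", "to_account": "87654321",
              "amount": 250, "currency": "EUR", "memo": "rent"}
    print(validate(sample))                                   # []
    print(validate({**sample, "to_account": "87654321\n"}))   # trailing newline rejected
    print(validate({**sample, "amount": "250", "admin": True}))
```

The validator returns every problem it finds rather than the first one, which is what a client needs for feedback; the server still rejects the request as a whole on any error. Rejecting unknown fields is the part most often left out, and it is what stops mass-assignment style attacks.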

  • Validate on the server side. Client-side checks run in code the attacker controls and can simply be skipped, so only server-side validation protects the application. It also keeps the application working correctly for clients (API scripts, browsers without JavaScript) that never run the client-side checks.
  • Validate on the client side only to give users faster feedback on their input; treat it as a usability feature, not as a security control.
  • Some checks cannot be done reliably in application code on either side because they depend on the current state of the database: whether a username is still unused, whether a referenced record exists, whether a balance covers a withdrawal. A check-then-act sequence in application code can be invalidated by a concurrent request between the check and the write; only a constraint the database enforces at write time (UNIQUE, FOREIGN KEY, CHECK) reliably validates data that depends on related data.
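The last point, as an added example that is not from the original page: a check-then-act uniqueness test in application code against the same rule enforced by the database, in Python with the standard sqlite3 module. The users table, the column names and the two-request scenario are constructed for this illustration; a real service would have the two requests on separate connections, but sequencing them on one connection makes the window between check and insert explicit.

```python
import sqlite3


def open_db():
    """Constructed in-memory schema for a hypothetical user registration table."""
    conn = sqlite3.connect(":memory:")
    # sqlite enforces FOREIGN KEY only when this pragma is on for the connection,
    # and the pragma is ignored inside an open transaction, so set it first.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL UNIQUE,"            # the database-enforced rule
        " referrer_id INTEGER REFERENCES users(id)"  # must point at an existing row
        ")"
    )
    return conn


def username_is_free(conn, username):
    """The check application code tends to write. It is only true at the instant
    it runs; nothing stops another request inserting the same name afterwards."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ?", (username,)
    ).fetchone()
    return count == 0


def register(conn, username, referrer_id=None):
    """Insert and let the database decide. Returns True on success, False when a
    constraint rejects the row (duplicate name or unknown referrer)."""
    try:
        conn.execute(
            "INSERT INTO users (username, referrer_id) VALUES (?, ?)",
            (username, referrer_id),
        )
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def race_demo():
    """Two requests for the same username both pass the application-level check
    before either writes; only the UNIQUE constraint catches the second one."""
    conn = open_db()
    check_a = username_is_free(conn, "alice")          # request A checks: free
    check_b = username_is_free(conn, "alice")          # request B checks: still free
    insert_a = register(conn, "alice")                 # A inserts: accepted
    insert_b = register(conn, "alice")                 # B inserts: UNIQUE rejects it
    bad_ref = register(conn, "bob", referrer_id=999)   # no such referrer: FK rejects it
    good_ref = register(conn, "carol", referrer_id=1)  # alice received id 1
    return check_a, check_b, insert_a, insert_b, bad_ref, good_ref


if __name__ == "__main__":
    print(race_demo())  # (True, True, True, False, False, True)
```

The application-level check is still worth keeping for user feedback, but the code path that writes must treat the constraint violation as the authoritative answer and map it to a clean error, rather than assuming the earlier check made the insert safe.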

For mitigating the low-hanging fruit, the CWE/SANS “Top 25 Most Dangerous Software Errors” list (compiled by MITRE together with SANS; it is not an OWASP list) is a useful starting point. The entries below are taken from that list and grouped by MITRE's estimated likelihood of exploit. The links go to MITRE for more detailed descriptions and (coding) examples. Note that only some of the entries are input-handling weaknesses: missing authorisation, weak cryptography or hard-coded credentials are not fixed by validating inputs and need their own controls. A trailing “+” in a cell means the listed impacts or scopes are not exhaustive.

Likelihood of exploit: High

^ Weakness ^ CWE ^ Impact ^ Scope ^
| Improper validation of array index | CWE-129 | DoS; exposure or modification of sensitive data; execution of arbitrary code | Integrity; Confidentiality; Availability |
| Information exposure through an error message | CWE-209 | Read application data | Confidentiality |
| Path traversal | CWE-22 | Read and modify files or directories; DoS; execution of arbitrary code | Integrity; Confidentiality; Availability |
| Improper authorisation | CWE-285 | Read and modify application data, files or directories; gain privileges or assume identity | Confidentiality; Integrity; Access control |
| Missing authentication for critical function | CWE-306 | Gain privileges or assume identity; + | Access control |
| Missing encryption of sensitive data | CWE-311 | Read and modify application data | Confidentiality; Integrity |
| Use of a broken or risky cryptographic algorithm | CWE-327 | Read and modify data; source of the data cannot be proven | Confidentiality; Integrity; Accountability; Non-repudiation |
| Incorrect permission assignment for critical resource | CWE-732 | Read and modify application data; read files or directories; gain privileges or assume identity | Confidentiality; Access control; Integrity; + |
| Allocation of resources without limits or throttling | CWE-770 | DoS | Availability |
| OS command injection (shell injection) | CWE-78 | Execute arbitrary code; DoS; read and modify files or directories or application data; hide activities | Confidentiality; Integrity; Availability; Non-repudiation |
| Cross-site scripting (XSS) | CWE-79 | Execute arbitrary code; bypass protection mechanism; read application data | Access control; Confidentiality; Integrity; Availability |
| Use of hard-coded credentials | CWE-798 | Bypass protection mechanism; read application data; gain privileges or assume identity; execute arbitrary code; + | Access control; Integrity; Confidentiality; Availability; + |
| Buffer access with incorrect length value | CWE-805 | Execute arbitrary code; DoS | Integrity; Confidentiality; Availability |
| Reliance on untrusted inputs in a security decision | CWE-807 | Bypass protection mechanism; gain privileges or assume identity; varies by context | Confidentiality; Access control; Availability; + |
| Inclusion of functionality from untrusted control sphere | CWE-829 | Execution of arbitrary code | Confidentiality; Integrity; Availability |
| Missing authorisation | CWE-862 | Read and modify application data, files or directories; gain privileges or assume identity; bypass protection mechanism | Confidentiality; Integrity; Access control |
| SQL injection | CWE-89 | Read and modify application data; bypass protection mechanism | Confidentiality; Access control; Integrity |

Likelihood of exploit: Medium

^ Weakness ^ CWE ^ Impact ^ Scope ^
| Integer overflow or wraparound | CWE-190 | Various forms of DoS; execution of arbitrary code; modification of sensitive data; bypassing protection mechanism | Integrity; Confidentiality; Availability; Access control |
| Cross-site request forgery (CSRF) | CWE-352 | Gain privileges or assume identity; bypass protection mechanism; read and modify application data; DoS | Confidentiality; Integrity; Availability; Non-repudiation; Access control |
| Race condition | CWE-362 | DoS; read and modify files or directories or application data | Availability; Confidentiality; Integrity |
| Unrestricted upload of file with dangerous type | CWE-434 | Execute arbitrary code | Integrity; Confidentiality; Availability |
| Download of code without integrity check | CWE-494 | Execute arbitrary code | Integrity; Availability; Confidentiality; + |
| Improper check for unusual or exceptional conditions | CWE-754 | DoS; unexpected state | Integrity; Availability |

Likelihood of exploit: Low

^ Weakness ^ CWE ^ Impact ^ Scope ^
| Open redirect | CWE-601 | Bypass protection mechanism; gain privileges or assume identity | Access control; Confidentiality; + |

More to follow.


en/security/software/web-applications/inputs/start.txt · Last modified: 2019/11/30 08:47 by Digital Dot