Establish and maintain control over all outputs

Use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

To mitigate the low-hanging fruit, use the same list as for Establish and maintain control over all inputs, except for “Inclusion of functionality from untrusted control sphere” and “Missing authorisation”. Understand the context in which the data will be used and the encoding that context expects. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
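As an added illustration (not code from this page), the following Python renderer is one such structured mechanism: the template author declares the output context of every placeholder, and the renderer applies the matching encoder, so the same untrusted value is encoded differently for HTML text, a URL query component and a JavaScript string literal. The template, placeholder syntax and profile fragment are assumptions made for the example.

```python
import html
import json
import re
from urllib.parse import quote

# One encoder per output context a web page mixes. Percent-encoding with
# safe="" leaves only unreserved characters and '%', so a "url" value is
# also safe inside a quoted HTML attribute without a second pass.
ENCODERS = {
    "html": lambda v: html.escape(v, quote=True),  # element text and attribute values
    "url": lambda v: quote(v, safe=""),            # one query-string component
    # JS string literal inside <script>: json.dumps adds the quotes and escapes
    # control characters; '<', '>' and '&' are escaped as well so the literal
    # can never terminate the <script> element or be misread as markup.
    "js": lambda v: json.dumps(v).replace("<", "\\u003c")
                                 .replace(">", "\\u003e")
                                 .replace("&", "\\u0026"),
}

PLACEHOLDER = re.compile(r"\{\{(\w+):(\w+)\}\}")


def render(template, values):
    """Substitute {{context:name}} placeholders, encoding each value for the
    context the template author declared. A context without an encoder is an
    error, so raw data can never reach the output by default."""
    def substitute(match):
        ctx, name = match.group(1), match.group(2)
        if ctx not in ENCODERS:
            raise ValueError(f"no encoder for output context {ctx!r}")
        return ENCODERS[ctx](str(values[name]))
    return PLACEHOLDER.sub(substitute, template)


# Hypothetical profile fragment: one untrusted value lands in three contexts.
PROFILE = (
    "<p>Hello {{html:name}}</p>\n"
    '<a href="/search?q={{url:name}}" title="{{html:name}}">search</a>\n'
    "<script>var user = {{js:name}};</script>"
)


def render_profile(name):
    return render(PROFILE, {"name": name})


if __name__ == "__main__":
    # Constructed input that would break a page built by plain concatenation.
    print(render_profile('Ann </script> & "O\'Brien"'))
```

Because the encoder is chosen from the declared context rather than by the developer at each output point, forgetting to encode becomes a template error instead of a silent injection.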

Likelihood of exploit: High

^ Description ^ CWE ^ Impact ^ Scope ^
| Improper validation of array index | CWE-129 | DoS; exposure or modification of sensitive data; execution of arbitrary code | Integrity; Confidentiality; Availability |
| Information exposure through an error message | CWE-209 | Read application data | Confidentiality |
| Path traversal | CWE-22 | Read and modify files or directories; DoS; execution of arbitrary code | Integrity; Confidentiality; Availability |
| Improper authorisation | CWE-285 | Read and modify application data, files or directories; gain privileges or assume identity | Confidentiality; Integrity; Access control |
| Missing authentication for critical function | CWE-306 | Gain privileges or assume identity; + | Access control |
| Missing encryption of sensitive data | CWE-311 | Read and modify application data | Confidentiality; Integrity |
| Use of a broken or risky cryptographic algorithm | CWE-327 | Read and modify data; source of the data cannot be proven | Confidentiality; Integrity; Accountability; Non-repudiation |
| Incorrect permission assignment for critical resource | CWE-732 | Read and modify application data; read files or directories; gain privileges or assume identity | Confidentiality; Access control; Integrity; + |
| Allocation of resources without limits or throttling | CWE-770 | DoS | Availability |
| Shell injection | CWE-78 | Execute arbitrary code; DoS; read and modify files or directories or application data; hide activities | Confidentiality; Integrity; Availability; Non-repudiation |
| Cross-site scripting (XSS) | CWE-79 | Execute arbitrary code; bypass protection mechanism; read application data | Access control; Confidentiality; Integrity; Availability |
| Use of hard-coded credentials | CWE-798 | Bypass protection mechanism; read application data; gain privileges or assume identity; execute arbitrary code; + | Access control; Integrity; Confidentiality; Availability; + |
| Buffer access with incorrect length value | CWE-805 | Execute arbitrary code; DoS | Integrity; Confidentiality; Availability |
| Reliance on untrusted inputs in a security decision | CWE-807 | Bypass protection mechanism; gain privileges or assume identity; varies by context | Confidentiality; Access control; Availability; + |
| SQL injection | CWE-89 | Read and modify application data; bypass protection mechanism | Confidentiality; Access control; Integrity |

Likelihood of exploit: Medium

^ Description ^ CWE ^ Impact ^ Scope ^
| Integer overflow or wraparound | CWE-190 | Various forms of DoS; execution of arbitrary code; modification of sensitive data; bypassing protection mechanism | Integrity; Confidentiality; Availability; Access control |
| Cross-site request forgery (CSRF) | CWE-352 | Gain privileges or assume identity; bypass protection mechanism; read and modify application data; DoS | Confidentiality; Integrity; Availability; Non-repudiation; Access control |
| Race condition | CWE-362 | DoS; read and modify files or directories or application data | Availability; Confidentiality; Integrity |
| Unrestricted upload of file with dangerous type | CWE-434 | Execute arbitrary code | Integrity; Confidentiality; Availability |
| Download of code without integrity check | CWE-494 | Execute arbitrary code | Integrity; Availability; Confidentiality; + |
| Improper check for unusual or exceptional conditions | CWE-754 | DoS; unexpected state | Integrity; Availability |

Likelihood of exploit: Low

^ Description ^ CWE ^ Impact ^ Scope ^
| Open redirect | CWE-601 | Bypass protection mechanism; gain privileges or assume identity | Access control; Confidentiality; + |

en/security/software/web-applications/outputs.txt · Last modified: 2019/11/30 08:01 by Digital Dot