#SecurityExplained S-63: CWE - 20: Improper Input Validation [CWE Top 25]
The product/program does not validate or validate poorly or input that can disrupt a program's control flow or data flow.
1/N 🧵
The product/program does not validate or validate poorly or input that can disrupt a program's control flow or data flow.
1/N 🧵
2/N
When software fails to properly validate input, an attacker can construct it in a way that the rest of the application does not expect. As a result, components of the system may receive unwanted input, resulting in a change in control flow or even arbitrary code execution.
When software fails to properly validate input, an attacker can construct it in a way that the rest of the application does not expect. As a result, components of the system may receive unwanted input, resulting in a change in control flow or even arbitrary code execution.
3/N
The flaw appears during the Architecture and Design, as well as the implementation stages.
It allows to:
- Cause the Program to Stop
- Set Arbitrary Command Execution
- Cause Excessive Expenditure of Resources
- Read and Compromise Personal Information
The flaw appears during the Architecture and Design, as well as the implementation stages.
It allows to:
- Cause the Program to Stop
- Set Arbitrary Command Execution
- Cause Excessive Expenditure of Resources
- Read and Compromise Personal Information
4/N
Input validation can be applied to -
1. Raw Data - Strings, Numbers, Parameters, File Contents, etc.
2. Metadata - Information about the raw data, such as headers or size
Upon entering the code, many properties of raw data or metadata may need to be checked, such as:
Input validation can be applied to -
1. Raw Data - Strings, Numbers, Parameters, File Contents, etc.
2. Metadata - Information about the raw data, such as headers or size
Upon entering the code, many properties of raw data or metadata may need to be checked, such as:
5/N
- Size, length, frequency, price, rate, number of operations, duration, and so on (all defined quantities).
- Incorporate symbolic keys or other items into hash tables, associative arrays, etc.
- Size, length, frequency, price, rate, number of operations, duration, and so on (all defined quantities).
- Incorporate symbolic keys or other items into hash tables, associative arrays, etc.
6/N
- Individual data items, raw data and metadata, references, and so on must all be consistent.
- Implied or derived quantities, such as the real file size rather than defined file size.
- More complicated data structures like indices, offsets, or placements.
- Individual data items, raw data and metadata, references, and so on must all be consistent.
- Implied or derived quantities, such as the real file size rather than defined file size.
- More complicated data structures like indices, offsets, or placements.
7/N
It's important to keep in mind that "input validation" might have a variety of meanings depending upon whether you ask or whatever classification scheme you use. When referring or mapping to this CWE entry, take caution.
It's important to keep in mind that "input validation" might have a variety of meanings depending upon whether you ask or whatever classification scheme you use. When referring or mapping to this CWE entry, take caution.
8/N
Possible attacks –
+ SQL Injection
+ Cross-Site Scripting (XSS)
+ Command Injection
+ Arbitrary Code Execution
+ Application-Level DOS Attack
+ and other similar attacks
Possible attacks –
+ SQL Injection
+ Cross-Site Scripting (XSS)
+ Command Injection
+ Arbitrary Code Execution
+ Application-Level DOS Attack
+ and other similar attacks
9/N
Mitigations –
1. Use a framework like Struts or the OWASP ESAPI Validation API to validate input. It's important to remember that adopting a framework doesn't solve all input validation issues; be aware of any flaws in the framework itself.
Mitigations –
1. Use a framework like Struts or the OWASP ESAPI Validation API to validate input. It's important to remember that adopting a framework doesn't solve all input validation issues; be aware of any flaws in the framework itself.
10/N
2. Parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and.........
2. Parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and.........
N/N
.....any external systems that provide data to the application are all potential areas where untrusted inputs can enter your software. Keep in mind that API calls can be used to obtain such inputs.
.....any external systems that provide data to the application are all potential areas where untrusted inputs can enter your software. Keep in mind that API calls can be used to obtain such inputs.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
