Discard unsafe inputs

Summary

The system must discard all potentially harmful information received via data inputs.

Description

Technological devices and, in particular, applications must be able to notice if the received information does not correspond to its operational purposes, in order to treat it properly (for example, rejecting and/or generating timely alerts) and ensure that it does not impact the operation negatively. Typical examples of this are: SQL queries, JavaScript code, OS commands or LDAP queries in fields and application parameters; text with undesired special characters and their possible combinations in fields and parameters; files manipulated in structure and extension to be loaded in an application or technology artifact; and in general any type of information that does not correspond to the requested format. A large amount of the incoming traffic (which does not correspond to operational purposes) of a technological artifact must also be considered, and controls and proper treatment must be applied.

Supported In

This requirement is verified in following services:

Plan	Supported
Machine	🟢
Squad	🟢

References

• CAPEC™-3. Using leading 'ghost' character sequences to bypass input filters
• CAPEC™-4. Using alternative IP address encodings
• CAPEC™-6. Argument injection
• CAPEC™-7. Blind SQL injection
• CAPEC™-15. Command delimiters
• CAPEC™-18. XSS targeting non-script elements
• CAPEC™-19. Embedding scripts within scripts
• CAPEC™-22. Exploiting trust in client
• CAPEC™-24. Filter failure through buffer overflow
• CAPEC™-32. XSS through HTTP query strings
• CAPEC™-34. HTTP response splitting
• CAPEC™-41. Using meta-characters in e-mail headers to inject malicious payloads
• CAPEC™-48. Passing local filenames to functions that expect a URL
• CAPEC™-130. Excessive allocation
• CAPEC™-137. Parameter injection
• CAPEC™-153. Input data manipulation
• CAPEC™-175. Code inclusion
• CAPEC™-240. Resource injection
• CAPEC™-242. Code injection
• CAPEC™-248. Command injection
• CAPEC™-676. NoSQL Injection
• CAPEC™-690. Metadata Spoofing
• CAPEC™-691. Spoof Open-Source Software Metadata
• CAPEC™-692. Spoof Version Control System Commit Metadata
• CIS-16_10. Apply secure design principles in application architectures
• CWE™-20. Improper input validation
• CWE™-74. Improper neutralization of special elements in output used by a downstream component ("injection")
• CWE™-78. Improper neutralization of special elements used in an OS command ("OS command injection")
• CWE™-79. Improper neutralization of input during web page generation ("cross-site scripting")
• CWE™-80. Improper neutralization of script-related HTML tags in a web page (basic XSS)
• CWE™-89. Improper neutralization of special elements used in an SQL command ("SQL injection")
• CWE™-94. Improper control of generation of code ("code injection")
• CWE™-138. Improper neutralization of special elements
• CWE™-147. Improper neutralization of input terminators
• CWE™-643. Improper neutralization of data within XPath expressions ("XPath injection")
• CWE™-22. Improper limitation of a pathname to a restricted directory ("path traversal")
• CWE™-36. Absolute path traversal
• CWE™-90. Improper neutralization of special elements used in an LDAP query ('LDAP Injection')
• CWE™-91. XML injection
• CWE™-95. Improper neutralization of directives in dynamically evaluated code ("eval injection")
• CWE™-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
• CWE™-112. Missing XML validation
• CWE™-116. Improper encoding or escaping of output
• CWE™-150. Improper neutralization of escape, meta, or control sequences
• CWE™-290. Authentication bypass by spoofing
• CWE™-400. Uncontrolled resource consumption
• CWE™-444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")
• CWE™-611. Improper restriction of XML External Entity reference
• CWE™-918. Server-side request forgery (SSRF)
• CWE™-1284. Improper validation of specified quantity in input
• CWE™-1287. Improper validation of specified type of input
• CWE™-1325. Improperly controlled sequential memory allocation
• OWASP TOP 10-A3. Injection
• OWASP-M TOP 10-M2. Insecure data storage
• Agile Alliance-9. Continuous attention to technical excellence and good design
• BIZEC-APP-APP-01. ABAP command injection
• BIZEC-APP-APP-02. OS command injection
• BIZEC-APP-APP-03. Native SQL injection
• BIZEC-APP-APP-06. Direct database modifications
• BIZEC-APP-APP-08. Open SQL injection
• CERT-C-FIO30-C. Exclude user input from format strings
• CERT-J-IDS00-J. Prevent SQL injection
• CERT-J-IDS16-J. Prevent XML injection
• MITRE ATT&CK®-M1013. Application developer guidance
• MITRE ATT&CK®-M1037. Filter network traffic
• PA-DSS-5_2_1. Injection flaws, particularly SQL injection
• PA-DSS-5_2_2. Buffer Overflow
• PA-DSS-5_2_7. Cross-site scripting (XSS)
• SANS 25-2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• SANS 25-3. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• SANS 25-4. Improper Input Validation
• SANS 25-6. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• SANS 25-17. Improper Neutralization of Special Elements used in a Command ('Command Injection')
• SANS 25-19. Improper Restriction of Operations within the Bounds of a Memory Buffer
• SANS 25-21. Server-Side Request Forgery (SSRF)
• SANS 25-24. Improper Restriction of XML External Entity Reference
• SANS 25-25. Improper Control of Generation of Code ('Code Injection')
• HITRUST CSF-10_b. Input data validation
• HITRUST CSF-13_k. Use and disclosure
• FedRAMP-PE-16. Delivery and removal
• FedRAMP-SI-5. Security alerts, advisories, and directives
• ISO/IEC 27002-8_20. Network controls
• ISO/IEC 27002-8_26. Application security requirements
• ISA/IEC 62443-SI-3_5. Input validation
• WASSEC-6_2_3_2. Client-side attacks - Cross-site scripting
• WASSEC-6_2_3_4. Client-side attacks - HTML injection
• WASSEC-6_2_4_2. Command execution - LDAP injection
• WASSEC-6_2_4_3. Command execution - OS command injection
• WASSEC-6_2_4_4. Command execution - SQL injection
• WASSEC-6_2_4_6. Command execution - Xpath injection
• WASSEC-6_2_4_8. Command execution - Remote file includes
• WASSEC-6_2_4_9. Command execution - Local file includes
• WASSEC-6_2_5_3. Information disclosure - Path traversal
• WASC-A_07. Buffer overflow
• WASC-A_12. Content spoofing
• WASC-A_18. Credential and session prediction
• WASC-A_08. Cross-site scripting
• WASC-A_26. HTTP request smuggling
• WASC-A_29. LDAP injection
• WASC-A_31. OS commanding
• WASC-A_33. Path traversal
• WASC-A_05. Remote file inclusion (RFI)
• WASC-A_19. SQL injection
• WASC-A_39. XPath injection
• WASC-A_46. XML injection
• WASC-W_20. Improper input handling
• ISSAF-F_5_9. Network security - Router security assessment (configure ingress filtering)
• ISSAF-G_12. Network security - Firewalls (port redirection)
• ISSAF-P_6_1. Host security - Linux security (remote attacks)
• ISSAF-P_6_3. Host security - Linux security (buffer overflows)
• ISSAF-P_6_15. Host security - Linux security (local attacks)
• ISSAF-Q_16_20. Host security - Windows security (local attacks)
• ISSAF-T_13_2. Web application assessment - Test invalidated parameters (Cross Site Scripting)
• ISSAF-T_14_2. Web application assessment - Hidden form fields manipulation
• ISSAF-T_16_1. Web application assessment - Input validation (validate data)
• ISSAF-T_17. Web application assessment - Test SQL injection
• ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
• ISSAF-U_8. Web application SQL injections - Check SQL injection vulnerability
• ISSAF-U_11. Web application SQL injections - Get control on host
• ISSAF-U_15. Web application SQL injections – Countermeasures
• ISSAF-V_9. Application security - Source code auditing (data and input validation)
• ISSAF-V_10. Application security - Source code auditing (Cross Site Scripting XSS)
• ISSAF-V_13. Application security - Source code auditing (command injection)
• PTES-5_2_3_1. Vulnerability analysis - Web application scanners (application flaw scanners)
• PTES-6_2_3. Exploitation - Countermeasures (data execution prevention)
• PTES-7_4_2_3. Post exploitation - Pillaging (database servers)
• OWASP Top 10 Privacy Risks-P7. Insufficient data quality
• MVSP-1_8. Business controls - Data handling
• MVSP-2_5. Application design controls - Security libraries
• MVSP-3_3. Application implementation controls - Vulnerability prevention
• OWASP SCP-1. Input validation
• OWASP SCP-11. Database security
• OWASP SCP-12. File management
• OWASP SCP-13. Memory management
• BSAFSS-SC_3-2. Secure Coding (secure software against unsafe functions)
• BSAFSS-SC_3-3. Secure Coding (secure software against unsafe functions)
• BSAFSS-LO_2-4. Implement securely logging mechanisms
• OWASP MASVS-V6_2. Platform interaction requirements
• CWE TOP 25-20. Improper input validation
• CWE TOP 25-22. Improper limitation of a pathname to a restricted directory (path traversal)
• CWE TOP 25-78. Improper neutralization of special elements used in an OS command (OS command injection)
• CWE TOP 25-79. Improper neutralization of input during web page generation (cross-site scripting)
• CWE TOP 25-89. Improper neutralization of special elements used in an SQL command (SQL injection)
• CWE TOP 25-77. Improper neutralization of special elements used in a command (command injection)
• CWE TOP 25-94. Improper Control of Generation of Code ('Code Injection')
• CWE TOP 25-611. Improper restriction of XML external entity reference
• CWE TOP 25-918. Server-side request forgery (SSRF)
• OWASP ASVS-1_5_3. Input and output architecture
• OWASP ASVS-5_2_5. Sanitization and sandboxing
• OWASP ASVS-5_2_6. Sanitization and sandboxing
• OWASP ASVS-5_3_7. Output encoding and injection prevention
• OWASP ASVS-5_3_8. Output encoding and injection prevention
• OWASP ASVS-5_3_10. Output encoding and injection prevention
• OWASP ASVS-5_4_1. Memory, string, and unmanaged code
• OWASP ASVS-8_1_3. General data protection
• OWASP ASVS-12_3_1. File execution
• C2M2-9_4_d. Implement software security for cybersecurity architecture
• PCI DSS-1_4_3. Implement anti-spoofing measures
• PCI DSS-6_2_4. Software engineering techniques to prevent or mitigate common software attacks
• SIG Lite-SL_18. Are there regular privacy risk assessments conducted?
• SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG Core-D_6_7. Asset and information management
• SIG Core-I_1_14. Application security
• SIG Core-I_2_1. Application security
• SIG Core-I_2_7_1. Application security
• OWASP ASVS-5_1_4. Input validation
• OWASP ASVS-5_2_1. Sanitization and sandboxing
• OWASP ASVS-5_2_2. Sanitization and sandboxing
• OWASP ASVS-5_2_3. Sanitization and sandboxing
• OWASP ASVS-5_2_7. Sanitization and sandboxing
• OWASP ASVS-5_3_3. Output encoding and injection prevention
• OWASP ASVS-5_3_5. Output encoding and injection prevention
• OWASP ASVS-5_3_6. Output encoding and injection prevention
• OWASP ASVS-5_4_2. Memory, string, and unmanaged code
• OWASP ASVS-5_5_3. Deserialization prevention
• OWASP ASVS-5_5_4. Deserialization prevention
• OWASP ASVS-7_3_1. Log protection
• OWASP ASVS-12_3_2. File execution
• OWASP ASVS-12_3_5. File execution
• OWASP ASVS-12_6_1. SSRF protection
• OWASP ASVS-13_3_1. SOAP web service
• OWASP ASVS-14_5_1. HTTP request header validation
• OWASP API Security Top 10-API4. Lack of Resources & Rate Limiting
• OWASP API Security Top 10-API8. Injection
• ISO/IEC 27001-8_20. Network controls
• ISO/IEC 27001-8_26. Application security requirements
• CASA-1_5_3. Input and Output Architecture
• CASA-3_5_1. Token-based Session Management
• CASA-5_1_4. Input Validation
• CASA-5_2_3. Sanitization and Sandboxing
• CASA-5_2_5. Sanitization and Sandboxing
• CASA-5_2_6. Sanitization and Sandboxing
• CASA-5_2_7. Sanitization and Sandboxing
• CASA-5_3_3. Output Encoding and Injection Prevention
• CASA-5_3_6. Output Encoding and Injection Prevention
• CASA-5_3_7. Output Encoding and Injection Prevention
• CASA-5_3_8. Output Encoding and Injection Prevention
• CASA-5_3_10. Output Encoding and Injection Prevention
• CASA-7_3_1. Log Protection
• CASA-8_1_3. General Data Protection

Vulnerabilities

• 001. SQL injection - C Sharp SQL API
• 004. Remote command execution
• 008. Reflected cross-site scripting (XSS)
• 010. Stored cross-site scripting (XSS)
• 012. SQL injection - Java Persistence API
• 021. XPath injection
• 023. Uncontrolled external site redirect - Host Header Injection
• 032. Spoofing
• 045. HTML code injection
• 061. Remote File Inclusion
• 063. Lack of data validation - Path Traversal
• 067. Improper resource allocation
• 083. XML injection (XXE)
• 089. Lack of data validation - Trust boundary violation
• 090. CSV injection
• 091. Log injection
• 093. Hidden fields manipulation
• 096. Insecure deserialization
• 097. Reverse tabnabbing
• 100. Server-side request forgery (SSRF)
• 103. Insufficient data authenticity validation - APK signing
• 105. Apache lucene query injection
• 106. NoSQL injection
• 107. LDAP injection
• 110. HTTP request smuggling
• 112. SQL injection - Java SQL API
• 121. HTTP parameter pollution
• 123. Local file inclusion
• 127. Lack of data validation - Type confusion
• 141. Lack of data validation - URL
• 146. SQL injection
• 154. Time-based SQL Injection
• 155. SQL Injection - Headers
• 156. Uncontrolled external site redirect
• 184. Lack of data validation
• 185. Lack of data validation - Header x-amzn-RequestId
• 186. Lack of data validation - Web Service
• 187. Lack of data validation - Source Code
• 188. Lack of data validation - Modify DOM Elements
• 189. Lack of data validation - Content Spoofing
• 190. Lack of data validation - Session Cookie
• 191. Lack of data validation - Responses
• 192. Lack of data validation - Reflected Parameters
• 193. Lack of data validation - Host Header Injection
• 194. Lack of data validation - Input Length
• 195. Lack of data validation - Headers
• 196. Lack of data validation - Dates
• 197. Lack of data validation - Numbers
• 198. Lack of data validation - Out of range
• 199. Lack of data validation - Emails
• 274. Restricted fields manipulation
• 297. SQL injection - Code
• 316. Improper resource allocation - Buffer overflow
• 317. Improper resource allocation - Memory leak
• 321. Lack of data validation - HTML code
• 323. XML injection (XXE) - Unmarshaller
• 327. Insufficient data authenticity validation - Images
• 340. Lack of data validation - Special Characters
• 341. Lack of data validation - OTP
• 344. Lack of data validation - Non Sanitized Variables
• 353. Lack of data validation - Token
• 355. Insufficient data authenticity validation - Checksum verification
• 371. DOM-Based cross-site scripting (XSS)
• 377. Insufficient data authenticity validation - Device Binding
• 382. Insufficient data authenticity validation - Front bypass
• 389. Insufficient data authenticity validation - JAR signing
• 390. Prototype Pollution
• 398. Fragment Injection
• 404. OS Command Injection
• 416. XAML injection
• 420. Password reset poisoning
• 422. Server side template injection
• 425. Server side cross-site scripting
• 429. Universal cross-site scripting (UXSS)
• 434. Client-side template injection

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.