
Discard unsafe inputs

Requirement

The system must discard all potentially harmful information received via data inputs.

Description

Technological devices and, in particular, applications must be able to notice when the information they receive does not correspond to their operational purposes, so that it can be treated properly (for example, by rejecting it and/or generating timely alerts) and does not affect operation negatively. Typical examples are: SQL queries, JavaScript code, OS commands or LDAP queries in application fields and parameters; text containing undesired special characters, alone or in combination, in fields and parameters; files whose structure and extension have been manipulated before being uploaded to an application or technology artifact; and, in general, any information that does not match the requested format. A large share of the incoming traffic of a technological artifact does not correspond to its operational purposes; this traffic must also be taken into account, and controls and proper treatment applied to it.

Implementation

  1. Perform whitelisting instead of blacklisting: Under this principle, the control is configured to reject every input that is not explicitly approved. This discards all other cases at once, instead of trying to enumerate harmful ones, and forces a strict enumeration of the inputs that are allowed (e.g., allow only a-z, A-Z and 0-9).

  2. Use variable highlighting: Where supported, the language and compiler can detect foreign (externally supplied) variables that have not passed through a validation filter. To this end, use techniques that mark such variables, together with compilers or pre-processors that detect when they are used without having been validated.

  3. Not only user validation but also input validation: Any input from outside the application must be considered malicious. In other words, the user may enter incorrect information as well as potentially harmful inputs that could also compromise external systems; therefore all such information must be validated.
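As an added example (not from the original page), the following Python implements the allowlisting approach from the steps above: each field accepts only an explicitly enumerated character set and length, parameters without a rule are discarded, and rejected entries are reported so the caller can alert. The field names, patterns and sample request are hypothetical, constructed for illustration.

```python
import re

# Allowlist per field: each rule enumerates exactly what is accepted, so
# anything else is discarded without trying to enumerate harmful inputs.
# Field names and patterns are hypothetical, chosen for illustration.
FIELD_RULES = {
    # the example from the text: only a-z, A-Z and 0-9, bounded in length
    "username": re.compile(r"\A[A-Za-z0-9]{3,32}\Z"),
    "order_id": re.compile(r"\A[0-9]{1,12}\Z"),
    # one base name plus exactly one approved extension ("x.php.pdf" fails)
    "upload_name": re.compile(r"\A[A-Za-z0-9_-]{1,64}\.(png|jpg|pdf)\Z"),
}

class RejectedInput(ValueError):
    """Raised when a value does not match the allowlist for its field."""

def validate_field(field: str, value: object) -> str:
    """Return the value unchanged only if it is a str matching its allowlist."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise RejectedInput(f"{field}: no allowlist defined, input discarded")
    # fullmatch with \A...\Z anchors: any extra character, including a
    # trailing newline that a bare $ would tolerate, fails the whole value
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise RejectedInput(f"{field}: value does not match allowlist")
    return value

def is_allowed(field: str, value: object) -> bool:
    try:
        validate_field(field, value)
        return True
    except RejectedInput:
        return False

def validate_request(params: dict) -> dict:
    """Validate every parameter; those with no allowlist are discarded too.
    Rejected entries report the field name only, never the raw value, so
    hostile content does not end up in logs or alerts."""
    accepted, rejected = {}, []
    for field, value in params.items():
        try:
            accepted[field] = validate_field(field, value)
        except RejectedInput:
            rejected.append(field)
    return {"accepted": accepted, "rejected": rejected}

# Constructed sample request: well-formed values plus a field with no rule.
CONSTRUCTED_REQUEST = {"username": "alice01", "order_id": "42",
                       "upload_name": "report.pdf", "comment": "free text"}
```

Because the rules enumerate what is allowed, quotes, shell metacharacters, LDAP filter syntax, double extensions and even a non-string value are all rejected by the same check, with no list of bad patterns to maintain.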

Attacks

  1. Inject malicious software or code.
  2. Denial of service caused by register overload.
  3. Cross-Site Scripting (XSS).
  4. OS command injection.
  5. SQL injection.
  6. LDAP injection.
  7. Redirect to untrusted pages.

Attributes

  • Layer: Application layer
  • Asset: Source code
  • Scope: Maturity
  • Phase: Building
  • Type of control: Recommendation
