Validate request parameters
Summary
The system must validate the content and length of all request parameters (GET, POST, cookies, headers, etc.), as well as their amount.
Description
Proper data validation prevents a vast majority of injection attacks. Its implementation includes validations of request parameters content, length and amount. This increases the defenses against HTTP parameter pollution attacks and mass parameter assignment attacks, and provides countermeasures to protect against unsafe parameter assignment.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-6. Argument injection
- CAPEC™-31. Accessing/Intercepting/Modifying HTTP cookies
- CAPEC™-32. XSS through HTTP query strings
- CAPEC™-137. Parameter injection
- CAPEC™-153. Input data manipulation
- CWE™-130. Buffer copy without checking size of input ("classic buffer overflow")
- CWE™-233. Improper handling of parameters
- CWE™-235. Improper handling of extra parameters
- CWE™-290. Authentication bypass by spoofing
- CWE™-539. Use of persistent cookies containing sensitive information
- CWE™-598. Use of GET request method with sensitive query strings
- CWE™-915. Improperly controlled modification of dynamically-determined object attributes
- OWASP TOP 10-A3. Injection
- OWASP TOP 10-A8. Software and data integrity failures
- CERT-J-IDS16-J. Prevent XML injection
- SANS 25-5. Improper neutralization of special elements used in an OS command (OS command injection)
- SANS 25-6. Improper input validation
- SANS 25-8. Improper limitation of a pathname to a restricted directory (path traversal)
- HITRUST CSF-10_b. Input data validation
- ISO/IEC 27002-8_28. Secure coding
- WASSEC-6_2_5_3. Information disclosure - Path traversal
- OSSTMM3-11_6_2. Data networks security (trust verification) - Pishing
- WASC-A_12. Content spoofing
- WASC-A_33. Path traversal
- NIST SSDF-PW_5_1. Archive and protect each software release
- ISSAF-F_5_9. Network security - Router security assessment (configure ingress filtering)
- ISSAF-T_16_1. Web application assessment - Input validation (validate data)
- ISSAF-U_15. Web application SQL injections – Countermeasures
- ISSAF-V_7. Application security - Source code auditing (session management)
- ISSAF-V_9. Application security - Source code auditing (data and input validation)
- OWASP SCP-1. Input validation
- CWE TOP 25-20. Improper input validation
- CWE TOP 25-22. Improper limitation of a pathname to a restricted directory (path traversal)
- CWE TOP 25-78. Improper neutralization of special elements used in an OS command (OS command injection)
- OWASP ASVS-5_1_1. Input validation
- OWASP ASVS-5_1_3. Input validation
- OWASP ASVS-12_3_1. File execution
- SIG Core-I_3_4_6. Application security
- CWE™-22. Improper limitation of a pathname to a restricted directory ("path traversal")
- OWASP ASVS-5_1_4. Input validation
- OWASP ASVS-5_2_1. Sanitization and sandboxing
- OWASP ASVS-5_3_3. Output encoding and injection prevention
- OWASP ASVS-5_3_5. Output encoding and injection prevention
- OWASP ASVS-5_3_6. Output encoding and injection prevention
- OWASP ASVS-13_2_2. RESTful web service
- OWASP API Security Top 10-API4. Lack of Resources & Rate Limiting
- ISO/IEC 27001-8_28. Secure coding
- CASA-5_1_1. Input Validation
- CASA-5_1_3. Input Validation
- CASA-5_1_4. Input Validation
- CASA-5_3_3. Output Encoding and Injection Prevention
- CASA-5_3_6. Output Encoding and Injection Prevention
- CASA-13_2_1. RESTful Web Service
- OWASP MASVS-CODE-4. The app validates and sanitizes all untrusted inputs
Vulnerabilities
- 063. Lack of data validation - Path Traversal
- 089. Lack of data validation - Trust boundary violation
- 121. HTTP parameter pollution
- 127. Lack of data validation - Type confusion
- 138. Inappropriate coding practices
- 184. Lack of data validation
- 185. Lack of data validation - Header x-amzn-RequestId
- 186. Lack of data validation - Web Service
- 187. Lack of data validation - Source Code
- 188. Lack of data validation - Modify DOM Elements
- 189. Lack of data validation - Content Spoofing
- 190. Lack of data validation - Session Cookie
- 191. Lack of data validation - Responses
- 192. Lack of data validation - Reflected Parameters
- 193. Lack of data validation - Host Header Injection
- 194. Lack of data validation - Input Length
- 195. Lack of data validation - Headers
- 196. Lack of data validation - Dates
- 197. Lack of data validation - Numbers
- 198. Lack of data validation - Out of range
- 199. Lack of data validation - Emails
- 432. Inappropriate coding practices - relative path command
free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.