Use consistent encoding
Summary
System components must use the same encodings and parsers.
Description
System components use structured messages to communicate with one another. When these messages carry input from untrusted sources and that input is not properly escaped, they become prone to the injection of malicious commands. Part of the escaping process can be done by encoding the output messages, but every component must encode and decode in the same way: otherwise an attacker can exploit the differences in parsing behavior between components, as happens in Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) attacks.
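The parser mismatch described above, as an added example that is not part of the original page or of any Fluid Attacks code: a front component checks a request path as received, while the file-serving component percent-decodes it before touching the filesystem, so the two see different strings. The hardened function decodes exactly once, normalizes, and validates the same canonical value the consumer will use. `DOCUMENT_ROOT`, the function names and the sample paths are constructed for this illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the example.
DOCUMENT_ROOT = "/srv/app/public"


def gateway_check(raw_path: str) -> bool:
    """Front component (inconsistent): inspects the path exactly as received,
    without percent-decoding, so '%2e%2e' does not look like '..' to it."""
    return ".." not in raw_path


def file_component_path(raw_path: str) -> str:
    """Back component (inconsistent): percent-decodes before mapping to disk.
    It therefore interprets the same bytes differently from gateway_check."""
    decoded = unquote(raw_path)
    return posixpath.normpath(posixpath.join(DOCUMENT_ROOT, decoded.lstrip("/")))


def canonical_path(raw_path: str) -> Optional[str]:
    """Hardened: one decoding step, one normalization, one containment check.
    Returns the canonical absolute path, or None when the request must be rejected.
    Every component that handles the request should consume this value rather
    than re-parsing the raw input with its own rules."""
    decoded = unquote(raw_path)
    # Decoding exactly once is the contract; residual '%' means the input was
    # encoded more than once, so reject it instead of decoding again.
    if "%" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(DOCUMENT_ROOT, decoded.lstrip("/")))
    if candidate != DOCUMENT_ROOT and not candidate.startswith(DOCUMENT_ROOT + "/"):
        return None
    return candidate


def compare(raw_path: str) -> dict:
    """Shows what each component concludes about the same request."""
    return {
        "gateway_allows": gateway_check(raw_path),
        "file_component_opens": file_component_path(raw_path),
        "canonical": canonical_path(raw_path),
    }


if __name__ == "__main__":
    for sample in ("/docs/readme.txt", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/secret"):
        print(sample, compare(sample))
```

Run stand-alone, the second sample passes the raw check yet resolves outside `DOCUMENT_ROOT` in the decoding component, while `canonical_path` rejects it; the third sample is double-encoded and is rejected rather than decoded a second time.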
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CAPEC™-33. HTTP request smuggling
- CAPEC™-43. Exploiting multiple input interpretation layers
- CAPEC™-153. Input data manipulation
- CWE™-116. Improper encoding or escaping of output
- CWE™-838. Inappropriate encoding for output context
- OWASP TOP 10-A4. Insecure design
- OWASP-M TOP 10-M1. Improper platform usage
- OWASP-M TOP 10-M7. Poor code quality
- Agile Alliance-11. Best architectures, requirements, and designs
- BIZEC-APP-APP-05. Directory traversal
- HITRUST CSF-09_v. Electronic messaging
- HITRUST CSF-10_e. Output data validation
- ISO/IEC 27002-8_28. Secure coding
- ISA/IEC 62443-IAC-1_13. Access via untrusted networks
- WASSEC-5_3. Parser tolerance
- NIST SSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- PTES-6_2_1_1. Exploitation - Countermeasures (anti-virus encoding)
- CWE TOP 25-918. Server-side request forgery (SSRF)
- OWASP SAMM-SA_3. Control the software design process and validate utilization of secure components
- OWASP ASVS-5_3_9. Output encoding and injection prevention
- OWASP ASVS-12_3_3. File execution
- OWASP ASVS-13_1_1. Generic web service security
- SANS 25-21. Server-Side Request Forgery (SSRF)
- ISO/IEC 27001-8_28. Secure coding
- CASA-5_3_9. Output Encoding and Injection Prevention
- CASA-13_1_1. Generic Web Service Security