Use consistent encoding
Summary
System components must use the same encodings and parsers.
Description
System components use structured messages to communicate with other components. When these messages include input from untrusted sources and that input is not properly escaped, they become vulnerable to the injection of malicious commands. Part of the escaping process can be done by encoding the output messages. However, all components must use the same encoding and the same parsing rules; otherwise an attacker can exploit the differences in how each component interprets the same message, as in Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) attacks.
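The following Python example is added here to illustrate the requirement; it is not part of the original page. It models two components (a gateway that validates a file-name parameter and a backend that uses it) and contrasts a pipeline in which the two parse the value differently with one in which both share a single canonicalization step before validation. The component names, policy and sample inputs are all constructed for the illustration.

```python
import unicodedata
from urllib.parse import unquote

# Bound on decoding rounds: a value that never stabilises is rejected
# rather than passed on in an ambiguous state.
MAX_DECODE_ROUNDS = 3


def canonicalize(value: str) -> str:
    """Shared decoder used by every component.

    Percent-decodes until the value stops changing (bounded), then applies
    Unicode NFC normalization so all components see one canonical form.
    Raises ValueError when decoding does not converge within the bound.
    """
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return unicodedata.normalize("NFC", decoded)
        current = decoded
    raise ValueError("input did not reach a stable decoding")


def is_safe_filename(name: str) -> bool:
    """Policy for a single path segment; must be applied to the canonical form."""
    if not name or name in (".", ".."):
        return False
    return not any(ch in name for ch in "/\\\x00")


def inconsistent_pipeline(raw: str):
    """Gateway validates the raw string, backend decodes before use (weak).

    Returns (gateway_verdict, value_the_backend_actually_uses) so the
    divergence between the two parsers is visible.
    """
    gateway_ok = is_safe_filename(raw)   # sees no separator in the encoded form
    backend_uses = unquote(raw)          # backend applies its own decoding
    return gateway_ok, backend_uses


def consistent_pipeline(raw: str):
    """Both components use canonicalize(); validation runs on the same form
    the backend consumes. Returns (accepted, canonical_value_or_None)."""
    try:
        canon = canonicalize(raw)
    except ValueError:
        return False, None
    if not is_safe_filename(canon):
        return False, None
    return True, canon
```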
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CAPEC™-33. HTTP request smuggling
- CAPEC™-43. Exploiting multiple input interpretation layers
- CAPEC™-153. Input data manipulation
- CWE™-116. Improper encoding or escaping of output
- CWE™-838. Inappropriate encoding for output context
- OWASP TOP 10-A4. Insecure design
- OWASP-M TOP 10-M1. Improper platform usage
- OWASP-M TOP 10-M7. Poor code quality
- Agile Alliance-11. Best architectures, requirements, and designs
- BIZEC-APP-APP-05. Directory traversal
- HITRUST CSF-09_v. Electronic messaging
- HITRUST CSF-10_e. Output data validation
- ISO/IEC 27002-8_28. Secure coding
- ISA/IEC 62443-IAC-1_13. Access via untrusted networks
- WASSEC-5_3. Parser tolerance
- NIST SSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- PTES-6_2_1_1. Exploitation - Countermeasures (anti-virus encoding)
- CWE TOP 25-918. Server-side request forgery (SSRF)
- OWASP SAMM-SA. Security Architecture
- OWASP ASVS-5_3_9. Output encoding and injection prevention
- OWASP ASVS-12_3_3. File execution
- OWASP ASVS-13_1_1. Generic web service security
- ISO/IEC 27001-8_28. Secure coding
- CASA-5_3_9. Output Encoding and Injection Prevention
- CASA-13_1_1. Generic Web Service Security
- OWASP API Security Top 10-API7. Server Side Request Forgery
- SANS 25-19. Server-side request forgery (SSRF)