Skip to main content

Lack of data validation

Description

The application does not control the the server side where you have permission to modify certain fields and allows the use of invalid data in some fields, for example, an ID composed of only letters.

Impact

Inject potentially malicious characters into application fields.

Recommendation

Validate on the server side the data types that are entered into different kind of fields in the application.

Threat

External attacker with access to the application.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

All user input is validated and sanitize before using it to access resources

func ErroneousString(request *http.Request) {
userId := request.id
if /[0-9]/.test(str){
sql.QueryRow(`INSERT INTO tbl $1`, userId)
}else{
return "Invalid User ID"
}

Non compliant code

The application performs a query with unvalidated user input

func ErroneousString(request *http.Request) {
userId := request.id
sql.QueryRow(`INSERT INTO tbl $1`, userId)
}

Requirements