Skip to main content

Lack of data validation - Source Code

Description

Within the source code there is evidence of the use of dangerous regular expressions, because they make use of complex operations to find matches, which can lead an attacker to send a specific string of data that could cause the server to crash when evaluating the string with the dangerous regular expression.

Impact

Generate server crash.

Recommendation

Securely configure the vulnerable service so, it can only be accessed by authorized users.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: H

Temporal

  • Exploit code madurity: P
  • Remediation level: X
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:X/RC:R
  • Score:
    • Base: 8.2
    • Temporal: 7.4
  • Severity:
    • Base: High
    • Temporal: High

Code Examples

Compliant code

The application uses user input only after validating/sanitizing the information

function ValidateEmail(mail){
if ({simpleRegex}).test(myForm.emailAddr.value)){
return (true)
}
//handle the exception when the email input is not valid
}

Non compliant code

The application uses user input without server side validation

function ValidateEmail(mail){
regex = {ComplexRegEx}
if regex.test(myForm.emailAddr.value)){
return (true)
}
//Code to handle the exception after the regex
}

Requirements