
Lack of data validation - Responses

Description

The response data of some requests is reused in subsequent requests. When a client alters those response values to invalid data, the subsequent requests accept the tampered values without any validation.

Impact

The integrity of the requests processed by the server is compromised.

Recommendation

Always validate on the server side the type and contents of the data entered into every field of the application, including values that were previously returned in a response.

Threat

Attacker from intranet with access to the application.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.5
    • Temporal: 3.5
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The application uses user input only after validating its contents.

const signinHandler = (req, res) => {
  // get the user's credentials from the JSON body
  const { username, password } = req.body
  const expectedPassword = users[username]
  if (!expectedPassword || expectedPassword !== password) {
    res.status(401).end()
    return { status: 401 }
  }
  // only a successful sign-in produces session data for later requests
  return { status: 200, sessionData: { username } }
}

const returnSessionInfo = (req, res) => {
  const res1 = signinHandler(req, res)
  // Validate the first response before reusing it: its data is passed on
  // only when the sign-in actually succeeded
  if (res1.status === 200) {
    getUserInfo(req, res, res1.sessionData)
  }
}

Non compliant code

The application uses user input without server-side validation.

const signinHandler = (req, res) => {
  // get the user's credentials from the JSON body
  const { username, password } = req.body
  const expectedPassword = users[username]
  if (!expectedPassword || expectedPassword !== password) {
    res.status(401).end()
    return { status: 401 }
  }
  return { status: 200, sessionData: { username } }
}

const returnSessionInfo = (req, res) => {
  const res1 = signinHandler(req, res)
  // The first response is forwarded as-is: isValid only checks that
  // something came back, not that it is a successful, well-formed response
  if (isValid(res1)) {
    getInfo(res1, res)
  }
}

Requirements