Without knowing the character encoding accurately, data validation routines could be inadequate. A web application firewall, a web server, an application server, a database server, and other interpreters could each be susceptible, and susceptible in different ways, to malicious character encoding issues.
Common protection techniques include:
Specify proper character sets, such as UTF-8, for all sources of input. Encode data to a common character set before validating (Canonicalize). Use system components that support UTF-8 extended character sets and validate data after UTF-8 decoding is completed. NB: The key concept for this card is encoding.
Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed
Owasp ASVS (4.0): 1.5.3 ,13.2.2 ,13.2.5
Owasp SCP: 4,5,7,150
Owasp Appsensor: IE2-3,EE1-2
Safecode: 3,16,24
ASVS V1.5 - Input and Output Architectural Requirements
ASVS V13.2 - RESTful Web Service Verification Requirements
Loading comments 0%