Due to a failure of server-side input or output validation, encoding or sanitization, malicious code can be injected and treated as code rather than data, leading to code execution in the server application.
NB: This relates to actual exploitation of an injection vulnerability on the server side. See VE Q for the same attack client-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing, bypassable or badly implemented input/output validation, encoding or sanitization).
Gabe can inject data into a server-side interpreter (e.g. SQL, OS commands, XPath, server-side JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly.
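The card's point is that the fix is structural: use an interface where the interpreter receives untrusted input as a typed value, not as part of the statement text. The following is an added example, not part of the Cornucopia card, showing the same SQL lookup written both ways against an in-memory SQLite table; the table, the rows and the inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the card).
SAMPLE_USERS = [
    ("alice", "alice@example.test", 0),
    ("bob", "bob@example.test", 0),
    ("carol", "carol@example.test", 1),  # 1 = administrator
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string concatenation: the caller's text becomes SQL.

    This is the pattern the card describes (no parameterised interface); a value
    containing a quote changes the structure of the query instead of being data.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Uses a placeholder: the driver binds username as a value, never as SQL text."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a hostile input; return the row counts."""
    conn = build_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed input that closes the string literal
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, benign)),
        "benign_parameterised": len(lookup_parameterised(conn, benign)),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),
        "hostile_parameterised": len(lookup_parameterised(conn, hostile)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the benign input both functions return one row. With the hostile input the concatenated version returns every user, because the quote terminated the literal and the rest was parsed as SQL, while the parameterised version returns no rows, because it looked for a user whose name is literally that string. The same separation of code and data applies to the other interpreters the card lists: pass OS command arguments as a list without a shell, bind XPath variables where the library supports it, and never splice raw input into SMTP headers.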
OWASP ASVS (4.0): 5.2.1, 5.2.2, 5.3.4, 5.3.7-5.3.10
CAPEC: 23, 28, 76, 152, 160, 261
OWASP SCP: 15, 19, 20, 21, 22, 167, 180, 204, 211, 212
OWASP AppSensor: CIE1, CIE2
SAFECode: 2, 19, 20
ASVS V5.2 - Sanitization and Sandboxing Requirements
ASVS V5.3 - Output encoding and Injection Prevention Requirements