R044. Define an explicit charset

Requirement

All system files generated dynamically must have an explicitly defined character set (charset).

References

  1. CAPEC-242: Code Injection. An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing.

  2. CWE-116: Improper Encoding or Escaping of Output. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  3. CWE-173: Improper Handling of Alternate Encoding. The software does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.

  4. OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements. (5.3.1) Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL Parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g., names with Unicode or apostrophes, such as ねこ or O’Hara).

  5. OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements. (14.4.1) Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1).
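The following is an added example, not part of the Fluid Attacks requirement text, showing one way to enforce the requirement and the ASVS 14.4.1 check above in code. It parses a response's Content-Type header, flags text-like responses that declare no charset or a charset outside an allow-list, and generates an HTML file whose charset is declared both in the document and in the bytes written. The function names, the allow-list contents, the list of text-like content types and the sample headers are assumptions constructed for this example.

```python
"""Check that dynamically generated HTTP responses and files declare an explicit charset.

Added example, not from the Fluid Attacks page. The allow-list of safe charsets
follows the ASVS 14.4.1 examples (UTF-8, ISO 8859-1); all sample headers are constructed.
"""
from email.message import Message  # stdlib parser for Content-Type parameters

# Charsets accepted by this check (assumption: taken from the ASVS 14.4.1 examples).
SAFE_CHARSETS = frozenset({"utf-8", "iso-8859-1"})

# Non-text/* types that clients still decode as text and will sniff when no charset
# is declared. application/json is deliberately absent: RFC 8259 defines it as UTF-8
# and does not register a charset parameter for it.
TEXT_TYPES = frozenset({"application/javascript", "application/xml", "image/svg+xml"})


def parse_content_type(value):
    """Return (mime_type, charset) for a Content-Type value; charset is None when absent.

    Both values are lower-cased, and quoted parameter values are unquoted.
    """
    msg = Message()
    msg["Content-Type"] = value
    return msg.get_content_type(), msg.get_content_charset()


def needs_charset(mime_type):
    """True for content a client will interpret as text."""
    return mime_type.startswith("text/") or mime_type in TEXT_TYPES


def check_response(headers):
    """Return a list of findings for one response's headers (header names are case-insensitive)."""
    lowered = {name.lower(): val for name, val in headers.items()}
    content_type = lowered.get("content-type")
    if content_type is None:
        return ["missing Content-Type header"]
    mime_type, charset = parse_content_type(content_type)
    if not needs_charset(mime_type):
        return []
    if charset is None:
        return [f"{mime_type}: no charset declared"]
    if charset not in SAFE_CHARSETS:
        return [f"{mime_type}: charset {charset!r} is not in the allow-list"]
    return []


def html_document(body, charset="utf-8"):
    """Build an HTML page that declares its charset in-band via <meta charset>.

    Placing the declaration in <head> keeps it within the first bytes browsers
    scan, so the file is decoded correctly even when served without HTTP headers.
    """
    return (
        "<!DOCTYPE html>\n<html>\n<head>\n"
        f'<meta charset="{charset}">\n'
        "<title>Generated</title>\n</head>\n<body>\n"
        f"{body}\n</body>\n</html>\n"
    )


def write_generated_file(path, body, charset="utf-8"):
    """Write a generated HTML file with an explicit encoding (never the platform default).

    Returns the number of bytes written.
    """
    data = html_document(body, charset).encode(charset)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


# Constructed sample responses: the first is compliant, the rest illustrate findings
# or the application/json exemption.
SAMPLE_RESPONSES = [
    {"Content-Type": "text/html; charset=UTF-8"},
    {"Content-Type": "text/html"},
    {"Content-Type": 'text/plain; charset="utf-7"'},
    {"content-type": "application/json"},
    {},
]

if __name__ == "__main__":
    for sample in SAMPLE_RESPONSES:
        print(sample, "->", check_response(sample) or ["ok"])
```

The checker runs over captured response headers, so it can sit in an integration test or a proxy-based scan; `html_document` and `write_generated_file` show the complementary generation side, where the charset is fixed both in the document and in the bytes on disk rather than left to the runtime's locale default.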

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
