R117. Do not interpret HTML code

Requirement

The client of business emails must not display HTML code by default.

Findings

References

  1. CAPEC-242: Code Injection. An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing.

  2. CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page. The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

  3. OWASP Top 10 A1:2017-Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  4. PCI DSS v3.2.1 - Requirement 6.5.1 Address common coding vulnerabilities in software-development processes such as injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy