R160. Encode system outputs

Requirement

The system output must be encoded in the corresponding language (escaping).

Description

System components use structured messages to communicate with other components. When these messages include input from untrusted sources and this input is not properly escaped, they become prone to the insertion of malicious commands. For this reason, encoding or escaping must occur before sending the messages.

References

  1. CAPEC-18: XSS Targeting Non-Script Elements. This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (<!-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines.

  2. CAPEC-19: Embedding Scripts within Scripts. An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The adversary leverages this capability to execute their own script by embedding it within other scripts that the target software is likely to execute. The adversary must have the ability to inject their script into a script that is likely to be executed.

  3. CAPEC-32: XSS Through HTTP Query Strings. An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then proceeds to use the parameter values without properly validating them first and generates the HTML code that will be executed by the victim's browser.

  4. CAPEC-48: Passing Local Filenames to Functions That Expect a URL. This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser’s authority to local files.

  5. CAPEC-130: Excessive Allocation. An adversary causes the target to allocate excessive resources to servicing the attacker's request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be attacked, including bandwidth, processing cycles, or other resources.

  6. CAPEC-153: Input Data Manipulation. An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.

  7. CAPEC-240: Resource Injection. An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.

  8. CAPEC-242: Code Injection. An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing.

  9. CAPEC-248: Command Injection. An adversary looking to execute a command of their choosing injects new items into an existing command, thus modifying its interpretation away from what was intended.

  10. CWE-20: Improper Input Validation. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  11. CWE-79: Cross-site Scripting. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  12. CWE-116: Improper Encoding or Escaping of Output. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  13. CWE-117: Improper Output Neutralization for Logs. The software does not neutralize or incorrectly neutralizes output that is written to logs.

  14. CWE-173: Improper Handling of Alternate Encoding. The software does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.

  15. CWE-176: Improper Handling of Unicode Encoding. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  16. OWASP Top 10 A1:2017-Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  17. OWASP Top 10 A7:2017-Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

  18. OWASP-ASVS v4.0.1 V1.5 Input and Output Architectural Requirements (1.5.3). Verify that input validation is enforced on a trusted service layer.

  19. OWASP-ASVS v4.0.1 V1.5 Input and Output Architectural Requirements (1.5.4). Verify that output encoding occurs close to or by the interpreter for which it is intended.

  20. OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.1). Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g., names with Unicode or apostrophes, such as ねこ or O'Hara).

  21. OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.2). Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled.

  22. OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.3). Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS.

  23. OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.5). Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection.

  24. OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.6). Verify that the application protects against JavaScript or JSON injection attacks, including for eval attacks, remote JavaScript includes, CSP bypasses, DOM XSS, and JavaScript expression evaluation.

  25. OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.8). Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding.

  26. OWASP-ASVS v4.0.1 V7.3 Log Protection Requirements (7.3.1). Verify that the application appropriately encodes user-supplied data to prevent log injection.

  27. OWASP-ASVS v4.0.1 V7.3 Log Protection Requirements (7.3.2). Verify that all events are protected from injection when viewed in log viewing software.

  28. PCI DSS v3.2.1 - Requirement 6.5.1. Address common coding vulnerabilities in software-development processes such as injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws as well as other injection flaws.

  29. PCI DSS v3.2.1 - Requirement 6.5.7. Address common coding vulnerabilities in software-development processes such as cross-site scripting (XSS).

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.