R342. Validate request parameters

Requirement

The system must validate the content and length of all request parameters (GET, POST, cookies, headers, etc.) and the amount of them.

Description

Proper data validation prevents the vast majority of injection attacks. It covers the content, length and number of request parameters. Checking all three strengthens the defenses against HTTP parameter pollution and mass parameter assignment attacks, and provides countermeasures against unsafe parameter assignment.
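As an added, framework-agnostic illustration (not Fluid Attacks' code), the function below applies the three checks named above to a parsed query string: a cap on the number of parameters, positive validation of each name and value against a schema, and rejection of repeated names, which is how parameter pollution typically presents. The schema, limits and inputs are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed positive-validation schema: only these names are accepted, each with
# a maximum length and a pattern the entire value must match (fullmatch, so no
# partial or trailing-newline matches).
SCHEMA = {
    "username": (32, re.compile(r"[A-Za-z0-9_]+")),
    "page":     (4,  re.compile(r"[0-9]+")),
    "sort":     (8,  re.compile(r"asc|desc")),
}
MAX_PARAMS = 10  # constructed cap on the total number of parameters per request


def validate_params(query: str, schema=SCHEMA, max_params=MAX_PARAMS):
    """Validate a URL-encoded parameter string (query, form body, etc.).

    Returns (ok, params, errors). Rejects: too many parameters (amount),
    unknown names (mass assignment), repeated names (HTTP parameter pollution),
    over-long values (length) and values outside the whitelist (content).
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    errors = []
    if len(pairs) > max_params:
        errors.append(f"too many parameters: {len(pairs)} > {max_params}")
        return False, {}, errors
    accepted = {}
    for name, value in pairs:
        if name not in schema:
            errors.append(f"unexpected parameter: {name!r}")
            continue
        if name in accepted:
            errors.append(f"duplicate parameter (possible HPP): {name!r}")
            continue
        max_len, pattern = schema[name]
        if len(value) > max_len:
            errors.append(f"{name!r} exceeds {max_len} characters")
            continue
        if pattern.fullmatch(value) is None:
            errors.append(f"{name!r} has a value outside the allowed pattern")
            continue
        accepted[name] = value
    if errors:
        return False, {}, errors
    return True, accepted, []
```

Because unknown names are rejected rather than ignored, a request carrying an extra field such as a hypothetical `is_admin=1` fails validation instead of reaching an object binder.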

References

  1. CAPEC-6: Argument Injection. An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.

  2. CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies. This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server.

  3. CAPEC-32: XSS Through HTTP Query Strings. An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then proceeds to use the parameter values without properly validating them first and generates the HTML code that will be executed by the victim's browser.

  4. CAPEC-137: Parameter Injection. An adversary manipulates the content of request parameters for the purpose of undermining the security of the target.

  5. CAPEC-153: Input Data Manipulation. An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.

  6. CWE-20: Improper Input Validation. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  7. CWE-233: Improper Handling of Parameters. The software stores sensitive information without properly limiting read or write access by unauthorized actors.

  8. CWE-235: Improper Handling of Extra Parameters. The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

  9. CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes. The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

  10. OWASP Top 10 A1:2017-Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  11. OWASP-ASVS v4.0.1 V5.1 Input Validation Requirements (5.1.1). Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables).

  12. OWASP-ASVS v4.0.1 V5.1 Input Validation Requirements (5.1.2). Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar.

  13. OWASP-ASVS v4.0.1 V5.1 Input Validation Requirements (5.1.3). Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc.) is validated using positive validation (whitelisting).

  14. OWASP-ASVS v4.0.1 V8.1 General Data Protection (8.1.3). Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.