R160. Encode system outputs

Requirement

System output must be encoded (escaped) according to the language or interpreter that will consume it.

Description

System components use structured messages (HTML pages, SQL queries, shell command lines, URLs, log records) to communicate with other components. When these messages include input from untrusted sources and that input is not properly escaped, an attacker can alter the structure of the message and insert commands that the receiving interpreter will execute. For this reason, encoding or escaping must occur before the message is sent, using the encoder that matches the interpreter and the context the data lands in (HTML body, HTML attribute, JavaScript string, URL parameter, SQL, OS command, log entry), and as close to that interpreter as possible.
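The following is an added example (not code from the original page or from Fluid Attacks) showing one encoder per sink and the same constructed untrusted value going through each of them. Function and constant names are illustrative; it relies only on the Python standard library.

```python
"""Context-aware output encoding: one encoder per interpreter.

Added example. The untrusted value below is constructed for this
demonstration and mixes HTML, JavaScript, URL, shell and log
metacharacters so that every encoder has something to neutralize.
"""
import html
import json
import re
import shlex
import urllib.parse

# Constructed untrusted input (e.g. a display name submitted by a user).
UNTRUSTED = '<script>alert(1)</script>" onmouseover="x\nINFO user=admin'


def encode_html_text(value: str) -> str:
    """Text node in an HTML document: &, <, >, " and ' become entities.
    Non-ASCII characters are left intact (ASVS 5.3.2)."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Double-quoted attribute value; the caller must wrap it in quotes."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """String literal inside a <script> block. json.dumps escapes quotes,
    backslashes and control characters; <, > and & are escaped as well so
    that a literal '</script>' cannot terminate the script block."""
    encoded = json.dumps(value)
    return (encoded.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def encode_url_param(value: str) -> str:
    """Value of a single query-string parameter (everything but
    unreserved characters is percent-encoded)."""
    return urllib.parse.quote(value, safe='')


def encode_shell_arg(value: str) -> str:
    """One argument on a POSIX shell command line. Prefer passing an argv
    list to subprocess; quoting is the fallback when a shell is required."""
    return shlex.quote(value)


_LOG_CTRL = re.compile(r'[\x00-\x1f\x7f]')


def encode_log_value(value: str) -> str:
    """Field written into a log line: CR, LF and other control characters
    are rendered as \\xNN so a value cannot forge a second record (CWE-117)."""
    return _LOG_CTRL.sub(lambda m: '\\x%02x' % ord(m.group(0)), value)


def build_page_unsafe(name: str) -> str:
    """The vulnerable pattern: untrusted data concatenated into HTML."""
    return f'<p>Hello {name}</p>'


def build_page(name: str) -> str:
    """Each occurrence of the value is encoded for the context it lands in."""
    return (
        f'<p>Hello {encode_html_text(name)}</p>\n'
        f'<input value="{encode_html_attr(name)}">\n'
        f'<script>var user = {encode_js_string(name)};</script>\n'
        f'<a href="/profile?user={encode_url_param(name)}">profile</a>\n'
    )


def build_log_line(name: str) -> str:
    """Structured log record whose untrusted field cannot break the line."""
    return f'INFO login user={encode_log_value(name)}'


if __name__ == '__main__':
    print(build_page_unsafe(UNTRUSTED))
    print(build_page(UNTRUSTED))
    print(build_log_line(UNTRUSTED))
    print('sh -c', 'greet', encode_shell_arg(UNTRUSTED))
```

Note that the same input gets a different encoder for each sink: the HTML encoder alone would not protect the JavaScript literal (it would leave the closing quote of the JSON string unescaped in a script context), and neither would protect the log line, which is why the encoder must be chosen by the interpreter that receives the data.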

References

  1. CWE-20: Improper Input Validation. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  2. CWE-79: Cross-site Scripting. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  3. CWE-116: Improper Encoding or Escaping of Output. The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

  4. CWE-117: Improper Output Neutralization for Logs. The software does not neutralize or incorrectly neutralizes output that is written to logs.

  5. CWE-176: Improper Handling of Unicode Encoding. The software does not properly handle when an input contains Unicode encoding.

  6. BSIMM9 SE3.2 Use code protection.

  7. OWASP-ASVS v4.0.1 V1.5 Input and Output Architectural Requirements.(1.5.3) Verify that input validation is enforced on a trusted service layer.

  8. OWASP-ASVS v4.0.1 V1.5 Input and Output Architectural Requirements.(1.5.4) Verify that output encoding occurs close to or by the interpreter for which it is intended.

  9. OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements.(5.3.1) Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL Parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O’Hara).

  10. OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements.(5.3.2) Verify that output encoding preserves the user’s chosen character set and locale, such that any Unicode character point is valid and safely handled.

  11. OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements.(5.3.3) Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS.

  12. OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements.(5.3.5) Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection.

  13. OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements.(5.3.6) Verify that the application protects against JavaScript or JSON injection attacks, including for eval attacks, remote JavaScript includes, CSP bypasses, DOM XSS, and JavaScript expression evaluation.

  14. OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements.(5.3.8) Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding.

  15. OWASP-ASVS v4.0.1 V7.3 Log Protection Requirements.(7.3.1) Verify that the application appropriately encodes user-supplied data to prevent log injection.

  16. OWASP-ASVS v4.0.1 V7.3 Log Protection Requirements.(7.3.2) Verify that all events are protected from injection when viewed in log viewing software.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.