Read Time:4 Minute, 52 Second
Description
The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
CWE-707
CWE-345
CWE-22
CWE-41
CWE-74
CWE-119
CWE-770
Consequences
Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.
Confidentiality: Read Memory, Read Files or Directories
An attacker could read confidential data if they are able to control resource references.
Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands
An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.
Potential Mitigations
Phase: Architecture and Design
Description:
Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build “recognizers” for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
Phase: Architecture and Design
Description:
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Phase: Architecture and Design, Implementation
Description:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
Phase: Implementation
Effectiveness: High
Description:
Phase: Architecture and Design
Description:
Phase: Implementation
Description:
When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.
Phase: Implementation
Description:
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.
Phase: Implementation
Description:
Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input’s values fall within the expected range of allowable values and that multi-field consistencies are maintained.
Phase: Implementation
Description:
Phase: Implementation
Description:
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
CVE References
- CVE-2008-5305
- Eval injection in Perl program using an ID that should only contain hyphens and numbers.
- CVE-2008-2223
- SQL injection through an ID that was supposed to be numeric.
- CVE-2008-3477
- lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption.
- CVE-2008-3174
- driver in security product allows code execution due to insufficient validation
- CVE-2007-3409
- infinite loop from DNS packet with a label that points to itself
- CVE-2006-6870
- infinite loop from DNS packet with a label that points to itself
- CVE-2007-5893
- HTTP request with missing protocol version number leads to crash
- CVE-2006-6658
- request with missing parameters leads to information exposure
- CVE-2008-4114
- system crash with offset value that is inconsistent with packet size
- CVE-2006-3790
- size field that is inconsistent with packet size leads to buffer over-read
- CVE-2008-2309
- product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning
- CVE-2008-1284
- NUL byte in theme name causes directory traversal impact to be worse
- CVE-2008-0600
- kernel does not validate an incoming pointer before dereferencing it
- CVE-2008-1738
- anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution
- CVE-2008-1737
- anti-virus product allows DoS via zero-length field
- CVE-2008-3464
- driver does not validate input from userland to the kernel
- CVE-2008-2252
- kernel does not validate parameters sent in from userland, allowing code execution
- CVE-2008-2374
- lack of validation of string length fields allows memory consumption or buffer over-read
- CVE-2008-1440
- lack of validation of length field leads to infinite loop
- CVE-2008-1625
- lack of validation of input to an IOCTL allows code execution
- CVE-2007-2442
- zero-length input causes free of uninitialized pointer
- CVE-2008-3680
- packet with invalid version number leads to NULL pointer dereference
- CVE-2008-3660
- crash via multiple “.” characters in file extension