Description

The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-707
CWE-345
CWE-22
CWE-41
CWE-74
CWE-119
CWE-770

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.

Confidentiality: Read Memory, Read Files or Directories

An attacker could read confidential data if they are able to control resource references.

Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands

An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build “recognizers” for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]

Phase: Architecture and Design

Description: 

Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Phase: Architecture and Design, Implementation

Description: 

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.

Phase: Implementation

Effectiveness: High

Description: 

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.

Phase: Implementation

Description: 

Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.

Phase: Implementation

Description: 

Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input’s values fall within the expected range of allowable values and that multi-field consistencies are maintained.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CVE References

• CVE-2008-5305
  • Eval injection in Perl program using an ID that should only contain hyphens and numbers.

• CVE-2008-2223
  • SQL injection through an ID that was supposed to be numeric.

• CVE-2008-3477
  • lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption.

• CVE-2008-3843
  • insufficient validation enables XSS

• CVE-2008-3174
  • driver in security product allows code execution due to insufficient validation

• CVE-2007-3409
  • infinite loop from DNS packet with a label that points to itself

• CVE-2006-6870
  • infinite loop from DNS packet with a label that points to itself

• CVE-2008-1303
  • missing parameter leads to crash

• CVE-2007-5893
  • HTTP request with missing protocol version number leads to crash

• CVE-2006-6658
  • request with missing parameters leads to information exposure

• CVE-2008-4114
  • system crash with offset value that is inconsistent with packet size

• CVE-2006-3790
  • size field that is inconsistent with packet size leads to buffer over-read

• CVE-2008-2309
  • product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning

• CVE-2008-3494
  • security bypass via an extra header

• CVE-2008-3571
  • empty packet triggers reboot

• CVE-2006-5525
  • incomplete denylist allows SQL injection

• CVE-2008-1284
  • NUL byte in theme name causes directory traversal impact to be worse

• CVE-2008-0600
  • kernel does not validate an incoming pointer before dereferencing it

• CVE-2008-1738
  • anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution

• CVE-2008-1737
  • anti-virus product allows DoS via zero-length field

• CVE-2008-3464
  • driver does not validate input from userland to the kernel

• CVE-2008-2252
  • kernel does not validate parameters sent in from userland, allowing code execution

• CVE-2008-2374
  • lack of validation of string length fields allows memory consumption or buffer over-read

• CVE-2008-1440
  • lack of validation of length field leads to infinite loop

• CVE-2008-1625
  • lack of validation of input to an IOCTL allows code execution

• CVE-2008-3177
  • zero-length attachment causes crash

• CVE-2007-2442
  • zero-length input causes free of uninitialized pointer

• CVE-2008-5563
  • crash via a malformed frame structure

• CVE-2008-5285
  • infinite loop from a long SMTP request

• CVE-2008-3812
  • router crashes with a malformed packet

• CVE-2008-3680
  • packet with invalid version number leads to NULL pointer dereference

• CVE-2008-3660
  • crash via multiple “.” characters in file extension