DATA VALIDATION & ENCODING (VE7)

Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed

OWASP SCP: 4, 5, 7, 150
OWASP ASVS: 1.5.3, 13.2.2, 13.2.5
OWASP AppSensor: IE2, IE3, EE1, EE2
CAPEC: -
SAFECODE: 3, 16, 24

How to play?

Without knowing the character encoding accurately, data validation routines could be inadequate. A web application firewall, a web server, an application server, a database server, and other interpreters could each be susceptible, and susceptible in different ways, to malicious character encoding issues.

Common protection techniques include:

  • Specify proper character sets, such as UTF-8, for all sources of input.
  • Encode data to a common character set before validating (canonicalize).
  • Use system components that support UTF-8 extended character sets, and validate data only after UTF-8 decoding is completed.

NB: The key concept for this card is encoding.
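The three techniques above, carried through in one short Python routine. This is an added example, not code from the Cornucopia project: a hypothetical `canonicalize` step enforces strict UTF-8, undoes exactly one layer of percent-encoding and rejects input that is still encoded afterwards, then applies Unicode NFKC normalization; only the resulting canonical string is checked against an allow-list (a constructed username rule). The sample inputs are constructed.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed allow-list rule applied only to canonical text.
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_]{3,32}\Z")


def canonicalize(raw: bytes) -> str:
    """Bytes from the wire -> one canonical Unicode string, or ValueError."""
    # 1. Enforce the declared character set. Python's strict UTF-8 decoder
    #    rejects malformed and overlong sequences (e.g. b"\xc0\xaf" for "/").
    text = raw.decode("utf-8", errors="strict")

    # 2. Undo exactly one layer of percent-encoding. If a second pass would
    #    change the value again, the input was encoded more than once and is
    #    rejected rather than decoded further.
    once = unquote(text, errors="strict")
    if unquote(once, errors="strict") != once:
        raise ValueError("multiply encoded input")

    # 3. Normalize so compatibility variants (fullwidth letters, ligatures)
    #    collapse to one representation before any validation runs.
    return unicodedata.normalize("NFKC", once)


def validate_username(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, canonical value or reason); validate after canonicalizing."""
    try:
        name = canonicalize(raw)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError subclass
        return False, f"rejected before validation: {exc}"
    if USERNAME_RE.fullmatch(name):
        return True, name
    return False, f"invalid after canonicalization: {name!r}"


if __name__ == "__main__":
    # Constructed inputs: plain ASCII, fullwidth 'a' (U+FF41), double-encoded
    # dots, an overlong UTF-8 sequence, and a forbidden character.
    for sample in (b"alice_01", b"\xef\xbd\x81lice", b"%252e%252e", b"\xc0\xaf", b"al<ice"):
        print(sample, "->", validate_username(sample))
```

The order matters: decoding and normalization happen first, and the allow-list sees only the final form, so the same check cannot be bypassed by choosing a different encoding of the same characters. Rejecting double-encoded input outright is safer than decoding in a loop, because each decoder in the chain (proxy, web server, application) may otherwise unwrap a different number of layers.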

Mappings

OWASP ASVS (4.0): 1.5.3, 13.2.2, 13.2.5

CAPEC: 28, 153, 165

OWASP SCP: 4, 5, 7, 150

OWASP AppSensor: IE2, IE3, EE1, EE2

SAFECODE: 3, 16, 24

ASVS (4.0) Cheat Sheet Series Index

ASVS V1.5 - Input and Output Architectural Requirements

ASVS V13.2 - RESTful Web Service Verification Requirements

No suitable mappings were found.

Attacks

SQL Injection

Cross-Site Scripting (XSS)

Command Injection

Buffer Overflow

OWASP Cornucopia

  • OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic, and is free to use.
  • OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence to this one.
  • © 2012-2025 OWASP Foundation. The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.