DATA VALIDATION & ENCODING (VEK)
Gabe can inject data into an server-side interpreter (e.g. SQL, OS commands, Xpath, Server JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly
Gabe can inject data into an server-side interpreter (e.g. SQL, OS commands, Xpath, Server JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly
OWASP SCP
15,19,20,21,22,167,180,204,211,212
OWASP ASVS
5.2.1,5.2.2,5.3.4,5.3.7,5.3.8,5.3.9,5.3.10
OWASP AppSensor
CIE1,CIE2
CAPEC
-
SAFECODE
2,19,20
Due a failure of server-side input or output validation, encoding or sanitization, malicious code can be injected and treated as code rather than data, leading to code execution in the server application.
NB: This relates to actual exploitation of an injection vulnerability on the server-side. See VE Q for the same attack client-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing/by-passable/badly-implemented input/output validation, encoding or sanitization).
Mappings
OWASP ASVS (4.0): 5.2.1 ,5.2.2 ,5.3.4 ,5.3.7 ,5.3.8 ,5.3.9 ,5.3.10
Capec: 23 ,28 ,76 ,152 ,160 ,261
OWASP SCP: 15,19,20,21,22,167,180,204,211,212
OWASP Appsensor: CIE1,CIE2
Safecode: 2,19,20
ASVS (4.0) Cheatsheetseries Index
ASVS V5.2 - Sanitization and Sandboxing Requirements
ASVS V5.3 - Output encoding and Injection Prevention Requirements
No suitable mappings were found.
