DATA VALIDATION & ENCODING (VEQ)
Xavier can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes
Xavier can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes
OWASP SCP
10,15,16,19,20
OWASP ASVS
5.2.1,5.2.5,5.3.3,5.5.4
OWASP AppSensor
IE1,RP3
CAPEC
-
SAFECODE
2,17
Due a failure of client-side input or output validation, encoding or sanitization, malicious code can be injected and treated as code rather than data, leading to code execution in the client application.
NB: This relates to actual exploitation of an injection vulnerability on the client-side. See VE K for the same attack server-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing/by-passable/badly-implemented input/output validation, encoding or sanitization).
Mappings
OWASP ASVS (4.0): 5.2.1 ,5.2.5 ,5.3.3 ,5.5.4
OWASP SCP: 10,15,16,19,20
OWASP Appsensor: IE1,RP3
Safecode: 2,17
ASVS (4.0) Cheatsheetseries Index
ASVS V5.2 - Sanitization and Sandboxing Requirements
ASVS V5.3 - Output encoding and Injection Prevention Requirements
ASVS V5.5 - Deserialization Prevention Requirements
No suitable mappings were found.
