Skip to content

Stored Improper Input Validation Injection

Description

Improper input validation can lead to XSS vulnerabilities and other security issues. Stored code injections are attacks where malicious code (such as JavaScript) is injected into the application and stored in the database to be later executed. Stored XSS is one of those attacks. Stored XSS is when an XSS vulnerability originates from the database because of malicious code previously inserted in it.

Remediation

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

To effectively prevent XSS vulnerabilities, use a combination of the following measures:

  • Filter user input on arrival as strictly as possible, based on what you expect as legitimate input.
  • Encode user-controllable data as soons as it is outputted in HTTP reponses to prevent it from being interpreted as active content (ie. code). Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
  • Use the right headers to ensure that browsers interpret the responses the way you intended. For example, to prevent XSS in HTTP responses that are not supposed to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers.
  • Use Content Security Policy (CSP) to reduce the severity of any XSS vulnerability that still occurs.

GraphQL Specific

Apollo To mitigate the risk of injection vulnerabilities in the Apollo framework engine, ensure that all user-supplied input is properly validated and sanitized before processing. Utilize built-in security features such as input validation functions or libraries, and avoid directly incorporating user input into queries or commands. Additionally, implement parameterized queries or prepared statements to safely handle data input, and consistently apply these practices across the entire codebase to maintain a strong defense against injection attacks.
Yoga To mitigate the risk of improper input validation and injection vulnerabilities in the Yoga framework engine, ensure that all user-supplied input is validated, sanitized, and encoded appropriately before processing. Utilize built-in security features of the framework for input handling, and consider implementing additional layers of validation according to the context of the data usage. Avoid dynamic queries; instead, use parameterized statements or prepared statements to interact with the database. Regularly update the framework and its dependencies to incorporate security fixes and improvements.
Awsappsync To mitigate the risk of injection vulnerabilities in AWS AppSync, ensure that all user inputs are properly validated and sanitized before they are processed. Utilize AWS AppSync's built-in input validation mechanisms to define strict schemas and resolvers that enforce the correct data types and formats. Additionally, implement custom validation logic within resolver mapping templates where necessary. Always avoid directly passing user-controlled data into resolver functions without validation. By adhering to these practices, you can help prevent malicious actors from injecting unauthorized commands or queries into your GraphQL API.
Graphqlgo In the GraphQL Go framework, ensure proper input validation by using middleware or directives to sanitize and validate all user-supplied data. Implement strict type checking and utilize prepared statements or parameterized queries to prevent injection attacks. Regularly update dependencies to incorporate security fixes.
Graphqlruby In the GraphQL Ruby framework, ensure proper input validation by using the built-in argument validation mechanisms. Define custom validators or use the provided ones to check the types and values of the arguments before they are processed. Additionally, avoid directly interpolating user input into query strings or resolvers. Instead, leverage the framework's parameterization features to safely handle user input and protect against injection attacks.
Hasura To prevent improper input validation and injection vulnerabilities in Hasura, ensure that all user inputs are properly validated before being processed. Use Hasura's built-in input validation features to define strict types and validation rules for the input fields in your GraphQL schema. Additionally, leverage prepared statements and parameterized queries when executing SQL statements to avoid injection attacks. Regularly review and update your security policies to keep up with the latest best practices.
Agoo Implement strict input validation and sanitization for all user inputs in the Agoo framework to prevent stored XSS and other injection attacks.
Ariadne Implement input validation and sanitization in the Ariadne framework engine to prevent stored XSS by ensuring all user inputs are properly validated and sanitized before being stored in the database.
Caliban Implement strict input validation and sanitization for all user inputs to prevent stored XSS vulnerabilities in the Caliban framework engine.
Dgraph Implement strict input validation and sanitization on all user inputs before storing them in the Dgraph database to prevent stored XSS and other injection attacks.
Dianajl Implement input validation and sanitization mechanisms in the Dianajl framework engine to prevent the storage of malicious code in the database, ensuring that all user inputs are properly validated and sanitized before being processed or stored.
Directus Implement input validation and sanitization on all user inputs in the Directus framework to prevent stored XSS attacks. Ensure that data is properly escaped before being stored in the database and use security libraries to filter out malicious scripts.
Flutter Implement input validation and sanitization for all user inputs in the Flutter application to prevent stored XSS and other injection attacks. Use libraries and tools that provide secure input handling and ensure that any data stored in the database is properly escaped and validated before rendering in the UI.
Graphene Implement input validation and sanitization in the Graphene framework to prevent stored XSS by ensuring that all user inputs are properly validated and sanitized before being stored in the database.
Graphqlapiforwp Implement strict input validation and sanitization for all user inputs in the GraphQL API for WP framework to prevent stored XSS and other injection attacks.
Graphqlgophergo Implement strict input validation and sanitization for all user inputs in the GraphQLGopherGo framework to prevent stored XSS and other injection attacks.
Graphqljava Implement input validation and sanitization for all user inputs in the GraphQL Java framework to prevent stored XSS and other injection attacks.
Graphqlphp Implement strict input validation and sanitization for all user inputs in the GraphQL schema to prevent stored XSS and other injection attacks.
Graphqlyoga Implement input validation and sanitization for all user inputs in the GraphQL Yoga framework to prevent stored XSS and other injection attacks.
Hypergraphql Implement strict input validation and sanitization for all user inputs to prevent stored XSS vulnerabilities in the HyperGraphQL framework engine.
Jaal Implement input validation and sanitization in the Jaal framework engine to prevent stored XSS by ensuring all user inputs are properly validated and encoded before being stored in the database.
Juniper Implement input validation and sanitization in the Juniper framework engine to prevent stored XSS by ensuring all user inputs are properly validated and encoded before being stored in the database.
Lacinia Implement strict input validation and sanitization in the Lacinia framework engine to prevent stored XSS by ensuring that all user inputs are properly validated and encoded before being stored in the database.
Lighthouse Implement strict input validation and sanitization to prevent stored XSS vulnerabilities in the Lighthouse framework engine.
Mercurius Implement input sanitization and output encoding in the Mercurius framework to prevent stored XSS by ensuring all user inputs are properly validated and encoded before being stored or rendered.
Morpheusgraphql Implement strict input validation and sanitization for all user inputs in the MorpheusGraphQL engine to prevent stored XSS and other injection attacks.
Qglgen Implement input validation and sanitization in the gqlgen framework to prevent stored XSS by ensuring that all user inputs are properly validated and sanitized before being stored in the database.
Sangria Implement input validation and sanitization for all user inputs in the Sangria framework to prevent stored XSS vulnerabilities.
Shopify Implement input sanitization and output encoding to prevent stored XSS vulnerabilities in the Shopify framework.
Stepzen Implement strict input validation and sanitization in the StepZen framework to prevent stored XSS by ensuring that all user inputs are properly validated and encoded before being stored in the database.
Strawberry Implement input validation and sanitization in the Strawberry Framework engine to prevent stored XSS by ensuring all user inputs are properly validated and sanitized before being stored in the database.
Tartiflette Implement strict input validation and sanitization for all user inputs in the Tartiflette framework to prevent stored XSS and other injection attacks.
Wpgraphql Implement strict input validation and sanitization for all user inputs in the wpgraphql framework to prevent stored XSS and other injection attacks.

Configuration

Identifier: injection/improper_input_stored

Options

  • skip_objects : List of object that are to be skipped by the security test.

Examples

Ignore this check

checks:
  injection/improper_input_stored:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM02:2023
  • pci: 6.5.7
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 116

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References