Improper Input Validation Injection

Description

Improper input validation can lead to XSS vulnerabilities and other security issues. XSS (Cross-site scripting) is an attack where malicious code (eg. JavaScript) is injected into the application and executed.

Remediation

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

To effectively prevent XSS vulnerabilities, use a combination of the following measures:

• Filter user input on arrival as strictly as possible, based on what you expect as legitimate input.
• Encode user-controllable data as soons as it is outputted in HTTP reponses to prevent it from being interpreted as active content (ie. code). Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
• Use the right headers to ensure that browsers interpret the responses the way you intended. For example, to prevent XSS in HTTP responses that are not supposed to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers.
• Use Content Security Policy (CSP) to reduce the severity of any XSS vulnerability that still occurs.

GraphQL Specific

Apollo

To mitigate the risk of injection vulnerabilities in the Apollo framework engine, ensure that all user-supplied input is properly validated and sanitized before processing. Utilize built-in security features such as parameterized queries or prepared statements to handle user input. Additionally, implement input validation checks to reject any suspicious or malformed data. Regularly update the Apollo framework to incorporate the latest security patches and follow best practices for secure coding.

Yoga

To prevent improper input validation injection in the Yoga framework engine, ensure that all user-supplied input is validated, sanitized, and encoded before processing. Utilize built-in functions for input validation, employ whitelisting techniques to allow only permitted values, and leverage context-specific output encoding to mitigate injection risks. Additionally, consider implementing a Content Security Policy (CSP) to reduce the impact of any successful injection attacks.

Awsappsync

To mitigate the risk of injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is properly validated and sanitized. Use AWS AppSync's built-in VTL (Velocity Template Language) resolvers to parameterize inputs and avoid direct execution of raw input strings. Additionally, implement strict type checking and input validation within your GraphQL schema to further restrict the format and type of data accepted by your API endpoints.

Graphqlgo

To mitigate the risk of injection attacks in a GraphQL Go framework, ensure that all user-supplied input is properly validated and sanitized. Use prepared statements with variable binding for all database queries to prevent injection. Additionally, employ a robust input validation library to enforce strong input types and patterns, and consider using GraphQL-specific validation tools to analyze and sanitize query structures. Regularly review and update your validation logic to cover new and evolving injection techniques.

Graphqlruby

To mitigate the risk of injection attacks in a GraphQL Ruby framework, ensure that all user-supplied input is properly validated. Use the built-in mechanisms for parameterized queries and input object types to define what data is acceptable. Additionally, implement a strong type system and avoid directly interpolating variables into queries or resolvers. Regularly review and update your validation logic to cover new and emerging threats.

Hasura

To prevent improper input validation and injection vulnerabilities in Hasura, ensure that all user inputs are strictly validated against a defined schema. Use Hasura's built-in input validation features to define types and constraints for all inputs. Additionally, leverage prepared statements and parameterized queries when writing custom GraphQL queries or SQL statements. Avoid using raw SQL or string concatenation with user inputs to construct queries. Regularly review and update security rules and permissions to restrict unauthorized access and operations.

REST Specific

Asp_net

In ASP.NET, prevent improper input validation and protect against XSS by encoding output using AntiXSS Library or built-in encoding methods, implementing Content Security Policy (CSP), and using HttpRequest.Unvalidated to access raw input when necessary. Additionally, utilize built-in ASP.NET features like ValidateRequest and model binding with validation annotations to automatically check for potentially dangerous inputs. Always sanitize user input before processing it.

Ruby_on_rails

In Ruby on Rails, ensure proper input validation by using built-in mechanisms such as Active Record validations for models, and sanitize user input by employing the 'sanitize' helper method for views. Additionally, use the 'strong parameters' feature to whitelist allowed parameters in controllers. Always encode output when rendering to prevent XSS and avoid directly inserting user content into the DOM. For any direct SQL queries, use parameterized queries with '?' placeholders to separate SQL code from user input, thus preventing SQL injection.

Next_js

In Next.js, ensure to sanitize user input by using libraries like DOMPurify to prevent XSS. For server-side rendering, escape dynamic content with built-in functions like encodeURIComponent for URLs or React.createElement to safely create DOM elements. Always validate and sanitize API input and output, and use Next.js' built-in API routes to handle server-side logic securely.

Laravel

In Laravel, use the built-in validation features to ensure proper input validation. Define validation rules in your request classes or controllers using the 'validate' method. Additionally, leverage Eloquent's parameterized queries and the 'htmlspecialchars' function to prevent XSS by escaping output when rendering views.

Express_js

In Express.js, ensure all user-supplied input is validated and sanitized using middleware like 'express-validator'. Employ context-specific output encoding when rendering responses to prevent XSS. For dynamic content, use templating engines that automatically encode output, and set appropriate response headers like 'Content-Security-Policy' to mitigate the risk of content injection attacks.

Django

In Django, ensure proper input validation by using Django's form and model field validation. Utilize Django templates to automatically escape variables, and avoid using 'mark_safe' unless absolutely necessary. Employ Django's built-in decorators such as '@require_http_methods' to restrict access to views based on the request method. Regularly update Django to the latest version to benefit from security patches.

Symfony

In Symfony, use the built-in form validation and escaping mechanisms to prevent XSS. Apply 'htmlspecialchars' or 'twig_escape' filters in Twig templates to encode output, and always validate and sanitize user inputs using Symfony's Form component and Validator constraints.

Spring_boot

In Spring Boot, ensure that all user-supplied input is sanitized and validated. Use built-in security features such as @RequestParam, @PathVariable, and @Valid annotations to enforce input validation. Additionally, enable Spring Security's XSS protection and configure Content Security Policy headers to mitigate the risk of XSS attacks.

Flask

In Flask, ensure that all user inputs are sanitized before processing. Utilize Flask-WTF or similar libraries to validate form inputs and escape all dynamic content rendered in templates with Jinja2's autoescape feature. Additionally, employ the 'flask-talisman' extension to set content security policies that prevent the execution of unauthorized scripts.

Nuxt

In Nuxt.js, prevent XSS by escaping user input, using the built-in 'v-html' directive cautiously, and leveraging Content Security Policy (CSP). Always validate and sanitize user input on both client and server sides. For dynamic content, consider using libraries like 'dompurify' to sanitize HTML and avoid inline scripting.

Fastapi

In FastAPI, ensure that all user-provided data is sanitized and validated using Pydantic models for request bodies, Query, Path, and Header parameters. Utilize FastAPI's built-in security utilities, such as the Depends function with OAuth2PasswordBearer or APIKeyHeader for authentication, to further protect against injection attacks. Additionally, employ auto-escaping templates when rendering HTML responses to prevent XSS.

Configuration

Identifier: injection/improper_input

Options

• skip_objects : List of object that are to be skipped by the security test.

Examples

Ignore this check

checks:
  injection/improper_input:
    skip: true

Score

• Escape Severity: HIGH

Compliance

• OWASP: API10:2023
• pci: 6.5.7
• gdpr: Article-32
• soc2: CC1
• psd2: Article-95
• iso27001: A.14.2
• nist: SP800-53
• fedramp: AC-4

Classification

Score

• CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
• CVSS_SCORE: 7.2

References

• https://portswigger.net/web-security/cross-site-scripting