Stored Improper Input Validation Injection
Description
Improper input validation can lead to XSS vulnerabilities and other security issues. Stored code injections are attacks where malicious code (such as JavaScript) is injected into the application and stored in the database to be later executed. Stored XSS is one of those attacks. Stored XSS is when an XSS vulnerability originates from the database because of malicious code previously inserted in it.
Remediation
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.
To effectively prevent XSS vulnerabilities, use a combination of the following measures:
- Filter user input on arrival as strictly as possible, based on what you expect as legitimate input.
- Encode user-controllable data as soons as it is outputted in HTTP reponses to prevent it from being interpreted as active content (ie. code). Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
- Use the right headers to ensure that browsers interpret the responses the way you intended. For example, to prevent XSS in HTTP responses that are not supposed to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers.
- Use Content Security Policy (CSP) to reduce the severity of any XSS vulnerability that still occurs.
GraphQL Specific
Apollo
To mitigate the risk of injection vulnerabilities in the Apollo framework engine, ensure that all user-supplied input is properly validated and sanitized before processing. Utilize built-in security features such as input validation functions or libraries, and avoid directly incorporating user input into queries or commands. Additionally, implement parameterized queries or prepared statements to safely handle data input, and consistently apply these practices across the entire codebase to maintain a strong defense against injection attacks.
Yoga
To mitigate the risk of improper input validation and injection vulnerabilities in the Yoga framework engine, ensure that all user-supplied input is validated, sanitized, and encoded appropriately before processing. Utilize built-in security features of the framework for input handling, and consider implementing additional layers of validation according to the context of the data usage. Avoid dynamic queries; instead, use parameterized statements or prepared statements to interact with the database. Regularly update the framework and its dependencies to incorporate security fixes and improvements.
Awsappsync
To mitigate the risk of injection vulnerabilities in AWS AppSync, ensure that all user inputs are properly validated and sanitized before they are processed. Utilize AWS AppSync's built-in input validation mechanisms to define strict schemas and resolvers that enforce the correct data types and formats. Additionally, implement custom validation logic within resolver mapping templates where necessary. Always avoid directly passing user-controlled data into resolver functions without validation. By adhering to these practices, you can help prevent malicious actors from injecting unauthorized commands or queries into your GraphQL API.
Graphqlgo
In the GraphQL Go framework, ensure proper input validation by using middleware or directives to sanitize and validate all user-supplied data. Implement strict type checking and utilize prepared statements or parameterized queries to prevent injection attacks. Regularly update dependencies to incorporate security fixes.
Graphqlruby
In the GraphQL Ruby framework, ensure proper input validation by using the built-in argument validation mechanisms. Define custom validators or use the provided ones to check the types and values of the arguments before they are processed. Additionally, avoid directly interpolating user input into query strings or resolvers. Instead, leverage the framework's parameterization features to safely handle user input and protect against injection attacks.
Hasura
To prevent improper input validation and injection vulnerabilities in Hasura, ensure that all user inputs are properly validated before being processed. Use Hasura's built-in input validation features to define strict types and validation rules for the input fields in your GraphQL schema. Additionally, leverage prepared statements and parameterized queries when executing SQL statements to avoid injection attacks. Regularly review and update your security policies to keep up with the latest best practices.
Configuration
Identifier:
injection/improper_input_stored
Options
- skip_objects : List of object that are to be skipped by the security test.
Examples
Ignore this check
checks:
injection/improper_input_stored:
skip: true
Score
- Escape Severity: HIGH
Compliance
- OWASP: API10:2023
- pci: 6.5.7
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: AC-4
Classification
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2