CWE-1173 验证框架使用不当

admin 2022年1月2日04:09:45CWE(弱点枚举)评论19 views1980字阅读6分36秒阅读模式

CWE-1173 验证框架使用不当

Improper Use of Validation Framework

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.

扩展描述

Many modern coding languages provide developers with input validation frameworks to make the task of input validation easier and less error-prone. These frameworks will automatically check all input against specified criteria and direct execution to error handlers when invalid input is received. The improper use (i.e., an incorrect implementation or missing altogether) of these frameworks is not directly exploitable, but can lead to an exploitable condition if proper input validation is not performed later in the application. Not using provided input validation frameworks can also hurt the maintainability of code as future developers may not recognize the downstream input validation being used in the place of the validation framework.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Integrity Unexpected State Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.

检测方法

DM-3 Automated Static Analysis

Some instances of improper input validation can be detected using automated static analysis.

A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present.

Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.

可能的缓解方案

Implementation

策略:

Properly use provided input validation frameworks.

文章来源于互联网:scap中文网

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月2日04:09:45
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-1173 验证框架使用不当 http://cn-sec.com/archives/612891.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: