Encode system outputs
Summary
The system output must be encoded in the corresponding language (escaping).
Description
System components use structured messages to communicate with other components. When these messages include input from untrusted sources and this input is not properly escaped, they become prone to the insertion of malicious commands. For this reason, encoding or escaping must occur before sending the messages.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CAPECâ„¢-18. XSS targeting non-script elements
- CAPECâ„¢-19. Embedding scripts within scripts
- CAPECâ„¢-32. XSS through HTTP query strings
- CAPECâ„¢-48. Passing local filenames to functions that expect a URL
- CAPECâ„¢-130. Excessive allocation
- CAPECâ„¢-153. Input data manipulation
- CAPECâ„¢-240. Resource injection
- CAPECâ„¢-242. Code injection
- CAPECâ„¢-248. Command injection
- CWEâ„¢-116. Improper encoding or escaping of output
- CWEâ„¢-117. Improper output neutralization for logs
- CWEâ„¢-173. Improper handling of alternate encoding
- OWASP TOP 10-A3. Injection
- OWASP TOP 10-A9. Security logging and monitoring failures
- CERT-C-FIO30-C. Exclude user input from format strings
- MITRE ATT&CK®-M1013. Application developer guidance
- PA-DSS-1_1_1. Do not store full contents of any track from the magnetic stripe
- PA-DSS-1_1_2. Do not store the card verification value or code used to verify transactions
- PA-DSS-5_2_1. Injection flaws, particularly SQL injection
- SANS 25-2. Improper neutralization of input during web page generation (cross-site scripting)
- HITRUST CSF-09_v. Electronic messaging
- HITRUST CSF-10_e. Output data validation
- FedRAMP-PE-16. Delivery and removal
- ISA/IEC 62443-IAC-1_13. Access via untrusted networks
- WASC-W_22. Improper output handling
- PTES-6_2_1_1. Exploitation - Countermeasures (anti-virus encoding)
- MVSP-2_5. Application design controls - Security libraries
- OWASP SCP-2. Output encoding
- OWASP SCP-9. Communication security
- OWASP SCP-11. Database security
- OWASP SCP-13. Memory management
- BSAFSS-SC_3-2. Secure Coding (secure software against unsafe functions)
- BSAFSS-LO_2-4. Implement securely logging mechanisms
- OWASP ASVS-1_5_4. Input and output architecture
- OWASP ASVS-5_3_1. Output encoding and injection prevention
- OWASP API Security Top 10-API8. Security Misconfiguration
- CASA-1_5_4. Input and Output Architecture
- CASA-5_3_1. Output Encoding and Injection Prevention
- CWE TOP 25-79. Improper neutralization of input during web page generation (cross-site scripting)
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.