T 4.84 Inadequate validation of input and output data in web applications
In general, web applications are used by generic clients (web browsers), so users can transmit arbitrary input data to the server. If malicious input from an attacker is processed by the web application, it may become possible to bypass the protection mechanisms of the web application.
Examples of attacks on web applications based on inadequate validation of input data are SQL injection (see T 5.131 SQL injection), path traversal (see T 5.172 Bypassing the authorisation in web applications) and remote file inclusion. These attacks can enable unauthorised persons to access the operating system or back-end systems. In the case of a successful attack, data requiring protection can be read or manipulated without authorisation.
Usually, the successful processing of the input data by the web application is followed by an output of data. The output data can either be transmitted to the user's browser (e.g. status messages or a new entry in the guest book) or passed on to downstream systems. If the data is not adequately validated before output, the output data may contain malicious code which is interpreted or executed on the target systems.
The following examples describe possible consequences of inadequate validation of input and output data:
- The search function of the web application uses the unfiltered user input to generate database queries. An attacker can exploit this to formulate a search query that contains additional database commands in addition to the search term. Since the search query is embedded in the database query without first being filtered, the commands are executed in the database. This enables the attacker to gain direct access to the database.
- A web application offers a function for file upload and restricts it to specific file types. To determine the file type, the web application only checks the file extension and does not consider the content of the file. If a permitted file extension is used for the upload, files with any content can be transmitted to the server.
- If input data is automatically modified and adjusted by the filter component (sanitising), targeted input by an attacker can cause the data produced by the filter component itself to become an attack vector.
- Input and output data may have various encodings (e.g. UTF-8, ISO 8859-1) and notations (e.g. for UTF-8 "." = "2E" = "C0 AE"). Depending on the encoding scheme applied, the same byte sequence can be interpreted differently. If the filter component interprets the data differently than the processing components of the web application, an attacker will be able to encode malicious data (e.g. SQL instructions) so that it is not detected by the filter component. The malicious data from the attacker is thus passed on to the processing components and executed because of the differing interpretation.
- The comment function of a web application allows texts to be formatted using HTML. If, for example, the input is not restricted to a set of permitted HTML tags, an attacker can use this function to place any HTML code on the web application. An attacker can exploit this to manipulate or overlay elements of the website and to intercept user input (see T 5.175 Clickjacking).
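The following is an added illustration of the encoding example above and is not part of the catalogue text. A filter that inspects the raw bytes for ".." while the processing component also accepts the overlong UTF-8 form C0 AE as "." can be bypassed; decoding strictly to one canonical form and rejecting invalid sequences before filtering closes the gap. The two decoder functions, the filter functions and the sample path are constructed for this example.

```python
from typing import Optional

# Constructed sample: the path "../secret" with the first "." written as
# the overlong UTF-8 sequence C0 AE instead of the canonical 2E.
SAMPLE = b"\xc0\xae./secret"
FORBIDDEN = ".."


def lenient_utf8_decode(data: bytes) -> str:
    """Toy decoder modelling a processing component that does NOT reject
    overlong two-byte sequences, so C0 AE is turned into '.'."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                       # plain ASCII byte
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data):
            # two-byte form; no check that the code point actually needed
            # two bytes, which is exactly the overlong-encoding mistake
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            out.append(chr(cp))
            i += 2
        else:
            raise ValueError("byte sequence not handled by this toy decoder")
    return "".join(out)


def strict_utf8_decode(data: bytes) -> Optional[str]:
    """Python's built-in decoder rejects overlong and otherwise invalid
    sequences; None signals that the input must be refused."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def naive_filter_accepts(raw: bytes) -> bool:
    """Weak filter: looks for the forbidden pattern in the raw bytes only."""
    return FORBIDDEN.encode("utf-8") not in raw


def hardened_filter_accepts(raw: bytes) -> bool:
    """Canonicalise first (strict decode), refuse anything that does not
    decode cleanly, then apply the same check the processing side sees."""
    text = strict_utf8_decode(raw)
    if text is None:
        return False
    return FORBIDDEN not in text
```

The weak filter lets SAMPLE through, while the lenient processing component decodes it to "../secret"; the hardened filter rejects the same input because the overlong sequence never decodes.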