| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6164 | APP3510 | SV-6164r1_rule | DCSQ-1 | High |
| Description |
|---|
| Absence of input validation opens an application to improper manipulation of data. The lack of input validation can lead to immediate access to the application, denial of service, and corruption of data. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
| Check Text (C-3729r1_chk) |
|---|

Ask the application representative for the test plans for the application. Examine the test plan to determine if testing was performed for invalid input. Invalid input includes presence of scripting tags within text fields, query string manipulation, and invalid data types and sizes. If the test plans indicate these types of tests were performed, only a small sampling of testing is required. If the test plans do not exist or do not indicate that these types of tests were performed, more detailed testing is required.

Testing should include logging on to the application and entering invalid data. If there are various user types defined within the system, this test should be repeated for all user types. Test the application for invalid sizes and types. Test input fields on all pages/screens of the application. Try to exceed buffer limits on the input fields. Try to put wrong types of data in the input fields. For example, put character data in a numeric field.

1) If an unauthenticated user can enter invalid input to bypass access control mechanisms, this is a CAT I finding.
2) If an authenticated user can enter invalid input to gain elevated access, this is a CAT I finding.
3) If the application requires the entry of IP addresses and is not capable of handling IPv6 formats that are 128 bits long, this is a CAT II finding.
4) If the application is not capable of handling IPv6 formats and accepts characters that are of hexadecimal notation including colons, this is a CAT II finding.
| Fix Text (F-4472r1_fix) |
|---|
| Modify the application to validate all input. |
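The check text above lists the input classes a reviewer probes (script tags in text fields, wrong data types, over-length values, IPv6 addresses in full 128-bit and hexadecimal-with-colons form), and the fix text says only "validate all input". The following is an added illustration of what that fix looks like for one constructed form; it is not code from the STIG or from DISA. The field names (`name`, `quantity`, `host_ip`), the length and range limits, and the sample submissions are all assumptions made for the example. IP validation is delegated to Python's standard `ipaddress` module, which accepts IPv4 and every textual IPv6 form (compressed `::`, hexadecimal groups separated by colons) and rejects malformed addresses, so the application does not need a hand-written parser that might mishandle the IPv6 cases in findings 3 and 4.

```python
"""Server-side input validation covering the APP3510 check categories.

Added example, not part of the STIG text. Field names, limits and the
sample submissions below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed limits for the example form; a real application sets its own.
MAX_NAME_LEN = 64
QUANTITY_LOW, QUANTITY_HIGH = 1, 1000

# Matches an opening or closing <script> tag, with optional whitespace,
# case-insensitively ("presence of scripting tags within text fields").
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)


def validate_text(value, max_len=MAX_NAME_LEN):
    """Text field: reject wrong type, over-length input ("exceed buffer
    limits") and embedded script tags. Returns a list of error strings."""
    if not isinstance(value, str):
        return ["name: wrong type"]
    errors = []
    if len(value) > max_len:
        errors.append(f"name: exceeds {max_len} characters")
    if SCRIPT_TAG_RE.search(value):
        errors.append("name: script tag present")
    return errors


def validate_quantity(value, low=QUANTITY_LOW, high=QUANTITY_HIGH):
    """Numeric field: the whole value must be an integer literal of bounded
    length and within [low, high] ("character data in a numeric field")."""
    if not isinstance(value, str) or not re.fullmatch(r"-?\d{1,9}", value):
        return ["quantity: not an integer"]
    n = int(value)
    if not low <= n <= high:
        return [f"quantity: {n} outside {low}..{high}"]
    return []


def validate_ip(value):
    """IP address field: accept IPv4 and all IPv6 textual forms (128-bit,
    hexadecimal groups with colons, compressed '::'), reject anything else."""
    if not isinstance(value, str):
        return ["host_ip: wrong type"]
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return [f"host_ip: {value!r} is not a valid IPv4 or IPv6 address"]
    return []


def validate_form(form):
    """Validate one submitted form (a dict of field name -> raw string).
    Every field is checked on the server regardless of which user type
    submitted it; missing fields are treated as empty and fail validation."""
    errors = []
    errors += validate_text(form.get("name", ""))
    errors += validate_quantity(form.get("quantity", ""))
    errors += validate_ip(form.get("host_ip", ""))
    return ValidationResult(ok=not errors, errors=errors)


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, one exercising the
    # script-tag, wrong-type and malformed-IPv6 cases from the check text.
    good = {"name": "alice", "quantity": "5", "host_ip": "2001:db8::1"}
    bad = {"name": "<script>x</script>", "quantity": "five",
           "host_ip": "2001:db8:::1"}
    print(validate_form(good))
    print(validate_form(bad))
```

Each validator returns a list of errors rather than raising on the first one, so a test plan of the kind the check text asks for can record every failing field of a submission in one pass. The IPv6 cases in findings 3 and 4 are covered by `validate_ip` accepting `2001:db8::1` and `::1` while rejecting `2001:db8:::1`; a regex that only checked for digits and dots would fail finding 4 by rejecting the colons and hexadecimal groups outright.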