Summary

The system should not use dynamic code execution features such as eval().

Description

Dynamic code execution features, despite the flexibility they provide, should be used carefully and generally avoided. These features often open the door for remote code execution (RCE) and cross-site scripting (XSS) attacks. Therefore, if it is not possible to avoid dynamic code execution, any untrusted input being included (e.g., the one provided by the users) should be properly sanitized.

References

• CAPEC-19. Embedding scripts within scripts
• CAPEC-242. Code injection
• CAPEC-248. Command injection
• CWE-95. Improper neutralization of directives in dynamically evaluated code ("eval injection")
• CWE-915. Improperly controlled modification of dynamically-determined object attributes
• OWASP10-A3. Injection
• AGILE-9. Continuous attention to technical excellence and good design
• MITRE-M1013. Application developer guidance
• MITRE-M1038. Execution prevention
• PADSS-5_2_7. Cross-site scripting (XSS)
• FEDRAMP-CM-7_5. Least functionality - Authorized software, whitelisting
• ISO27002-8_28. Secure coding
• NISTSSDF-PW_6_1. Configure the compilation, interpreter, and build processes to improve executable security
• OWASPSCP-7. Error handling and logging
• OWASPSCP-14. General coding practices
• CWE25-77. Improper neutralization of special elements used in a command (command injection)
• OSAMM-ST. Security Testing
• ASVS-5_2_4. Sanitization and sandboxing
• C2M2-9_3_m. Implement IT and OT asset security for cybersecurity architecture
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-I_2_1. Application security
• ASVS-5_5_4. Deserialization prevention
• ISO27001-8_28. Secure coding
• CASA-5_2_4. Sanitization and Sandboxing
• OWASPMASVS-CODE-4. The app validates and sanitizes all untrusted inputs
• SANS25-16. Improper neutralization of special elements used in a command (command injection)