184 – Lack of data validation

Description

The application does not control the the server side where you have permission to modify certain fields and allows the use of invalid data in some fields, for example, an ID composed of only letters.

Impact

Inject potentially malicious characters into application fields.

Recommendation

Validate on the server side the data types that are entered into different kind of fields in the application.

Threat

External attacker with access to the application.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 173 - Discard unsafe inputs
• 320 - Avoid client-side control enforcement
• 342 - Validate request parameters

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Ruby
• Scala
• Swift
• Typescript

Last updated

2024/02/15