185 – Lack of data validation - Header x-amzn-RequestId

Description

The application does not control server side permission to modify certain fields and allows potentially dangerous character strings to be entered in the x-amzn-RequestId Header.

Impact

- Reflect dangerous character strings to try to achieve an injection. - Use very long character strings to try to deny the service.

Recommendation

Validate on the server side the types of data that are entered into different kind of fields in the application.

Threat

Internet attacker with access to the service.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 173 - Discard unsafe inputs
• 320 - Avoid client-side control enforcement
• 342 - Validate request parameters

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/09/14