CWE-554 Individual Dictionary Definition (Draft 9)

Weakness ID: 554 (Weakness Class)
Status: Draft

Description
  Summary: The ASP.NET application does not use an input validation framework.
  Extended Description: Unchecked input is the leading cause of vulnerabilities in ASP.NET applications. Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.

Potential Mitigations
  Use the ASP.NET validation framework to check all program input before it is processed by the application. Example uses of the validation framework include checking to ensure that:
  - Phone number fields contain only valid characters in phone numbers
  - Boolean values are only "T" or "F"
  - Free-form strings are of a reasonable length and composition

Context Notes
  In certain versions of ASP.NET, there is an input validation error that allows a malicious user to input some ASCII characters in a special Unicode encoding in the range ff00 to ff60. When the response encoding is not Unicode, these characters are decoded to their ASCII values, and this way can be used to launch cross-site scripting attacks. The relevant Unicode strings are %uff1c, which is decoded to <, and %uff1e, which is decoded to >.

Relationships: (none listed in this draft)

Source Taxonomies: Anonymous Tool Vendor (under NDA)

Applicable Platforms: .NET
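The three mitigation rules above, plus a check for the U+FF00 to U+FF60 range from the context note, written out as plain C# validation functions. This is an added example, not CWE or Microsoft code; the class and method names, the phone-number pattern and the 256-character default length are assumptions, and in an ASP.NET page the same rules would sit behind RegularExpressionValidator or CustomValidator controls rather than in a console program.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper class; names and patterns are this example's own choices.
public static class InputChecks
{
    // Phone numbers: an optional leading '+', then digits and the spacing/
    // grouping punctuation commonly found in phone numbers, bounded in length.
    private static readonly Regex PhonePattern =
        new Regex(@"^\+?[0-9][0-9 ()\-.]{5,19}$", RegexOptions.Compiled);

    public static bool IsValidPhone(string s) =>
        s != null && PhonePattern.IsMatch(s);

    // Boolean fields: exactly "T" or "F"; "true", "1", "yes" etc. are rejected.
    public static bool IsValidBoolean(string s) => s == "T" || s == "F";

    // Free-form text: bounded length, no control characters beyond ordinary
    // whitespace, and no fullwidth forms (U+FF00..U+FF60) that a non-Unicode
    // response encoding could downcast to ASCII metacharacters such as < and >.
    public static bool IsValidFreeForm(string s, int maxLength = 256)
    {
        if (s == null || s.Length == 0 || s.Length > maxLength) return false;
        foreach (char c in s)
        {
            if (char.IsControl(c) && c != '\n' && c != '\r' && c != '\t') return false;
            if (c >= '\uFF00' && c <= '\uFF60') return false; // e.g. U+FF1C, the %uff1c form of '<'
        }
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs: one well-formed value and two that each rule rejects.
        Console.WriteLine(IsValidPhone("+1 (555) 010-2345"));
        Console.WriteLine(IsValidBoolean("true"));
        Console.WriteLine(IsValidFreeForm("\uFF1Cscript\uFF1E"));
    }
}
```

Rejecting the fullwidth range outright is the conservative choice; if an application must accept it, the safer alternative is to force a Unicode response encoding so that no downcasting to ASCII occurs.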