...
The benefit of white listing is that a programmer can be certain that a string contains only characters that are considered safe by the programmer. White listing is recommended over black listing because, instead of having to trap all unacceptable characters, the programmer only needs to ensure that acceptable characters are identified. As a result, the programmer can be less concerned about which characters an attacker may try in an attempt to bypass security checks.
References
Priority: P18 Level: L1
Failure to sanatize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
Component | Value |
|---|---|
Severity | 2 (medium) |
Likelihood | 3 (likely) |
Remediation cost | 3 (low) |
References
- Viega 03 Viega, John and Messier, Matt. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003 (ISBN: 0-596-00394-3).
- ISO/IEC 9899-1999 Section 7.20.4.6 The system function