Many applications that accept untrusted input strings employ input filtering and validation mechanisms based on the strings' character data. For example, an application's strategy for avoiding cross-site scripting (XSS) vulnerabilities may include forbidding <script> tags in inputs. Such blacklisting mechanisms are a useful part of a security strategy, even though they are insufficient for complete input validation and sanitization. When implemented, this form of validation must be performed only after normalizing the input.
...
```java
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// s may be user controllable; \uFE64 and \uFE65 normalize to < and > under NFKC
String s = "\uFE64" + "script" + "\uFE65";

// Normalize
s = Normalizer.normalize(s, Form.NFKC);

// Validate
Pattern pattern = Pattern.compile("[<>]");
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
  // Found blacklisted tag
  throw new IllegalStateException();
} else {
  // ...
}
```
...
Validating input before normalization affords attackers the opportunity to bypass filters and other security mechanisms. This can result in the execution of arbitrary code.
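To make the ordering concrete, the following is an added example (not code from the guideline itself) that runs the same `[<>]` blacklist on the same input in both orders: once before NFKC normalization and once after. The class and method names are assumptions made for this illustration, and the sample strings are constructed; besides the U+FE64/U+FE65 pair from the guideline, it also feeds in the fullwidth forms U+FF1C/U+FF1E, which NFKC likewise folds to ASCII angle brackets.

```java
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Pattern;

// Added example (not the guideline's own code): contrasts validating before
// and after NFKC normalization on identical input. Names are assumptions.
public class NormalizeBeforeValidate {

    // Same blacklist the guideline uses: any literal angle bracket is rejected.
    private static final Pattern BLACKLIST = Pattern.compile("[<>]");

    // Noncompliant order: the filter sees the raw string, where compatibility
    // characters such as U+FE64 are not yet angle brackets, so they pass.
    // Returns the normalized string that would later reach the HTML sink.
    static String validateThenNormalize(String input) {
        if (BLACKLIST.matcher(input).find()) {
            throw new IllegalStateException("blacklisted tag");
        }
        return Normalizer.normalize(input, Form.NFKC);
    }

    // Compliant order: normalize first, then apply the same filter.
    static String normalizeThenValidate(String input) {
        String normalized = Normalizer.normalize(input, Form.NFKC);
        if (BLACKLIST.matcher(normalized).find()) {
            throw new IllegalStateException("blacklisted tag");
        }
        return normalized;
    }

    public static void main(String[] args) {
        // Constructed inputs: U+FE64/U+FE65 (small less-than/greater-than) and
        // U+FF1C/U+FF1E (fullwidth forms) both map to '<' and '>' under NFKC.
        String[] samples = {
            "\uFE64" + "script" + "\uFE65",
            "\uFF1C" + "script" + "\uFF1E",
            "plain text"
        };
        for (String s : samples) {
            System.out.println("input: " + s);
            try {
                System.out.println("  validate-then-normalize let through: "
                    + validateThenNormalize(s));
            } catch (IllegalStateException e) {
                System.out.println("  validate-then-normalize rejected");
            }
            try {
                System.out.println("  normalize-then-validate let through: "
                    + normalizeThenValidate(s));
            } catch (IllegalStateException e) {
                System.out.println("  normalize-then-validate rejected");
            }
        }
    }
}
```

For the first two samples, `validateThenNormalize` finds no bracket in the raw string and hands back the normalized value `<script>`, which is exactly the tag the blacklist was meant to stop; `normalizeThenValidate` rejects both. The plain-text sample passes in either order, which is why the defect is easy to miss in testing that only uses ASCII input.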
...
Tool | Version | Checker | Description
---|---|---|---
Fortify | 1.0 | Process_Control | Implemented
Related Guidelines

Cross-site Scripting [XYT]
CWE-289, Authentication Bypass by Alternate Name
...