...
But this code will happily parse image tags, HTML markup, JavaScript, or any other commands an attacker may wish to send. The following picture demonstrates a remote image being loaded into the page on the request of the attacker:
In this case, the trust boundary exists between the untrusted data and the CGI script, whereas the trusted domain is the web browser—or rather the HTML parsing and rendering engine within the web browser.
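The following is an added example, not code from the CERT page, that puts the noncompliant and compliant versions of such a script side by side under `perl -T`. It assumes a CGI parameter named `name` and an allowlist policy (letters, digits, spaces, hyphens and apostrophes, at most 40 characters) chosen here for illustration; both are assumptions, not anything the page specifies.

```perl
#!/usr/bin/perl -T
# Added example (not from the CERT page): a CGI script that reads a
# parameter and echoes it back, written to run under taint mode (-T).
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# Noncompliant: the raw parameter is interpolated straight into HTML.
# Taint mode does NOT stop this: print is not a tainted-data sink, so
# markup or script in the request reaches the browser's renderer as-is.
sub greet_unsafe {
    my ($name) = @_;
    return "<p>Hello, $name</p>";
}

# Compliant: (1) validate against an allowlist before use; the regex
# capture is the only way to untaint under -T, and (2) escape on output
# so whatever is accepted is rendered as text, never as markup.
sub greet_safe {
    my ($q, $name) = @_;
    # Assumed policy for a display name; anything else is rejected.
    if ($name =~ /^([A-Za-z0-9 '-]{1,40})\z/) {
        my $clean = $1;    # untainted copy, within the allowlist
        return "<p>Hello, " . $q->escapeHTML($clean) . "</p>";
    }
    return "<p>Invalid name.</p>";
}

my $name = $q->param('name');
$name = '' unless defined $name;

print $q->header('text/html');
print greet_safe($q, $name);
```

Validation and escaping are separate steps on purpose: the allowlist is what untaints the value (and is what satisfies taint mode before the same value is handed to a DBI method or a system call), while `escapeHTML` protects the browser-side trust domain even when the allowlist is later loosened.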
...
Tool | Diagnostic | Notes |
---|---|---|
Taint mode | Insecure dependency in parameter \d* of DBI::db=.* method call | Catches SQL injection. |
Related Guidelines

Standard | Rule |
---|---|
SEI CERT C Secure Coding Standard | |
SEI CERT C++ Secure Coding Standard | |
CERT Oracle Secure Coding Standard for Java | IDS00-J. Sanitize untrusted data passed across a trust boundary (Prevent SQL injection) |
Bibliography

Reference | Source |
---|---|
[Birznieks 1998] | Birznieks, Gunther, CGI/Perl Taint Mode FAQ, Version 1.0, June 3, 1998 |
[CGI 2005] | CGI.pm: A Perl5 CGI Library, Function-Oriented vs Object-Oriented Use |
[CPAN] | Bunce, Tim, DBI |
[CPAN] | Stosberg, Mark, CGI |
[Lester 2006] | Lester, Andy, "Perl's taint mode to the rescue," O'Reilly ONLamp.com, November 17, 2006 |
[VU#246409] | Input validation error in quikstore.cgi allows attackers to execute commands |
[VU#282403] | AdCycle does not adequately validate user input thereby allowing for SQL injection |
[Wall 2011] | perlsec |
...