Proper input validation can ensure that malicious data is not inserted into the system. However, it fails to provide the assurance that validated data will remain consistent throughout its lifetime. For instance, if an insider is allowed to insert data into a database without validation, it is possible to glean unauthorized information or execute arbitrary code on the client side by means of attacks such as Cross Site Scripting (XSS). Consequently, output filtering is as important as input validation. As with input validation, data must be normalized before it is filtered for malicious characters. To ensure that any data that bypasses the validation does not cause vulnerabilities, it is highly recommended that output characters be encoded, except those that are known to be safe.
Noncompliant Code Example
This noncompliant code example displays input obtained from a database directly to the user without performing any output validation or encoding.
public class BadOutput { public static void display() { // description and input are String variables containing values obtained from a database // description = "description" and input = "<script> XSS </script>" // display to the user or pass description and input to another system } }
Compliant Solution
This compliant solution defines a ValidateOutput
class that normalizes the output to a known character set, performs output validation using a whitelist and encodes any non-specified data to enforce a double checking mechanism. Different fields may require different whitelisting patterns. [[OWASP 08]]
public class ValidateOutput { // allows only alphanumeric characters and spaces private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$"); // validates and encodes the input field based on a whitelist private String validate(String name, String input) throws ValidationException { String canonical = normalize(input); if(!pattern.matcher(canonical).matches()) { throw new ValidationException( "Improper format in " + name + " field"); } // performs output encoding for non valid characters canonical = HTMLEntityEncode(canonical); return canonical; } // normalizes to known instances private String normalize(String input) { String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC); return canonical; } // Encodes non valid data public static String HTMLEntityEncode(String input) { StringBuffer sb = new StringBuffer(); for (int i = 0;i < input.length();++i) { char ch = input.charAt(i); if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) { sb.append(ch); } else { sb.append("&#" + (int)ch + ";"); } } return sb.toString(); } public static void display() throws ValidationException { // description and input are String variables containing values obtained from a database // description = "description" and input = "2 items available" ValidateOutput vo = new ValidateOutput(); vo.validate(description, input); // pass to another system or display to the user } }
Risk Assessment
Failure to encode or escape output before it is displayed or passed to another system can result in the execution of arbitrary code on the client's side.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
IDS13- J |
high |
probable |
medium |
P12 |
L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[OWASP 08]] How to add validation logic to HttpServletRequest and How to perform HTML entity encoding in Java
[[MITRE 09]] CWE ID 116 "Improper Encoding or Escaping of Output"
FIO36-J. Do not create multiple buffered wrappers on an InputStream 09. Input Output (FIO) 09. Input Output (FIO)