-
Bug
-
Resolution: Unresolved
-
Critical
-
None
-
1.3.1.Final
-
None
We have an issue reported by security penetration testing:
Improper input handling is one of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications. Generally, the term input handing is used to describe functions like validation, sanitization, filtering, encoding and/or decoding of input data. Applications receive input from various sources including human users, software agents (browsers), and network/peripheral devices to name a few
This may allow an adversary to carry out sophisticated attacks such as Code Injection, defacement, etc. if user input is not properly sanitized before accepting into the application.
During analysis, it is observed that application does not enforce user input validation throughout the application. The application does not enforce client-side validation and allows a user to enter potentially malicious characters.
It is strongly recommended to restrict user input so that, potentially danger characters such as /,!,@,#,$,%,^,&,*,(,) are not allowed to enter through the application. In case special characters are allowed to be entered, it is recommended to use character encoding/escaping before any such characters are accepted for processing.