Input Validation / Improper Control of Generation of Code
Description
Improper Control of Generation of Code (CWE-20) is a type of input validation vulnerability that occurs when an application generates code that is not sufficiently controlled. This type of vulnerability is often seen in web and API applications and is listed in the CWE Top 25 list of the most dangerous software errors in 2022. It occurs when user input is not properly filtered and validated before being used in the generation of code. This can lead to code being generated that contains malicious instructions, or when code is generated that can be used to bypass security measures. (CWE Directory)
Risk
Improper Control of Generation of Code poses a significant risk to applications and their users. The vulnerability can be exploited to gain access to confidential information, modify data, and even execute remote code on the system. An attacker can also use the vulnerability to bypass security measures such as authentication, authorization, and other access controls. (OWASP Testing Guide)
Solution
The best way to mitigate the risk of this vulnerability is to ensure that user input is properly controlled and validated before being used to generate code. This can include input validation techniques such as white-listing and black-listing, as well as using secure coding techniques such as input sanitization, output encoding, and using a secure coding framework. (OWASP Testing Guide).
Example
The following code is an example of a vulnerable application that is vulnerable to Improper Control of Generation of Code. The code takes user input and uses it to generate a SQL query without proper validation or sanitization.
String query = "SELECT * FROM users WHERE name = '" + userInput + "';";
This code is vulnerable because it does not filter or validate the userInput variable before using it in the query. An attacker can use this vulnerability to inject malicious SQL code into the query, which could lead to data being modified or confidential data being leaked. (CVE-2020-28476)