Input Validation / Incubated Vulnerability

Description

Incubated Vulnerability is a type of input validation vulnerability that occurs when an attacker is able to introduce malicious code into a system, which remains dormant until a specific event triggers its execution. This type of vulnerability is classified under CWE-20 and falls under the "Improper Input Validation" category of the Common Weakness Enumeration (CWE) directory. According to the OWASP Testing Guide, "A web application is vulnerable to this type of attack if it accepts input from users, stores it, and then later executes it without proper validation or sanitization."

Risk

The risk of this vulnerability is that an attacker can execute malicious code on a vulnerable application, allowing them to gain access to sensitive data, or cause damage to the application itself. In addition, if the attacker can successfully inject a malicious payload, they can also use this vulnerability as a vector for further attacks.

Solution

To prevent an application from becoming vulnerable to an Incubated Vulnerability, proper input validation and sanitization must be enforced. Input should be validated on the server-side to ensure that malicious code is not introduced into the system, and all user-supplied data should be properly sanitized before being used.

Example

The following code snippet is an example of an Incubated Vulnerability, taken from CVE-2017-7706.

$filename = $_GET['file'];
$file_contents = file_get_contents($filename);
echo($file_contents);

In this example, the application is vulnerable to an Incubated Vulnerability because it is accepting user-supplied input without proper validation or sanitization. An attacker could use this vulnerability to inject malicious code into the system, which could be executed at a later time.