Input Validation / Resource Injection
Description
Resource Injection (CWE-99) is an input validation vulnerability that occurs when untrusted data is used to control a web or API resource in an unsafe manner. The Common Weakness Enumeration (CWE) catalogue classifies it as an input validation problem: the application does not validate, or incorrectly validates, input before using it to select or access a web or API resource. According to the OWASP Testing Guide, resource injection includes "injection of non-validated user input into files, the environment, or resources, such as LDAP queries, operating system commands, or registry keys."
Risk
Resource injection is a serious vulnerability that can lead to a wide range of security issues, including data loss, data leakage, and privilege escalation. The consequences extend beyond the technical impact to financial and reputational damage, as well as legal and regulatory exposure.
Solution
To prevent resource injection, developers should validate input against an allow-list (whitelist) of permitted values and properly escape user input before using it to access web or API resources. Additionally, developers should ensure that the web and API resources themselves are not vulnerable to injection attacks by applying secure coding techniques.
Example
The following example code shows how vulnerable code can lead to a resource injection attack. In this example, the user input is not validated and is passed directly to an operating system command.
// Vulnerable: the "command" request parameter reaches the OS unvalidated
String command = request.getParameter("command");
// Resource injection (CWE-99): request-controlled text decides which program runs
Process process = Runtime.getRuntime().exec(command);
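A hardened counterpart in Java, added here as an example and not code from the original page. The user never supplies a command; they supply a short action name that is looked up in a fixed allow-list, and only the table's argument vector is executed. The class name, the action table, the token pattern and the sample inputs are assumptions.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public final class SafeResourceAccess {

    // Allow-list (assumed for this example): the only actions the endpoint may
    // trigger, each mapped to a fixed argv. No request text ever becomes part of argv.
    private static final Map<String, List<String>> ALLOWED_ACTIONS = Map.of(
        "disk-usage", List.of("df", "-h"),
        "uptime",     List.of("uptime")
    );

    // Syntactic check before the lookup: a short lowercase token, nothing else.
    private static final Pattern ACTION_TOKEN = Pattern.compile("^[a-z][a-z0-9-]{0,31}$");

    /** Resolves an untrusted action name to its fixed argv, or rejects it. */
    static List<String> resolveAction(String untrustedAction) {
        if (untrustedAction == null || !ACTION_TOKEN.matcher(untrustedAction).matches()) {
            throw new IllegalArgumentException("malformed action name");
        }
        List<String> argv = ALLOWED_ACTIONS.get(untrustedAction);
        if (argv == null) {
            // Safe to echo: the regex above already restricted the characters.
            throw new IllegalArgumentException("action not permitted: " + untrustedAction);
        }
        return argv;
    }

    /** Safe replacement for Runtime.exec(command): argv comes from the table, not the request. */
    static Process runAction(String untrustedAction) throws IOException {
        List<String> argv = resolveAction(untrustedAction);
        // ProcessBuilder with a fixed argv list: no shell involved, no string splitting.
        return new ProcessBuilder(argv).redirectErrorStream(true).start();
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for request.getParameter("command").
        for (String input : new String[] {"uptime", "reboot", "disk usage", "DISK-USAGE", ""}) {
            try {
                System.out.println(input + " -> argv " + resolveAction(input));
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only "uptime" resolves; "reboot" is well-formed but absent from the table, and the remaining inputs fail the token check, so none of them reaches ProcessBuilder.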