Input Validation / Resource Injection

Web and API

Description

Resource Injection (CWE-99) is an input validation vulnerability that occurs when untrusted data is allowed to control which web or API resource an application accesses, or how it accesses it, without adequate checks. The Common Weakness Enumeration (CWE) catalogue classifies it as an input validation problem: the application does not validate, or incorrectly validates, input before using it to identify or reach a web or API resource. According to the OWASP Testing Guide, resource injection includes "injection of non-validated user input into files, the environment, or resources, such as LDAP queries, operating system commands, or registry keys."

Risk

Resource injection is a serious vulnerability that can lead to a wide range of security issues, including data loss, data leakage, and privilege escalation. The consequences for an affected organisation can include financial and reputational damage as well as legal and regulatory exposure.

Solution

To prevent resource injection, developers should validate input using a whitelist (allow-list) approach, so that only resource identifiers the application itself defines are accepted, and should properly escape user input before using it to access web or API resources. Additionally, developers should ensure that web and API resources are not vulnerable to injection attacks by applying secure coding techniques when they are accessed.
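The allow-list approach described above, as an added example that is not part of the original page: a small report-download handler in which an untrusted `report` parameter selects a file. The vulnerable resolver splices the input straight into a resource path; the hardened resolver only accepts keys from an application-defined table and, as defence in depth, confirms the resolved path still lies under the report directory. All names, paths and inputs are constructed for illustration.

```python
"""
Added example (not from the original page): resource injection (CWE-99)
in a report-download handler, shown as the vulnerable form beside an
allow-list hardened form. Every name, path and input below is
constructed for illustration.
"""
import os
import tempfile

# Constructed fixture: two legitimate reports under BASE.
BASE = tempfile.mkdtemp(prefix="reports_")
for name, body in (("q1", "Q1 revenue"), ("q2", "Q2 revenue")):
    with open(os.path.join(BASE, name + ".txt"), "w", encoding="utf-8") as fh:
        fh.write(body)

# Allow list: the only resource identifiers the application defines.
# The client supplies a key; the application, not the client, supplies the path.
REPORTS = {
    "q1": os.path.join(BASE, "q1.txt"),
    "q2": os.path.join(BASE, "q2.txt"),
}


def _escapes(path: str, base: str) -> bool:
    """True when the resolved path lies outside the resolved base directory."""
    real_base = os.path.realpath(base)
    return os.path.commonpath([os.path.realpath(path), real_base]) != real_base


def resolve_vulnerable(report: str) -> str:
    """CWE-99: untrusted input is spliced into the resource path unchecked.

    os.path.join keeps '..' segments and discards BASE entirely when the
    input is an absolute path, so the caller decides which file is opened.
    """
    return os.path.realpath(os.path.join(BASE, report + ".txt"))


def resolve_hardened(report: str) -> str:
    """Allow-list validation: unknown keys are rejected before any I/O."""
    try:
        path = REPORTS[report]
    except KeyError:
        raise ValueError(f"unknown report {report!r}") from None
    # Defence in depth: the table entry itself must resolve under BASE.
    if _escapes(path, BASE):
        raise ValueError("resource resolved outside the report directory")
    return os.path.realpath(path)


def escapes_base(path: str) -> bool:
    """Used below to show where the vulnerable resolver would have read from."""
    return _escapes(path, BASE)


def read_report(report: str) -> str:
    """Safe entry point: validate via the allow list, then read the file."""
    with open(resolve_hardened(report), encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    print(read_report("q1"))
    print("vulnerable resolver escapes BASE:",
          escapes_base(resolve_vulnerable("../sibling")))
    try:
        read_report("../sibling")
    except ValueError as exc:
        print("hardened resolver rejected it:", exc)
```

The hardened version never derives a path from client input at all; the key is only ever a dictionary lookup, so escaping rules for the underlying resource (file system here, but equally an LDAP DN, a registry key or an upstream URL) never have to be reasoned about per request.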
