Input Validation / Suspicious Input Transformation

Web and API

Description

Suspicious Input Transformation is an input validation weakness in web and API applications. User-controlled input is rewritten (URL-decoded, Unicode-normalized, case-folded, trimmed, concatenated) somewhere between the point where it enters the application and the point where it is used, and the validation, if any, runs on a different form of the data than the one the sink receives. An attacker who understands the transformation can submit a value that passes the check and still alters the application's expected behaviour at the sink, which is what makes this class dangerous: it is a common way to bypass authentication, authorization, and other security checks that look correct in isolation. Detection is largely a manual code review task: trace each user-controlled value from entry point to sink, flag any decoding or normalization applied after a check, and flag any sink (HTML output, SQL query, file path, response header) that receives the value without encoding or parameterization, since those are the places where the bypass turns into HTML injection, SQL injection or a similar attack.

Risk

The risk of this vulnerability is high. The impact depends on the sink the transformed input reaches: an attacker could bypass security checks, read or modify sensitive data, inject script into pages served to other users, or, where the input reaches a command or file operation, execute arbitrary code on the server.

Solution

The solution to this vulnerability is to implement proper input validation and to apply it in the right order. Canonicalize first (decode and normalize the input exactly once, in the same way the rest of the application will see it), then validate the canonical form against an allowlist of acceptable values or patterns, and reject anything that does not match; never decode, normalize or otherwise transform the value again after it has been checked. A well-maintained validation library can provide the allowlist checks, but it does not remove the ordering requirement. Validation also does not replace output handling: the value must still be encoded for the sink it reaches (HTML-encoded when written into a page, parameterized when used in a query), because a value that is valid for the application can still be dangerous in a particular context.

Example

The following PHP snippet is an example of a vulnerable application. The POST parameter is written straight into the page body without any validation or HTML encoding, so a comment containing a closing tag followed by markup of the attacker's choice escapes the textarea and is rendered as part of the page (reflected cross-site scripting).

<textarea name="comment"><?php echo $_POST['comment']; ?></textarea>
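The following Python program is an added example, not code from the original page; it reworks the PHP snippet above and the ordering rules from the Solution section so they can be run side by side. Function names, the character allowlist and the sample inputs are assumptions made for the example. It shows three versions of the same rendering step: the raw reflection from the snippet, a version that checks the input and only afterwards URL-decodes and Unicode-normalizes it (the transformation-after-validation pattern), and a hardened version that canonicalizes first, validates against an allowlist, and HTML-encodes at the sink.

```python
import html
import unicodedata
from urllib.parse import unquote

# Allowlist for the example's comment field (an assumption for the demo;
# a real comment field would usually be more permissive and rely on
# output encoding for anything the allowlist lets through).
ALLOWED_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,!?'-"
)
MAX_COMMENT_LEN = 500


def canonicalize(value: str) -> str:
    """Decode once and normalize once: the form every later step must use."""
    return unicodedata.normalize("NFKC", unquote(value))


def looks_like_markup(value: str) -> bool:
    """Naive denylist check, as a weak validator would write it."""
    return "<" in value or ">" in value


def render_vulnerable(comment: str) -> str:
    """Equivalent of the PHP snippet: the raw value is reflected into HTML."""
    return f'<textarea name="comment">{comment}</textarea>'


def render_validate_then_transform(comment: str) -> str:
    """Anti-pattern: the check runs on the raw value, then the value is
    URL-decoded and NFKC-normalized before reaching the HTML sink.
    The sink therefore sees bytes the check never examined."""
    if looks_like_markup(comment):
        raise ValueError("comment rejected")
    transformed = canonicalize(comment)  # transformation after validation
    return f'<textarea name="comment">{transformed}</textarea>'


def render_hardened(comment: str) -> str:
    """Correct order: canonicalize, allowlist-validate the canonical form,
    then encode for the sink. No transformation happens after the check."""
    canonical = canonicalize(comment)
    if len(canonical) > MAX_COMMENT_LEN:
        raise ValueError("comment too long")
    if not set(canonical) <= ALLOWED_CHARS:
        raise ValueError("comment contains disallowed characters")
    # Encoding at the sink is what actually neutralizes the value for HTML;
    # the allowlist limits what the application accepts at all.
    return f'<textarea name="comment">{html.escape(canonical, quote=True)}</textarea>'


# Constructed sample inputs for the demo.
PLAIN = "Looks good, thanks!"
URL_ENCODED_PAYLOAD = "%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E"
FULLWIDTH_PAYLOAD = "\uff1c/textarea\uff1e\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"


def demo() -> dict:
    """Run each renderer over the samples; a string containing '<script>'
    means the comment escaped the textarea and became live markup."""
    results = {}
    for name, fn in (
        ("vulnerable", render_vulnerable),
        ("validate_then_transform", render_validate_then_transform),
        ("hardened", render_hardened),
    ):
        for label, sample in (
            ("plain", PLAIN),
            ("url_encoded", URL_ENCODED_PAYLOAD),
            ("fullwidth", FULLWIDTH_PAYLOAD),
        ):
            try:
                results[(name, label)] = "<script>" in fn(sample)
            except ValueError:
                results[(name, label)] = "rejected"
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key[0]:24s} {key[1]:12s} -> {outcome}")
```

The two bypasses are the point: the denylist in render_validate_then_transform never sees a literal '<', because the URL-encoded form is decoded afterwards and the fullwidth characters U+FF1C/U+FF1E only collapse to '<' and '>' under NFKC, which also runs afterwards. The hardened version rejects both samples because it validates what the sink will actually receive, and it still escapes the output so that characters the allowlist permits (the apostrophe, for instance) cannot break out of an attribute if the template changes later.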
