Kingdom: Input Validation and Representation

Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

Denial of Service: StringBuilder

Java/JSP
Kotlin

Abstract

Appending untrusted data to a StringBuilder or StringBuffer instance initialized with the default backing array size can cause the JVM to overconsume heap memory space.

Explanation

Appending user-controlled data to a StringBuilder or StringBuffer instance initialized with the default backing character array size (16) can cause the application to consume large amounts of heap memory while resizing the underlying array to fit user's data. When data is appended to a StringBuilder or StringBuffer instance, the instance will determine if the backing character array has enough free space to store the data. If the data does not fit, the StringBuilder or StringBuffer instance will create a new array with a capacity of at least double the previous array size, and the old array will remain in the heap until it is garbage collected. Attackers can use this implementation detail to execute a Denial of Service (DoS) attack.

Example 1: User-controlled data is appended to a StringBuilder instance initialized with the default constructor.


    ...
    StringBuilder sb = new StringBuilder();
    final String lineSeparator = System.lineSeparator();
    String[] labels = request.getParameterValues("label");
    for (String label : labels) {
        sb.append(label).append(lineSeparator);
    }
    ...

References

[1] DOS-1: Beware of activities that may use disproportionate resources Oracle

[2] MSC05-J. Do not exhaust heap space CERT

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation

[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption

[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[20] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754

[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II

[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

desc.dataflow.java.denial_of_service_stringbuilder

Abstract

Appending untrusted data to a StringBuilder or StringBuffer instance initialized with the default backing array size can cause the JVM to overconsume heap memory space.

Explanation

Appending user-controlled data to a StringBuilder or StringBuffer instance initialized with the default backing character array size (16) can cause the application to consume large amounts of heap memory while resizing the underlying array to fit the user's data. When data is appended to a StringBuilder or StringBuffer instance, the instance will determine if the backing character array has enough free space to store the data. If the data does not fit, the StringBuilder or StringBuffer instance will create a new array with a capacity of at least double the previous array size, and the old array will remain in the heap until it is garbage collected. Attackers can use this implementation detail to execute a Denial of Service (DoS) attack.

Example 1: User-controlled data is appended to a StringBuilder instance initialized with the default constructor.


    ...
    val sb = StringBuilder()
    val labels = request.getParameterValues("label")
    for (label in labels) {
        sb.appendln(label)
    }
    ...