Kingdom: Input Validation and Representation

Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

Setting Manipulation: User-Controlled Allow List

Abstract
The application allows a user to define an allow list, which may give them the ability to mark malicious input as safe.
Explanation
Frameworks often have allow lists for validation to protect against vulnerabilities.

Example 1: The following allows a malicious user to set the allow list that is used by AngularJS to determine what types of links images can retrieve.

myModule.config(function($compileProvider){
    $compileProvider.imgSrcSanitizationWhitelist(userInput);
});


This may seem fine, but if the user sets the regular expression to /^(http(s)?|javascript):.*/, the application will then allow the use of inline JavaScript within image source URLs, which may lead to cross-site scripting attacks.
Other instances of allow lists may be preventing all different types of attacks, especially injection attacks such as cross-site scripting, command injection, SQL injection, along with business logic flaws.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 15
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.javascript.setting_manipulation_user_controlled_allow_list