Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
...
steps:
- run: echo "${{ github.event.pull_request.title }}"
...
github.event.pull_request.title
value represents. If the github.event.pull_request.title
contains malicious executable code, the action runs the malicious code, which results in command injection.
...
string password = Request.Form["db_pass"]; //gets POST parameter 'db_pass'
SqlConnection DBconn = new SqlConnection("Data Source = myDataSource; Initial Catalog = db; User ID = myUsername; Password = " + password + ";");
...
db_pass parameter such as:
...
password := request.FormValue("db_pass")
db, err := sql.Open("mysql", "user:" + password + "@/dbname")
...
db_pass parameter such as:
username = req.field('username')
password = req.field('password')
...
client = MongoClient('mongodb://%s:%s@aMongoDBInstance.com/?ssl=true' % (username, password))
...
password parameter such as:
hostname = req.params['host'] #gets POST parameter 'host'
...
conn = PG::Connection.new("connect_timeout=20 dbname=app_development user=#{user} password=#{password} host=#{hostname}")
...
host parameter such as:
content://my.authority/messages
content://my.authority/messages/123
content://my.authority/messages/deleted
by providing a msgId code with value deleted:
// "msgId" is submitted by users
Uri dataUri = Uri.parse(WeatherContentProvider.CONTENT_URI + "/" + msgId);
Cursor wCursor1 = getContentResolver().query(dataUri, null, null, null, null);
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var url:String = String(params["url"]);
var ldr:Loader = new Loader();
var urlReq:URLRequest = new URLRequest(url);
ldr.load(urlReq);
...
message, and displays it to the user.
client = openai.OpenAI()
res = client.chat.completions.create(...)
message = res.choices[0].message.content  # model output, not trusted
self.writeln(f"<p>{message}</p>")  # written into the page without encoding
text/html MIME type. Therefore, XSS is only possible if the response uses this MIME type or any other that also forces the browser to render the response as HTML or other document that may execute scripts such as SVG images (image/svg+xml), XML documents (application/xml), etc.
application/octet-stream.
However, some browsers such as Internet Explorer perform what is known as Content Sniffing. Content Sniffing involves ignoring the provided MIME type and attempting to infer the correct MIME type by the contents of the response. text/html is only one such MIME type that may lead to XSS vulnerabilities. Other documents that may execute scripts such as SVG images (image/svg+xml), XML documents (application/xml), as well as others may lead to XSS vulnerabilities regardless of whether the browser performs Content Sniffing. <html><body><script>alert(1)</script></body></html>, could be rendered as HTML even if its content-type header is set to application/octet-stream, multipart-mixed, and so on.
application/octet-stream response.
@RestController
public class SomeResource {
    @RequestMapping(value = "/test", produces = {MediaType.APPLICATION_OCTET_STREAM_VALUE})
    public String response5(@RequestParam(value="name") String name){
        return name;
    }
}
name parameter set to <html><body><script>alert(1)</script></body></html>, the server will produce the following response:
HTTP/1.1 200 OK
Content-Length: 51
Content-Type: application/octet-stream
Connection: Closed
<html><body><script>alert(1)</script></body></html>
text/html MIME type. Therefore, XSS is only possible if the response uses this MIME type or any other that also forces the browser to render the response as HTML or other document that may execute scripts such as SVG images (image/svg+xml), XML documents (application/xml), etc.
application/json.
However, some browsers such as Internet Explorer perform what is known as Content Sniffing. Content Sniffing involves ignoring the provided MIME type and attempting to infer the correct MIME type by the contents of the response. text/html is only one such MIME type that may lead to XSS vulnerabilities. Other documents that may execute scripts such as SVG images (image/svg+xml), XML documents (application/xml), as well as others may lead to XSS vulnerabilities regardless of whether the browser performs Content Sniffing. <html><body><script>alert(1)</script></body></html>, could be rendered as HTML even if its content-type header is set to application/json.
application/json response.
def mylambda_handler(event, context):
    name = event['name']  # untrusted input, echoed into the body unescaped
    response = {
        "statusCode": 200,
        "body": f"{{'name': '{name}'}}",
        "headers": {
            'Content-Type': 'application/json',
        }
    }
    return response
name parameter set to <html><body><script>alert(1)</script></body></html>, the server will produce the following response:
HTTP/1.1 200 OK
Content-Length: 88
Content-Type: application/json
Connection: Closed
{'name': '<html><body><script>alert(1)</script></body></html>'}
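A hardened form of the Lambda handler above, written here as an added example rather than code from the original page: the body is built with json.dumps instead of string formatting, angle brackets and ampersands are emitted as JSON \u escapes so the bytes never resemble markup to a content-sniffing browser, and X-Content-Type-Options: nosniff is sent. The names escape_json_for_html, safe_lambda_handler, decode_body and SAMPLE_EVENT are chosen for this example; the event shape matches the handler above.

```python
import json

# Constructed sample event carrying the same payload the page shows.
SAMPLE_EVENT = {"name": "<html><body><script>alert(1)</script></body></html>"}

# Characters that let a JSON body be mistaken for HTML. Each is replaced by a
# JSON \uXXXX escape, which is still valid JSON and decodes to the same text.
_HTML_SENSITIVE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def escape_json_for_html(serialized: str) -> str:
    """Post-process a json.dumps() result so it contains no raw markup bytes."""
    for ch, repl in _HTML_SENSITIVE.items():
        serialized = serialized.replace(ch, repl)
    return serialized


def safe_lambda_handler(event, context=None):
    name = event["name"]  # still untrusted; it is serialized, never pasted into a literal
    body = escape_json_for_html(json.dumps({"name": name}))
    return {
        "statusCode": 200,
        "body": body,
        "headers": {
            "Content-Type": "application/json; charset=utf-8",
            # Instructs browsers to honour the declared type instead of sniffing.
            "X-Content-Type-Options": "nosniff",
        },
    }


def decode_body(response: dict) -> dict:
    """Parse the response body as JSON; the escapes round-trip to the original text."""
    return json.loads(response["body"])


def body_has_raw_markup(response: dict) -> bool:
    """Defender's check: no raw angle brackets may survive in the body."""
    return "<" in response["body"] or ">" in response["body"]
```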