Reino: Input Validation and Representation
Los problemas de validación y representación de entradas están causados por metacaracteres, codificaciones alternativas y representaciones numéricas. Los problemas de seguridad surgen de entradas en las que se confía. Estos problemas incluyen: «desbordamientos de búfer», ataques de «scripts de sitios», "SQL injection" y muchas otras acciones.
LDAP Manipulation
Abstract
La ejecución de una instrucción LDAP que contenga un valor controlado por el usuario fuera de la cadena de filtro puede permitir a un atacante modificar el significado de la instrucción o ejecutar comandos LDAP arbitrarios.
Explanation
Los errores de manipulación LDAP se producen cuando:
1. Los datos entran en un programa desde un origen que no es de confianza.
2. Los datos se utilizan fuera de la cadena de filtro en una instrucción LDAP dinámica.
Ejemplo 1: el siguiente código lee una cadena
Dado que la cadena de conexión incluye entrada de usuario y se realiza conforme a un enlace anónimo, un atacante podría modificar los resultados de la consulta especificando un valor
1. Los datos entran en un programa desde un origen que no es de confianza.
2. Los datos se utilizan fuera de la cadena de filtro en una instrucción LDAP dinámica.
Ejemplo 1: el siguiente código lee una cadena
ou de un campo oculto enviado mediante una solicitud HTTP y la utiliza para crear una nueva DirectoryEntry.
...
de = new DirectoryEntry("LDAP://ad.example.com:389/ou="
+ hiddenOU.Text + ",dc=example,dc=com");
...
Dado que la cadena de conexión incluye entrada de usuario y se realiza conforme a un enlace anónimo, un atacante podría modificar los resultados de la consulta especificando un valor
ou inesperado. El problema es que el desarrollador no pudo aprovechar los mecanismos de control de acceso necesarios para restringir las consultas subsiguientes de modo que solo puedan acceder a los registros de empleados para los que el usuario actual tiene permisos de lectura.References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 90
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.7 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[25] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.dataflow.dotnet.ldap_manipulation
Abstract
La ejecución de una instrucción LDAP que contenga un valor controlado por el usuario fuera de la cadena de filtro puede permitir a un atacante modificar el significado de la instrucción o ejecutar comandos LDAP arbitrarios.
Explanation
Los errores de manipulación LDAP se producen cuando:
1. Los datos entran en un programa desde un origen que no es de confianza.
2. Los datos se utilizan fuera de la cadena de filtro en una instrucción LDAP dinámica.
Ejemplo 1: el código siguiente lee una cadena
Como DN base se origina desde la entrada de usuario y la consulta se realiza bajo un enlace anónimo, un atacante podría modificar los resultados de la consulta especificando una cadena
1. Los datos entran en un programa desde un origen que no es de confianza.
2. Los datos se utilizan fuera de la cadena de filtro en una instrucción LDAP dinámica.
Ejemplo 1: el código siguiente lee una cadena
dn desde un socket y la usa para realizar una consulta LDAP.
...
rc = ldap_simple_bind_s( ld, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
...
}
...
fgets(dn, sizeof(dn), socket);
if ( ( rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_BASE,
filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result ) ) != LDAP_SUCCESS ) {
...
Como DN base se origina desde la entrada de usuario y la consulta se realiza bajo un enlace anónimo, un atacante podría modificar los resultados de la consulta especificando una cadena
dn inesperada. El problema es que el desarrollador no pudo aprovechar los mecanismos de control de acceso necesarios para restringir las consultas subsiguientes de modo que solo puedan acceder a los registros de empleados para los que el usuario actual tiene permisos de lectura.References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 90
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.7 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[25] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.dataflow.cpp.ldap_manipulation
Abstract
La ejecución de una instrucción LDAP que contenga un valor controlado por el usuario fuera de la cadena de filtro puede permitir a un atacante modificar el significado de la instrucción o ejecutar comandos LDAP arbitrarios.
Explanation
Los errores de manipulación LDAP se producen cuando:
1. Los datos entran en un programa desde un origen que no es de confianza.
2. Los datos se utilizan fuera de la cadena de filtro en una instrucción LDAP dinámica.
Ejemplo 1: el código siguiente lee un nombre de usuario y una contraseña desde una solicitud HTTP y usa esta información para realizar una búsqueda LDAP.
Como la consulta incluye entrada de usuario y se realiza bajo un enlace anónimo, la consulta devolverá los detalles para cualquier nombre especificado, independientemente de si coincide o no con la contraseña especificada. Un atacante puede usar de forma eficaz el código siguiente para buscar los detalles de cualquier empleado del sistema, lo que representa una grave intromisión en la privacidad. El problema es que el desarrollador no pudo sacar provecho de los mecanismos de control de acceso necesarios para restringir la consulta de forma que solo pueda acceder a los registros de empleados para los que el usuario actual tiene permisos de lectura.
1. Los datos entran en un programa desde un origen que no es de confianza.
2. Los datos se utilizan fuera de la cadena de filtro en una instrucción LDAP dinámica.
Ejemplo 1: el código siguiente lee un nombre de usuario y una contraseña desde una solicitud HTTP y usa esta información para realizar una búsqueda LDAP.
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);
String empID = request.getParameter("empID");
try
{
BasicAttribute attr = new BasicAttribute("empID", empID);
NamingEnumeration employee =
ctx.search("ou=People,dc=example,dc=com",attr);
...
Como la consulta incluye entrada de usuario y se realiza bajo un enlace anónimo, la consulta devolverá los detalles para cualquier nombre especificado, independientemente de si coincide o no con la contraseña especificada. Un atacante puede usar de forma eficaz el código siguiente para buscar los detalles de cualquier empleado del sistema, lo que representa una grave intromisión en la privacidad. El problema es que el desarrollador no pudo sacar provecho de los mecanismos de control de acceso necesarios para restringir la consulta de forma que solo pueda acceder a los registros de empleados para los que el usuario actual tiene permisos de lectura.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 90
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.7 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[25] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.dataflow.java.ldap_manipulation
Abstract
La ejecución de una instrucción LDAP que contenga un valor controlado por el usuario fuera de la cadena de filtro puede permitir a un atacante modificar el significado de la instrucción o ejecutar comandos LDAP arbitrarios.
Explanation
Los errores de manipulación LDAP se producen cuando:
1. Los datos entran en un programa desde un origen que no es de confianza.
2. Los datos se utilizan fuera de la cadena de filtro en una instrucción LDAP dinámica.
Ejemplo 1: El código siguiente lee una cadena
Como
1. Los datos entran en un programa desde un origen que no es de confianza.
2. Los datos se utilizan fuera de la cadena de filtro en una instrucción LDAP dinámica.
Ejemplo 1: El código siguiente lee una cadena
dn desde el usuario y la utiliza para realizar una consulta LDAP.
$dn = $_POST['dn'];
if (ldap_bind($ds)) {
...
try {
$rs = ldap_search($ds, $dn, "ou=People,dc=example,dc=com", $attr);
...
Como
dn base se origina desde la entrada de usuario y la consulta se realiza bajo un enlace anónimo, el atacante podría modificar los resultados de la consulta especificando una cadena dn inesperada. El problema es que el desarrollador no pudo aprovechar los mecanismos de control de acceso necesarios para restringir las consultas subsiguientes de modo que solo puedan acceder a los registros de empleados para los que el usuario actual tiene permisos de lectura.References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 90
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.7 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[25] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.dataflow.php.ldap_manipulation