ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2608/rule.adoc
jtingsanchali 96d9ddb930
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) 
* Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
2022-04-07 08:53:59 -05:00

25 lines
1.0 KiB
Plaintext
Raw Blame History

Cookie values and the contents of form fields - both visible _and_ hidden - can easily be manipulated by attackers. Therefore, security decisions should not be made based on these inputs.
This rule logs an issue whenever form fields and cookie values are accessed.
== Noncompliant Code Example
[source,text]
----
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
Cookie [] cookies = request.getCookies(); // Noncompliant
String hiddenValue = request.getParameter("hiddenField"); // Noncompliant
Map<String,String[]> params = request.getParameterMap(); // Noncompliant
String [] hiddenFieldValues = reqeust.getParameterValues("hiddenArray"); // Noncompliant
----
== See
* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
* https://cwe.mitre.org/data/definitions/807[MITRE, CWE-807] - Reliance on Untrusted Inputs in a Security Decision
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
Reference in New Issue View Git Blame Copy Permalink