
The mobile application must validate the correctness of data inputs.


Overview

Finding ID: V-35658
Version: SRG-APP-000251-MAPP-00052
Rule ID: SV-46945r1_rule
IA Controls: none listed
Severity: Medium
Description
Inputs may come from users or other processes. The absence of input validation exposes an application to improper functioning, to manipulation of data by an adversary, and to the security risks associated with SQL injection and integer overflow attacks. The lack of input validation can lead to immediate access to an application, denial of service, and malicious action on the stored data. Applying this control gives the user greater protection against malicious intruders attempting to access the application or its remote server with input that may grant access to the application or cause unpredictable operation and corruption of data. Please refer to CWEs: 15, 20, 22, 73, 77, 78, 79, 80, 82, 83, 87, 88, 89, 90, 94, 95, 98, 99, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 117, 119, 120, 125, 126, 129, 131, 134, 170, 190, 193, 195, 197, 398, 434, 466, 470, 501, 564, 566, 601, 639, 643, 692, 787, and 805 for further information. Additional information on CWEs is found in the MAPP SRG Overview.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-44000r1_chk)
Review the application documentation for the test plans and determine whether testing was performed for invalid input. Invalid input includes the presence of scripting tags within text fields, query string manipulation, and invalid data types and sizes. If the test plans indicate these types of tests were performed, only a small sampling of testing is required. If the test plans do not exist or do not indicate that these types of tests were performed, more detailed testing is required.

Perform a dynamic program analysis by fuzzing all user inputs of the application, providing invalid, unexpected, or random data to each input. Test the application with invalid sizes and types: try to exceed the buffer limits of the input fields, and try to put the wrong type of data in a field, for example character data in a numeric field. If the application requires the entry of IP addresses and cannot handle the 128-bit IPv6 format, this is a finding. If the application cannot handle IPv6 formats yet accepts hexadecimal notation including colons, this is a finding.

Perform a static analysis to determine whether code is present that, when executed, checks input data against defined constraints. If no input validation code is present, this is a finding.
Fix Text (F-40200r1_fix)
Modify code so that the application validates all input.