Title

The API must encode outputs. (Cat II impact)

Discussion

Output encoding ensures data sent from an API is properly formatted and does not cause unintended effects on the receiving end. Requiring an API to encode its outputs is a security measure to prevent Cross-Site Scripting (XSS), HTTP Response Splitting, and Log Injection vulnerabilities. Without proper encoding, an attacker could inject malicious scripts into API responses, which could be executed when displayed in a web application, leading to XSS attacks. Improperly encoded responses could allow attackers to manipulate HTTP headers, causing response splitting that may facilitate cache poisoning or session fixation. Unencoded user input in logs could introduce log injection issues, obscuring attack traces or triggering unintended system behavior. Encoding output ensures special characters are safely represented, preventing unintended execution or injection attacks.

Check Content

Verify the API encodes outputs. If the API does not encode outputs, this is a finding.

Fix Text

Build or configure the API to encode outputs.

Additional Identifiers

Rule ID: SV-274767r1143805_rule

Vulnerability ID: V-274767

Group Title: SRG-APP-000516

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.