Check: SRG-APP-000251-MAPP-00053
Mobile Application SRG: SRG-APP-000251-MAPP-00053 (in version v1 r1)
Title
The mobile application must define a character set for data inputs. (Cat III impact)
Discussion
Characters entered in an application's input fields that are undefined can lead to unpredictable results and leave the application's stored data vulnerable. If the application does not set a character set, unexpected input that uses other character encodings could cause the application to operate unpredictably and allow an intruder to gain access to the application by manipulating certain characters, obtaining the access and privileges of authorized users. Defining a character set for input gives users a greater security posture, because input is filtered against a defined set of characters allowed for use with the application. Please refer to CWEs 74, 78, and 88 for further information. Additional information on CWEs is found in the MAPP SRG Overview.
Check Content
For mobile applications that accept character data, perform a static program analysis on the application by checking for the declaration of the character set. Next, perform a dynamic program analysis and test the application for invalid sizes and types. Test input and try to exceed buffer limits on the input fields. Try to put the wrong types of data in the input fields; for example, put character data in a numeric field. If the static analysis reveals no character set was declared, this is a finding. If the dynamic analysis reveals invalid input is not rejected, such as numbers being accepted where only alpha characters are required, this is a finding. As a further example, if the application requires the entry of IP addresses but is not capable of handling IPv6 formats that are 128 bits long, this is a finding. If the application is not capable of handling IPv6 formats and accepts characters in hexadecimal notation, including colons, this is a finding.
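One way the declared character set, length limit, type check and IPv6 handling that this procedure tests for can be expressed in code, as an added Python example that is not part of the SRG; the field names, the allowed-character patterns and the length limits are assumptions for illustration.

```python
import ipaddress
import re

# Constructed example (not part of the SRG): each input field declares an
# explicit allow-listed character set and a maximum length up front, so any
# byte or character outside that set is rejected before the value is used.
FIELD_RULES = {
    # field name: (allowed-character pattern, maximum length) -- assumed values
    "username": (re.compile(r"[A-Za-z0-9_.-]+"), 32),
    "surname": (re.compile(r"[A-Za-z' -]+"), 64),      # alpha only; digits fail
    "quantity": (re.compile(r"[0-9]+"), 6),            # numeric only; letters fail
    "ip_address": (re.compile(r"[0-9A-Fa-f:.]+"), 45),  # 45 = longest IPv6 text form
}


def validate_field(name, value):
    """Return (ok, reason) for one input value against its declared rule."""
    if name not in FIELD_RULES:
        return False, "undeclared field"
    pattern, max_len = FIELD_RULES[name]
    if isinstance(value, bytes):
        # The application's character encoding is fixed to UTF-8 here; input
        # in another encoding that does not decode strictly is rejected.
        try:
            value = value.decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            return False, "not valid UTF-8"
    if not isinstance(value, str):
        return False, "wrong type"
    if len(value) > max_len:
        return False, "exceeds length limit"
    if not pattern.fullmatch(value):
        return False, "character outside declared set"
    if name == "ip_address":
        # The character set alone still admits strings such as "::::", so a
        # semantic parse is needed; ipaddress accepts IPv4 and 128-bit IPv6.
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return False, "not a valid IPv4/IPv6 address"
    return True, "ok"


def validate_form(fields):
    """Validate a whole form; return a list of (field, reason) rejections."""
    findings = []
    for name, value in fields.items():
        ok, reason = validate_field(name, value)
        if not ok:
            findings.append((name, reason))
    return findings
```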
Fix Text
Modify the code to fix the character set for the application.
Additional Identifiers
Rule ID: SV-46947r1_rule
Vulnerability ID: V-35660
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-001310 | The information system checks the validity of organization-defined inputs.
Controls
Number | Title
---|---
SI-10 | Information Input Validation