CRITICAL
Rule Definition
The software receives input from API requests, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
This may enable an attacker to access or modify otherwise protected system resources.
Remediation
Assume all input is malicious.
Avoid using request input directly as a resource identifier. If that is not possible, use an "accept known good" input validation strategy, i.e., use stringent white-lists that limit the character set and the range of values based on the expected value of the parameter in the request. This indirectly limits the scope of an attack.
Violation Code Sample
...
// value is the String given by an API request; it is parsed and used, without
// any validation, as the port of a listening socket, so the caller decides
// which port the server opens
int result = Integer.parseInt(value);
serverSocket = new ServerSocket(result);
...
Fixed Code Sample
...
// VALUE is a constant defined by the application, not taken from the request
int result = VALUE;
serverSocket = new ServerSocket(result);
...
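When the port genuinely has to come from the request, the "accept known good" strategy above can be applied instead of a constant. The following is an added example, not code from the CAST rule page; the class name, the allowed port set and the openListener caller are assumptions for illustration.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.util.Set;

public class PortAllowlist {
    // Assumption: the application is only ever meant to listen on these ports.
    private static final Set<Integer> ALLOWED_PORTS = Set.of(8080, 8443);

    // "Accept known good": the request value must be short, digits only and
    // one of the expected ports; anything else is rejected before it reaches
    // the socket layer.
    static int validatePort(String value) {
        if (value == null || value.length() > 5 || !value.matches("[0-9]+")) {
            throw new IllegalArgumentException("port must be 1-5 digits");
        }
        int port = Integer.parseInt(value);   // cannot overflow: at most 5 digits
        if (!ALLOWED_PORTS.contains(port)) {
            throw new IllegalArgumentException("port not in allow-list: " + port);
        }
        return port;
    }

    // value is the String given by an API request (hypothetical caller)
    static ServerSocket openListener(String value) throws IOException {
        int result = validatePort(value);
        return new ServerSocket(result);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one expected value and several rejects
        String[] samples = {"8080", "22", "80x", "99999", ""};
        for (String s : samples) {
            try {
                int p = validatePort(s);
                System.out.println("\"" + s + "\" -> accepted: " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting at validatePort keeps the check in one place, so every call site that later opens a socket from request data inherits the same allow-list.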
Reference
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
https://cwe.mitre.org/data/definitions/99.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
CISQ rule: ASCSM-CWE-99.
Related Technologies
Technical Criterion
CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.