Note: Requirements 6.5.1 through 6.5.6, below, apply to all applications (internal or external).
6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
6.5.1 Examine software-development policies and procedures and interview responsible personnel to verify that injection flaws are addressed by coding techniques that include:
• Validating input to verify user data cannot modify meaning of commands and queries.
• Utilizing parameterized queries.
Injection flaws, particularly SQL injection, are a commonly used method for compromising applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data, and allows the attacker to attack components inside the network through the application, to initiate attacks such as buffer overflows, or to reveal both confidential information and server application functionality.
Information should be validated before being sent to the application—for example, by checking for all alpha characters, mix of alpha and numeric characters, etc.