Details | |
---|---|
Alert ID | 90019-2 |
Alert Type | Active |
Status | release |
Risk | High |
CWE | 94 |
WASC | 20 |
Technologies Targeted |
Language / ASP Language / PHP |
Tags |
CWE-94 OWASP_2017_A01 OWASP_2021_A03 POLICY_API POLICY_DEV_FULL POLICY_QA_FULL POLICY_QA_STD POLICY_SEQUENCE WSTG-V42-INPV-11 |
More Info |
Scan Rule Help |
Summary
A code injection may be possible including custom code that will be evaluated by the scripting engine.
Solution
Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side and escape all data received from the client. Avoid the use of eval() functions combined with user input data.Other Info
References
- https://cwe.mitre.org/data/definitions/94.html
- https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection