Java : Unsafe encoding

Classification

OWASP Top 10 2013

A6-Sensitive Data Exposure

OWASP Top 10 2017

A6-Security Misconfiguration

OWASP Top 10 2021

A5-Security Misconfiguration

OWASP MASVS

V6: 6.2.(L1/L2/L1+R/L2+R)

OWASP ASVS

Validation, Sanitization and Encoding Validation, Sanitization and Encoding

PCI DSS 4.0

6.2.4

CWE

CWE-176 CWE-1032

Overview

The used encoding algorithm does not provide complete protection against code injection. The encoding algorithms such as HTML-encode, JS-encode, URL-encode are not a sufficient protection.

References

CWE-176: Improper Handling of Unicode Encoding
OWASP: ESAPI Secure Coding Guideline
OWASP Top 10 2017-A6-Security Misconfiguration
CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
CWE-174: Double Decoding of the Same Data
CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration

MEDIUM

Java : Unsafe encoding

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Java : Unsafe encoding in your application?

See also

Java : Race condition

Java : Text4Shell Vulnerability

Java : JNI usage