Include example and recommendation for proper schema validation in A8:2019 Injection

[flascelles]

Injection could cover case where validation is done but does not go far enough as well as an associated recommendation using this example below.

Scenario #
“An e-commerce API validates that a quantity input parameter in a shopping cart represented in JSON is an integer but stops short at validating that the value is not a negative value. Attacker uses this vulnerability to get zero-sum totals in a transaction:
POST /ecommerce/cart
{
items:[
{
id: 123456,
quantity: 1,
price: 200
},
{
id: 789123,
quantity: -2,
price: 100
}
]
}”

How to Prevent
“Validate incoming structured data using schemas (e.g. JSON schema) that include sufficient filters to only allow valid values for each input parameter.”

[PauloASilva]

Hi @apiguyatpingid,
Thanks for contributing.

I do not consider this an Injection scenario since data is not passed in an interpreter. I would classify this either as an Improper Input Validation or Business Logic Bypass.

There's no "Improper Input Validation" category in this API Security Top 10 version since it was not that frequent on collected publicly disclosed security reports or in most cases it leads to more severe weaknesses already address in the Top 10 (e.g. Injection).

We already have an open issue to add a NoSQL Injection attack scenario to A8:2019 Injection category (see #6). Maybe you can contribute there.

I think your recommendation makes sense to be added to the "How to Prevent" section nevertheless, we should make it generic since not all APIs use structured data exchange formats. What do you think about adding the following recommendation?

"Validate incoming data using sufficient filters to only allow valid values for each input parameter"

Would you like to open the PR?

Cheers,
Paulo A. Silva

[flascelles]

that makes sense, thanks. i will open the PR