800-53|SI-10

Title

INFORMATION INPUT VALIDATION

Description

The information system checks the validity of [Assignment: organization-defined information inputs].

Supplemental

Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.
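The four checks the supplemental guidance names (character set, length, numerical range, acceptable values) followed by a structured message built so that validated data can never be read as control information, as an added Python example that is not part of the NIST text; the field rules, the in-memory table and the user-listing endpoint are constructed assumptions.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

@dataclass(frozen=True)
class FieldRule:  # one input's definition: the four checks SI-10's guidance names
    pattern: str                                 # character set and syntax
    max_len: int                                 # length
    num_range: Optional[Tuple[int, int]] = None  # numerical range
    allowed: Optional[FrozenSet[str]] = None     # acceptable values

RULES = {  # constructed for a hypothetical user-listing endpoint, not from NIST
    "username": FieldRule(r"[a-z][a-z0-9_]*", 32),
    "since": FieldRule(r"[0-9]+", 10, num_range=(0, 2**31 - 1)),
    "sort": FieldRule(r"[a-z_]+", 16, allowed=frozenset({"name", "created"})),
}

def validate(field: str, value: str) -> Union[str, int]:
    """Reject any input that does not match its definition; return the typed value."""
    rule = RULES[field]
    if len(value) > rule.max_len:
        raise ValueError(f"{field}: longer than {rule.max_len} characters")
    if re.fullmatch(rule.pattern, value) is None:
        raise ValueError(f"{field}: character set or syntax not allowed")
    if rule.allowed is not None and value not in rule.allowed:
        raise ValueError(f"{field}: not an acceptable value")
    if rule.num_range is not None and not rule.num_range[0] <= int(value) <= rule.num_range[1]:
        raise ValueError(f"{field}: outside range {rule.num_range}")
    return int(value) if rule.num_range else value

def rejects(field: str, value: str) -> bool:  # True when validate() refuses the input
    try:
        validate(field, value)
    except ValueError:
        return True
    return False

def make_db() -> sqlite3.Connection:  # constructed in-memory table so this runs offline
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE users (name TEXT, created INTEGER); INSERT INTO users VALUES ('alice', 1), ('bob', 2);")
    return conn

def find_users(conn: sqlite3.Connection, since: str, sort: str) -> List[str]:
    # The data value is bound as a parameter, so the SQL interpreter never parses it as
    # part of the command; the identifier (which cannot be bound) comes only from the allowlist.
    order = validate("sort", sort)
    sql = f"SELECT name FROM users WHERE created >= ? ORDER BY {order}"
    return [row[0] for row in conn.execute(sql, (validate("since", since),))]
```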

Reference Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
1.8.1.2 Ensure 'Custom Markup Warning' is set to Enabled | Windows | CIS Microsoft Office Word 2013 v1.1.0
1.8.1.2 Ensure 'Custom Markup Warning' is set to Enabled | Windows | CIS Microsoft Office Word 2016 v1.1.0
1.10 VCUI-80-000065 | Unix | CIS VMware vSphere 8.0 vCenter Appliance User Interface UI STIG v1.0.0 CAT II
1.11 VCEM-80-000065 | Unix | CIS VMware vSphere 8.0 vCenter Appliance ESX Agent Manager EAM STIG v1.0.0 CAT II
1.11 VCLU-80-000065 | Unix | CIS VMware vSphere 8.0 vCenter Appliance Lookup Service STIG v1.0.0 CAT II
1.11 VCPF-80-000065 | Unix | CIS VMware vSphere 8.0 vCenter Appliance Perfcharts STIG v1.0.0 CAT II
1.11 VCST-80-000065 | Unix | CIS VMware vSphere 8.0 vCenter Appliance Secure Token Service STS STIG v1.0.0 CAT II
1.13 VCLD-80-000061 | Unix | CIS VMware vSphere 8.0 vCenter Appliance Management Interface VAMI STIG v1.0.0 CAT II
1.15 SQLD-22-002100 | MS_SQLDB | CIS Microsoft SQL Server 2022 Database STIG v1.0.0 CAT II
1.18 VCEM-80-000127 | Unix | CIS VMware vSphere 8.0 vCenter Appliance ESX Agent Manager EAM STIG v1.0.0 CAT II
1.18 VCLU-80-000127 | Unix | CIS VMware vSphere 8.0 vCenter Appliance Lookup Service STIG v1.0.0 CAT II
1.18 VCPF-80-000127 | Unix | CIS VMware vSphere 8.0 vCenter Appliance Perfcharts STIG v1.0.0 CAT II
1.18 VCUI-80-000127 | Unix | CIS VMware vSphere 8.0 vCenter Appliance User Interface UI STIG v1.0.0 CAT II
1.19 VCST-80-000127 | Unix | CIS VMware vSphere 8.0 vCenter Appliance Secure Token Service STS STIG v1.0.0 CAT II
1.40 SQLI-22-010010 | MS_SQLDB | CIS Microsoft SQL Server 2022 Instance STIG v1.0.0 CAT II
1.41 SQLI-22-010020 | MS_SQLDB | CIS Microsoft SQL Server 2022 Instance STIG v1.0.0 CAT II
1.54 SQLI-22-012600 | MS_SQLDB | CIS Microsoft SQL Server 2022 Instance STIG v1.0.0 CAT II
1.86 O19C-00-017900 | OracleDB | CIS Oracle Database 19c STIG v1.1.0 CAT II
1.87 O19C-00-018000 | OracleDB | CIS Oracle Database 19c STIG v1.1.0 CAT II
1.88 O19C-00-018100 | OracleDB | CIS Oracle Database 19c STIG v1.1.0 CAT II
4.1 Ensure 'maxAllowedContentLength' is configured | Windows | CIS IIS 8.0 v1.5.1 Level 2
4.1 Ensure 'maxAllowedContentLength' is configured - Applications | Windows | CIS IIS 7 L2 v1.8.0
4.1 Ensure 'maxAllowedContentLength' is configured - Default | Windows | CIS IIS 7 L2 v1.8.0
4.2 Ensure 'maxURL request filter' is configured | Windows | CIS IIS 8.0 v1.5.1 Level 2
4.2 Ensure 'maxURL request filter' is configured - Applications | Windows | CIS IIS 7 L2 v1.8.0
4.2 Ensure 'maxURL request filter' is configured - Default | Windows | CIS IIS 7 L2 v1.8.0
4.3 Ensure 'MaxQueryString request filter' is configured | Windows | CIS IIS 8.0 v1.5.1 Level 2
4.3 Ensure 'MaxQueryString request filter' is configured - Applications | Windows | CIS IIS 7 L2 v1.8.0
4.3 Ensure 'MaxQueryString request filter' is configured - Default | Windows | CIS IIS 7 L2 v1.8.0
4.4 Ensure non-ASCII characters in URLs are not allowed | Windows | CIS IIS 8.0 v1.5.1 Level 2
4.4 Ensure non-ASCII characters in URLs are not allowed - Applications | Windows | CIS IIS 7 L2 v1.8.0
4.4 Ensure non-ASCII characters in URLs are not allowed - Default | Windows | CIS IIS 7 L2 v1.8.0
6.6 Control the maximum size of a POST request that will be parsed for parameter | Unix | CIS Apache Tomcat 8 L1 v1.1.0 Middleware
10.8 Do not allow additional path delimiters (ALLOW_BACKSLASH) | Unix | CIS Apache Tomcat 7 L2 v1.1.0
10.8 Do not allow additional path delimiters (ALLOW_BACKSLASH) | Unix | CIS Apache Tomcat 7 L2 v1.1.0 Middleware
10.8 Do not allow additional path delimiters (ALLOW_ENCODED_SLASH) | Unix | CIS Apache Tomcat 7 L2 v1.1.0
10.8 Do not allow additional path delimiters (ALLOW_ENCODED_SLASH) | Unix | CIS Apache Tomcat 7 L2 v1.1.0 Middleware
10.19 Setting Security Lifecycle Listener (check for config component) | Unix | CIS Apache Tomcat 7 L1 v1.1.0
10.19 Setting Security Lifecycle Listener (check for config component) | Unix | CIS Apache Tomcat 7 L1 v1.1.0 Middleware
35 - Do not allow custom header status messages | Unix | TNS Best Practice Jetty 9 Linux
Big Sur - Information Input Validation | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Information Input Validation | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Information Input Validation | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Must behave in predictable and documented manner | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Catalina - Information Input Validation | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Information Input Validation | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
CD12-00-001800 - PostgreSQL must check the validity of all data inputs except those specifically identified by the organization. | PostgreSQLDB | DISA STIG Crunchy Data PostgreSQL DB v3r1
CD12-00-001900 - PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it. | PostgreSQLDB | DISA STIG Crunchy Data PostgreSQL DB v3r1
CD12-00-002000 - PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack. | PostgreSQLDB | DISA STIG Crunchy Data PostgreSQL DB v3r1
CD12-00-003700 - When invalid inputs are received, PostgreSQL must behave in a predictable and documented manner that reflects organizational and system objectives. | PostgreSQLDB | DISA STIG Crunchy Data PostgreSQL DB v3r1