Skip to content

Source to Sink

Source to Sink


Source method or user-controlled parameter is used to call a sink method.

Source refers to untrusted data input, that may originate from an untrusted user. Sink refers to dangerous method, that if accessible by attacker, may leverage it to perform an attack.

Source and Sinks must be reviewed for vulnerabilities, like Injection, Indirect Object Reference or Unauthorized data access.


Recommendation varies on the class of vulnerability identified.