Source to Sink
Description
A source method or user-controlled parameter is used to call a sink method.
A source is untrusted data input that may originate from an untrusted user. A sink is a dangerous method that an attacker may leverage to perform an attack if it is accessible to them.
Sources and sinks must be reviewed for vulnerabilities such as Injection, Indirect Object Reference or Unauthorized data access.
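Part of a source-to-sink review can be automated by tracking which variables carry source data and flagging sink calls that receive them. The sketch below is an added example, not part of the original entry: a straight-line taint tracker over Python source, in which the `SOURCES` and `SINKS` tables, the sample snippet and names such as `request.args.get` and `cursor` are assumptions chosen for illustration.

```python
import ast

# Assumed, illustrative tables; a real review tailors them to the code base.
SOURCES = {"input", "request.args.get", "os.environ.get"}
# Sink name -> index of the argument that must not carry untrusted data.
SINKS = {"os.system": 0, "eval": 0, "cursor.execute": 0}

# Constructed sample under review (parsed only, never executed).
SAMPLE = '''\
uid = request.args.get("id")
query = "SELECT * FROM users WHERE id = " + uid
cursor.execute(query)
cursor.execute("SELECT * FROM users WHERE id = ?", (uid,))
uid = "42"
os.system("echo " + uid)
'''

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def is_tainted(expr, tainted):
    """True if expr contains a source call or reads a tainted variable."""
    return any(
        (isinstance(n, ast.Call) and dotted_name(n.func) in SOURCES)
        or (isinstance(n, ast.Name) and n.id in tainted)
        for n in ast.walk(expr))

def find_flows(code):
    """Return [(line, sink)] for sink calls whose dangerous argument is tainted.
    Single scope, top-level statements in order; no branches or functions."""
    tainted, findings = set(), []
    for stmt in ast.parse(code).body:
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            name = dotted_name(node.func)
            idx = SINKS.get(name)
            if idx is not None and len(node.args) > idx and is_tainted(node.args[idx], tainted):
                findings.append((node.lineno, name))
        if isinstance(stmt, ast.Assign):
            dirty = is_tainted(stmt.value, tainted)
            for target in stmt.targets:
                if isinstance(target, ast.Name):  # clean reassignment clears taint
                    (tainted.add if dirty else tainted.discard)(target.id)
    return findings
```

Only the concatenated query on line 3 of the sample is reported; the parameterized call on line 4 keeps the source data out of the query text, and the `os.system` call runs after `uid` has been overwritten with a constant.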
Recommendation
The recommendation varies with the class of vulnerability identified.
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_PLATFORM_2
- OWASP_MASVS_L2:
  - MSTG_PLATFORM_2
- PCI_STANDARDS:
  - REQ_6_2
  - REQ_6_3
  - REQ_11_3
- OWASP_MASVS_v2_1:
  - MASVS_CODE_4