Source to Sink

Description

A source method or user-controlled parameter is used to call a sink method.

A source is an untrusted data input that may originate from an untrusted user. A sink is a dangerous method that an attacker who can reach it may leverage to perform an attack.

Sources and sinks must be reviewed for vulnerabilities such as injection, Indirect Object Reference or unauthorized data access.
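As an added illustration of the source-to-sink flow described above (example code, not part of this page or of the scanner's own engine), the following toy intra-procedural taint checker marks values returned by a source, propagates the taint through assignments and string building, clears it at a sanitizer, and reports every sink call reached by tainted data. The source, sink and sanitizer sets and the sample function are constructed assumptions.

```python
import ast

# Toy taint checker (added example; the source/sink/sanitizer sets are constructed assumptions).
SOURCES = {"request.args.get", "input"}          # where untrusted data enters
SINKS = {"cursor.execute", "os.system"}          # dangerous methods
SANITIZERS = {"int", "shlex.quote"}              # calls whose result is treated as clean

def dotted(node):  # "request.args.get" for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def find_flows(code):
    """Return [(sink_name, lineno)] for every sink call whose arguments carry source taint."""
    tainted, flows = set(), []
    def is_tainted(expr):
        if isinstance(expr, ast.Call):
            name = dotted(expr.func)
            if name in SOURCES or name in SANITIZERS:
                return name in SOURCES       # source taints; sanitizer clears
            return any(is_tainted(a) for a in expr.args)
        if isinstance(expr, ast.Name):
            return expr.id in tainted
        # concatenation, f-strings, tuples, ...: tainted if any child is
        return any(is_tainted(c) for c in ast.iter_child_nodes(expr))
    def visit(stmts):  # statements in source order, recursing into nested blocks
        for stmt in stmts:
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                name = dotted(stmt.value.func)
                if name in SINKS and any(is_tainted(a) for a in stmt.value.args):
                    flows.append((name, stmt.lineno))
            for field in ("body", "orelse"):
                visit(getattr(stmt, field, []))
    visit(ast.parse(code).body)
    return flows

# Constructed sample: one tainted flow (line 4) and one flow broken by a sanitizer.
SAMPLE = '''def lookup(request, cursor):
    user_id = request.args.get("id")          # source: untrusted HTTP parameter
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)                     # sink reached with tainted data
    safe_id = int(request.args.get("id"))     # sanitizer breaks the flow
    cursor.execute("SELECT * FROM users WHERE id = %s", (safe_id,))'''
```

Running `find_flows(SAMPLE)` reports only the first `cursor.execute` call, which is the finding this rule class would raise; the checker is deliberately simple (no inter-procedural or field-sensitive tracking).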

Recommendation

The recommendation depends on the class of vulnerability identified.

Standards

  • OWASP_MASVS_L1:
    • MSTG_CODE_8
  • OWASP_MASVS_L2:
    • MSTG_CODE_8
  • PCI_STANDARDS:
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3