A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.
The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.
Check
Review the API's source code or backend database interaction layer.
Identify all database queries constructed using user-supplied input.
Verify that parameterized queries (also known as prepared statements) are used instead of dynamically constructed SQL strings with input concatenation.
Confirm that query parameters are bound using the appropriate method for the language or database framework (e.g., ?, named parameters, or bind variables).
If any queries use string concatenation or interpolation of user input without parameterization, this is a finding.
Fix
Follow best practice when accepting user input and verify all input is validated before the API processes the input.
Remediate identified vulnerabilities and obtain documented risk acceptance for those issues that cannot be remediated immediately.