1

During a security assessment I found that an application wrote JavaScript from input fields directly in the database. The application itself had good output sanitization so no XSS was possible in that application. A different application that used the same data didn't have good output sanitization and had an XSS vulnerability, which has been fixed since then.

So what I have now is a finding that input data is not properly validated, which might pose problems for applications that do not sanitize output well but not in the current application. What CVSS score would I put on that? I cannot well make it a high vulnerability because it is impossible to exploit now. But in the future it could pose problems and I do want it fixed in the context of "defense in depth".

Question: What would the CVSS score be for a non-exploitable input validation vulnerability?

Wealot
  • In the majority of cases you should *only* sanitize the output. That is, it's absolutely fine to store a literal `<` in the database if you turn it into a `&lt;` before output. If you escape and sanitize at multiple places you might even introduce new vulnerabilities. It's a bad idea to store sanitized data "just in case someone forgets filtering the output". – Arminius May 09 '17 at 09:03
  • Yes I do understand that, but I also think that the validity of the data is the explicit responsibility of the system that first receives the data from end-users. This is especially true when this data is then used in internal systems and the data has a clear purpose. In this instance it is about names and birthdates so data with clear text and numbers only restrictions. – Wealot May 09 '17 at 09:10
  • Yes, wrt. input validation of birthdates, etc. you're absolutely right. I was more concerned about, say, a comment box that has to prevent users from adding HTML tags. (Here it would be okay to store the literal comment text and sanitize when printing.) – Arminius May 09 '17 at 09:17
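The split the comments arrive at (allow-list validation for fields with a clear format such as names and birthdates, raw storage plus encoding at output for free text) can be shown in a few lines. The following is an added example, not code from the question or from either application; the field rules, the sample input and the stored-record shape are constructed assumptions.

```python
import html
import re
from datetime import date

# Constructed sample input: a name field carrying an HTML/JS payload.
RAW_NAME_INPUT = "O'Brien <script>alert(1)</script>"

# Assumed allow-list for a person's name: words made of letters (any script),
# joined by a single space, hyphen or apostrophe. Digits and markup are rejected.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")


def validate_name(value: str) -> bool:
    """Input validation for a field with a clear purpose: accept only plausible names."""
    return 1 <= len(value) <= 100 and NAME_RE.fullmatch(value) is not None


def validate_birthdate(value: str) -> bool:
    """Accept only ISO dates (YYYY-MM-DD) between 1900-01-01 and today."""
    try:
        d = date.fromisoformat(value)
    except ValueError:
        return False
    return date(1900, 1, 1) <= d <= date.today()


def store_record(name: str, birthdate: str) -> dict:
    """Validate at the system boundary; store the raw (unencoded) values."""
    if not validate_name(name):
        raise ValueError("name does not match the allowed format")
    if not validate_birthdate(birthdate):
        raise ValueError("birthdate is not a valid ISO date in range")
    return {"name": name, "birthdate": birthdate}


def render_field(stored: str) -> str:
    """Output encoding for an HTML text context: done once, at the point of output."""
    return html.escape(stored, quote=True)


if __name__ == "__main__":
    # The payload is rejected by validation, so it never reaches the database.
    print("valid name?", validate_name(RAW_NAME_INPUT))
    # A free-text field would be stored raw and is still safe when encoded on output.
    print(render_field(RAW_NAME_INPUT))
    # Encoding at storage *and* at output mangles legitimate data ("<" becomes "&amp;lt;").
    print(render_field(render_field("<")))
    print(store_record("Jean-Luc Picard", "1985-07-14"))
```

Note that `render_field(render_field("<"))` is the double-encoding case the first comment warns about: a system that "pre-sanitizes" on input and a consumer that correctly encodes on output together corrupt data, which is why validation and output encoding are kept as separate, single-purpose steps.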

1 Answer

2

The score would be 0.0. Since there is no immediate impact, the confidentiality, integrity and availability would be set to none, which would make the score 0.0.

Also, it is not necessarily a security issue that user input is saved as-is in the database. The important thing is that it is correctly encoded on output.

Sjoerd
  • So CVSS would only be calculated on immediate impact and not on possible impact? (and I do not agree with your last statement but I think we could have hours of discussion on that so we'll leave it :P) – Wealot May 09 '17 at 07:53