Closed TmmmmmR closed 7 years ago
Hi Abdessamed,
if you look into the MASVS (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md#security-verification-requirements) you can see that these requirements address different things.
OMTG-CODE-005 is addressing 7.5 in the MASVS: 7.5 The app catches and handles possible exceptions.
OMTG-CODE-007 is addressing 7.7 in the MASVS: 7.7 No untrusted external input is concatenated into database queries or dynamically executed code.
We need both, as 7.5 is addressing proper error handling and 7.7 is addressing proper input validation in case the input is used within the App (SQL Injection in local SQLite database for example).
Makes sense to you?
Hello Sven,
I get your point, but my concern is "Exceptions Handling" can be used to Resolve "Input Validation" Issues.
Maybe we should talk about "Improper Exceptions Handling" ?
@TmmmmmR they are different things. Exception Handling does not guarantee that you don't have issues with Input Validation. You can have a vulnerability via user input that does not trigger an Exception. Doesn't make sense to join both.
@clviper : Yes that's it ! If a "user input that does not trigger an Exception" then the problem is in the "Exception" handling mechanism itself.
I think there is also an overlap between "OMTG-CODE-006: Verify that the App Fails Securely" and "OMTG-CODE-005: Test Exception Handling". Because improper exception handling may lead to a crash.
I think you are right, OMTG-CODE-006 and 005 address the same issue. The error/exception handling need to be done properly, if this is done the the App will also fail securely. Any objection to merge these two?
@TmmmmmR 007 is a test case on it's own. As @clviper already explained, even if you have proper exception handling, that does not mean that the input validation is according to best practices. If you look into the MASVS, test case 007 is also addressing the following:
"No untrusted external input is concatenated into database queries or dynamically executed code."
Therefore I would suggest to keep 007.
@sushi2k : yes we can merge OMTG-CODE-006 and 005 And about OMTG-CODE-007, My concern was that sometimes developer use Exception for input validation. But, since it's a bad practise to use exception to validate input (see : http://stackoverflow.com/questions/7304067/using-exceptions-to-validate-inputs) I agree to keep 007.
Thanks for your quick response. Then please merge it also in the MASVS, so MSTG and MASVS are still consistent.
This was already addressed by Bernhard in the MASVS, so will close it.
Hello,
I think there is an overlap between the following testcases :
OMTG-CODE-007: Test Input Validation OMTG-CODE-005: Test Exception Handling
I suggest that we keep only OMTG-CODE-005 because OMTG-CODE-007 may lead to other test cases (XSS or SQLi for example).
What do you think ?