INSECURE METHOD PARAMETER

Feature      Value
Type         Protection
Risk         OWASP A1
Covered by   Agent

This risk is an injection that is specific to the application's own business logic. A method accepts an untrusted input and then performs an operation that is vulnerable to injection: for example, it builds a query for a custom storage system with its own query language, or it calls a separate backend that assumes every input it receives is already trusted. Because the sink is application-specific, a generic detector for SQL or command injection will not recognise it. With this analyzer the developer marks such a method with a custom mark; the agent then monitors the marked method and detects and protects against any untrusted data that reaches it.

How to solve it

Do not pass user-supplied values directly as parameters of the marked method. Validate the input against an allow-list (expected type, length and character set) or map it to a value the application controls, and build the parameter from that checked value, so that no untrusted data reaches the method unchanged.
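The following is an added example, not code from this page or from the agent it describes. It models the three situations above in Python: a toy backend with its own query language that trusts its caller, an untrusted value spliced straight into a query (the injection succeeds), the same value marked as untrusted at the trust boundary so that a monitored sink rejects it, and the fix, an allow-list check that builds a fresh, trusted parameter. The names Tainted, monitored_sink and LedgerStore, and the GET/DEL query language, are hypothetical stand-ins for the page's "custom mark" and "custom-type storage system".

```python
import functools
import re


class Tainted(str):
    """A string that came from an untrusted source, e.g. an HTTP parameter.
    Concatenation keeps the taint so it follows the data to the sink.
    (Hypothetical stand-in for the agent's own taint tracking.)"""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class InjectionBlocked(Exception):
    """Raised when tainted data reaches a monitored method."""


def monitored_sink(func):
    """Hypothetical stand-in for the page's custom mark: the decorated method
    is treated as an injection sink, and any Tainted argument is rejected
    before the method body runs."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        for value in (*args, *kwargs.values()):
            if isinstance(value, Tainted):
                raise InjectionBlocked(
                    f"untrusted data reached {func.__name__}: {str(value)!r}")
        return func(*args, **kwargs)
    return wrapper


class LedgerStore:
    """Toy backend with its own query language: commands 'GET <key>' and
    'DEL <key>', separated by ';'. Like the backends the page describes,
    it assumes every query it receives is trusted. Sample data is constructed."""

    def __init__(self):
        self.data = {"acct:1001": "42.00", "acct:1002": "17.50"}

    @monitored_sink
    def run(self, query):
        results = []
        for cmd in query.split(";"):
            op, _, key = cmd.strip().partition(" ")
            if op == "GET":
                results.append(self.data.get(key))
            elif op == "DEL":
                results.append("deleted" if self.data.pop(key, None) else None)
        return results


# Allow-list for the only shape an account id may have.
ACCOUNT_ID = re.compile(r"[0-9]{1,6}")


def balance_unmarked(store, account_id):
    """No trust boundary marking: the request value is spliced into the query
    and the backend executes whatever arrives, including injected commands."""
    return store.run("GET acct:" + account_id)


def balance_marked(store, account_id):
    """Same splice, but the value is marked Tainted at the trust boundary.
    The taint propagates through the concatenation into run(), so the
    monitored sink raises InjectionBlocked before anything executes."""
    return store.run("GET acct:" + Tainted(account_id))


def balance_validated(store, account_id):
    """The fix the page calls for: the untrusted value never becomes the
    parameter directly. It is checked against the allow-list and a fresh,
    untainted str is built from it before the sink is called."""
    if not ACCOUNT_ID.fullmatch(account_id):
        raise ValueError("account id must be 1-6 digits")
    clean = str(account_id)  # str() of a str subclass yields a plain str
    return store.run("GET acct:" + clean)


if __name__ == "__main__":
    attack = "1001; DEL acct:1002"   # constructed malicious input
    print(balance_unmarked(LedgerStore(), attack))  # injection succeeds
    try:
        balance_marked(LedgerStore(), attack)
    except InjectionBlocked as exc:
        print("blocked:", exc)
    print(balance_validated(LedgerStore(), "1001"))
```

The vulnerable path and the monitored path build exactly the same query string; the only difference is whether the untrusted value was marked when it crossed the trust boundary. The validated path is the one to ship: it does not rely on the monitor at all, because the parameter it passes is rebuilt from a value that matched the allow-list.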