Bug #74
Status: closed
Parent: Feature #65: Security Audit
[Security Audit] 9- Improper Input Validation
Description
9- Improper Input Validation
CWE : CWE-20
Description :
The product receives input or data, but it does not validate or incorrectly validates that
the input has the properties that are required to process the data safely and correctly.
Affected Path(s) :
https://earogya.satragroup.in/configuration/all_master (applicable to the entire
application)
Impact :
When software does not validate input properly, an attacker can craft input in a form
that the rest of the application does not expect. Parts of the system then receive
unintended input, which may result in altered control flow, arbitrary control of a
resource, or arbitrary code execution.
Recommendation :
Assume all inputs are malicious.
Use an "accept known good" input validation strategy, i.e. use a list of acceptable
inputs that strictly conform to specifications. Reject any input that does not
strictly conform to specifications, or transform it into something that does. When
performing input validation, consider all potentially relevant properties, including
length, type of input, the full range of acceptable values, missing or extra inputs,
syntax, consistency across related fields, and conformance to business rules.
Perform the validation on the server side, since client-side checks can be bypassed.
Because the proof of concept shows script payloads being accepted, pair validation
with context-aware output encoding wherever stored values are rendered; input
validation on its own is not a complete defence against injection.
Evidence/Proof Of Concept :
Step 1: Inject script payloads into the input fields and click the Submit button. It is
observed that the submission is accepted and the details are updated successfully, i.e.
the script payload is stored without being rejected.