AppSec Blog

Top 25 Series - Rank 14 - Improper Validation of Array Index

Improper Validation of Array Index (CWE-129) is a flaw related to improper use of user input. Most programming languages have support for array structures. Objects within the array can be indexed by a numeric value, such as [0], which points to the first object in the array, or [5], which points to the 6th object in the array.

When a program allows user input to control the array index, directly or even indirectly, there is a chance of the array index going out of bounds. For example:

value = array[UserInput]    //UserInput is a value put in by user

If the UserInput value in the example isn't checked first, it can easily be out of bounds. What if the value isn't a number at all? What if the number is negative? What if the number is bigger than the size of the array?

The array index must be validated before use, just like any other user input; this is simply one part of effective input validation. Using an improperly validated array index can lead to data integrity issues, program crashes, unexpected access to data and, in some cases, even buffer overflow.

Server-side validation is the solution to this vulnerability, but it's easier said than done. Developers must be trained to be aware of these problems, and validation should be planned carefully.
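
The three questions above (not a number, negative, bigger than the array) answered in C, as an added example that is not code from the original post. The prices array, the status names and the functions parse_index and lookup_price are hypothetical, made up for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed sample data standing in for the post's "array". */
static const int prices[] = { 10, 20, 30, 40, 50 };
#define PRICES_LEN (sizeof prices / sizeof prices[0])

/* Result codes; names are hypothetical, chosen for this example. */
enum lookup_status { LOOKUP_OK, ERR_NOT_NUMBER, ERR_NEGATIVE, ERR_TOO_LARGE };

/* Turn untrusted text into an index that is proven to be inside
 * [0, len) before it is ever used as a subscript. */
enum lookup_status parse_index(const char *user_input, size_t len, size_t *out)
{
    char *end;
    long long n;
    if (user_input == NULL)
        return ERR_NOT_NUMBER;
    errno = 0;
    n = strtoll(user_input, &end, 10);
    if (end == user_input || *end != '\0')  /* "", "abc", "3x", "1.5" */
        return ERR_NOT_NUMBER;
    if (errno == ERANGE)                    /* does not fit in long long */
        return n < 0 ? ERR_NEGATIVE : ERR_TOO_LARGE;
    if (n < 0)                              /* checked while still signed */
        return ERR_NEGATIVE;
    if ((unsigned long long)n >= len)       /* index == len is already out */
        return ERR_TOO_LARGE;
    *out = (size_t)n;
    return LOOKUP_OK;
}

/* The array is only touched after parse_index() has accepted the input. */
enum lookup_status lookup_price(const char *user_input, int *value)
{
    size_t idx;
    enum lookup_status st = parse_index(user_input, PRICES_LEN, &idx);
    if (st == LOOKUP_OK)
        *value = prices[idx];
    return st;
}

int main(void)
{
    int v = 0;
    /* Constructed input: 7 is past the end of a 5-element array. */
    return lookup_price("7", &v) == ERR_TOO_LARGE ? 0 : 1;
}
```

strtoll() accepts leading whitespace and a leading sign, so " 3" and "+3" pass as 3; reject those characters up front if the input format should be digits only.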
