SI-10(6): Injection Prevention

Control Family:

System and Information Integrity

Parent Control:

SI-10: Information Input Validation

CSF v1.1 References:

PR.DS-6

Threats Addressed:

Tampering
Information Disclosure
Denial of Service
Elevation of Privilege

Baselines:

(Not part of any baseline)

Control is new to this version of the control set.

Control Statement

Prevent untrusted data injections.

Supplemental Guidance

Untrusted data injections may be prevented using a parameterized interface or output escaping (output encoding). Parameterized interfaces separate data from code so that injections of malicious or unintended data cannot change the semantics of commands being sent. Output escaping uses specified characters to inform the interpreter's parser whether data is trusted. Prevention of untrusted data injections are with respect to the information inputs defined by the organization in the base control (SI-10).

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5