Improper Input Validation

Description

Improper input validation is a vulnerability where an application fails to properly validate user input, allowing attackers to inject malicious code or manipulate the system. This can lead to security breaches, such as SQL injection or cross-site scripting (XSS) attacks. Mitigation involves implementing robust input validation techniques, such as whitelisting acceptable inputs and using parameterized queries to prevent malicious input from compromising the system's integrity.

Remediation

Implement server-side input validation, including whitelisting expected input formats or using parameterized queries to handle user-supplied data. Avoid relying solely on client-side validation, and ensure that any data displayed back to the user is properly sanitized or encoded. Consider using frameworks and libraries that facilitate secure data handling and input validation. Regularly test or scan your code for injection vulnerabilities, and adopt secure coding practices, including peer code reviews and periodic security audits, to detect and remediate improper input handling.
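The remediation above, as an added example that is not part of this entry: a lookup that concatenates user input into SQL next to its hardened form, which allowlists the expected username format, binds the value as a query parameter, and HTML-encodes data before echoing it back. The schema, sample rows and function names are constructed for illustration.

```python
import html
import re
import sqlite3

# Constructed sample schema and data; an in-memory database keeps the example offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

# Allowlist: lowercase letter followed by 2-31 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")

def validate_username(value):
    """Server-side allowlist check; rejects anything outside the expected format."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value

def lookup_unsafe(conn, username):
    """Vulnerable pattern: user input is spliced into the SQL text itself."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    """Hardened pattern: validate first, then pass the value as a bound parameter
    so the database never interprets it as SQL."""
    username = validate_username(username)
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]

def render_greeting(username):
    """Output encoding: escape the value before placing it in an HTML context."""
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))        # ['alice@example.com']
    print(render_greeting("<b>alice</b>"))  # <p>Hello, &lt;b&gt;alice&lt;/b&gt;</p>
```

With the concatenating version, a value containing a quote changes the query's meaning; with the bound version the same value is either rejected by the allowlist or compared literally and matches nothing.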

References

https://owasp.org/Top10/A03_2021-Injection/
https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html

Severity

MEDIUM

Owasp

Code: A03:2021

Category: Injection

Classification

CWE-20
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4