Insufficient Input Validation
Description
Performing input validation to test the correctness and benignness of user input is crucial to maintaining user experience and application security.
Unfortunately, if developers cut corners or are simply unaware of pertinent best practices, they may end up deploying insufficient validation on the backend, which a) is shoddy programming and b) opens the door to potential compromise by placing trust outside of the server. Let’s say, for example, that the insufficient server-side validation means users can alter the data and code flow of client-side pages and scripts as they like… well, ‘how they like’ is not a phrase you want present in your risk management framework.
Impact
Despite there being readily available, well-articulated, and up-to-date guidelines on how to adequately implement backend validation controls, this vulnerability crops up everywhere, with impacts ranging from mere cosmetic alterations eliciting free articles to far more severe authentication bypasses, resulting in hundreds of millions of dollars worth of losses - $170 million, in this case, to be exact.
Prevention
Authoritative server-side validation checks must be enforced for all input.
In environments comprising client-side check functions, well, ‘client-side’ has no place in security.
In web applications, JavaScript code can be used to repeat the authoritative checks on the client, but solely for the purpose of notifying the user without having to contact the server during a preliminary phase, e.g., form validation.
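The following sketch is an added example, not code from the original page: a service-layer validator in JavaScript (Node.js) that re-checks every field on the server, rejects fields it does not expect, and derives the order total from server-held data instead of the request. The names `CATALOGUE`, `RULES`, `validateOrder` and `placeOrder`, and the sample prices, are hypothetical.

```javascript
// Added example: authoritative validation in a trusted service layer.
// CATALOGUE, RULES, validateOrder and placeOrder are hypothetical names.
const CATALOGUE = { "sku-100": 1999, "sku-200": 4999 }; // constructed prices, in cents
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const RULES = {
  sku:      v => typeof v === "string" && has(CATALOGUE, v),
  quantity: v => Number.isInteger(v) && v >= 1 && v <= 10,
  email:    v => typeof v === "string" && v.length <= 254 &&
                 /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
};

// Returns a list of errors; an empty list means the input is acceptable.
function validateOrder(input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    return ["body must be an object"];
  }
  const errors = [];
  for (const key of Object.keys(input)) {
    if (!has(RULES, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, check] of Object.entries(RULES)) {
    if (!has(input, key)) errors.push(`missing field: ${key}`);
    else if (!check(input[key])) errors.push(`invalid field: ${key}`);
  }
  return errors;
}

// Service-layer entry point: runs on the server for every request,
// whether or not the browser already ran the same checks.
function placeOrder(rawBody) {
  let input;
  try { input = JSON.parse(rawBody); }
  catch { return { status: 400, errors: ["body is not valid JSON"] }; }
  const errors = validateOrder(input);
  if (errors.length > 0) return { status: 400, errors };
  // The total is derived from server-held data, never from the request.
  const total = CATALOGUE[input.sku] * input.quantity;
  return { status: 201, order: { sku: input.sku, quantity: input.quantity, total } };
}
```

The same `RULES` can be shipped to the browser to give the user early feedback, but only the result of `placeOrder` on the server decides whether the request is accepted.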
Testing
Verify that input validation is enforced on a trusted service layer.
- OWASP ASVS: 1.5.3
- OWASP Testing Guide: Input Validation Testing