Category:WASS Validate Inputs

Validate user inputs

User inputs are the lifeblood of any application, but they are also the vector for most attacks. Care must therefore be taken to validate all inputs and to restrict how they are used.

  1. The application must take steps to validate data by restricting inputs to expected characters only. Specifically…
    1. Any inputs that can be controlled by the user shall have no effect on the intended meaning of SQL or XML queries which utilize their values.
    2. The application will not pass to external systems any user-controlled inputs that have not been validated as free of unintended side effects.
    3. Where the application is “unmanaged” (i.e. not Java, .NET), inputs should be truncated at a necessary length so as not to cause buffer overflow vulnerabilities.
    4. Where users are able to upload files into the application, the files should be limited to necessary types (e.g. gif, jpeg, etc.), checked for malicious content (e.g. Trojans, viruses, etc.), and be non-executable (e.g. not ASP, EXE, etc.).
    5. Users should not be able to modify input values to see other users’ information, or to request resources that they would otherwise not have permission to access.
    6. The Content-Type HTTP header should be set to a single content type.
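
The following is an added example, not part of the original OWASP page, showing requirement 1 (restrict inputs to expected characters) and requirement 1.1 (inputs must not change the meaning of a SQL query) together. The table, the sample rows, the function names and the username allow-list pattern are all assumptions made for the illustration.

```python
import re
import sqlite3

# Allow-list for a username field: letters, digits, underscore, 3-32 chars.
# The pattern and the length limits are assumptions for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Reject anything outside the expected character set and length."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username has unexpected characters or length")
    return value


def make_db():
    """Build an in-memory table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concatenated(conn, username):
    """Weak form: the input becomes part of the SQL text itself."""
    sql = "SELECT username FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Corrected form: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup(conn, raw_username):
    """Validate against the allow-list first, then query with a bound value."""
    return lookup_parameterized(conn, validate_username(raw_username))


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    print(lookup_concatenated(db, crafted))   # query meaning changed
    print(lookup_parameterized(db, crafted))  # treated as a literal name
    print(lookup(db, "alice"))
```

The two controls are layered: the allow-list rejects unexpected input early, while the bound parameter keeps the query's meaning fixed even for fields where a strict allow-list is not practical.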
