This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Cornucopia - Ecommerce Website - VE 3

Revision as of 14:08, 21 January 2016 by Dariodf (talk | contribs) (Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE 3</span>}} File:Cornucopia_-_Ecommerce_Website_VE_3....")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Cornucopia - Ecommerce Website VE 3.png

Suit: Data Validation and Encoding

Card/Value: 3


Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats.

Technical Note:

A lack of input validation is often the root cause of many security issues. Since the validation needs to be context specific, generic sanitisation routines will not suffice and the developer needs to understand how data are formatted/composed, why the data is being sent, what it is used for and the meaning of the values. This input validation should ensure that

  • Only the permitted inputs (field/parameter names) are supplied.
  • All the mandatory inputs are supplied.
  • The values associated with the field/parameter name are of the expected format, type, range, length, etc.

NB: This card relates to generic input validation. See VE 4 for the similar additional context-specific checks.


8 5.4 RE7 28 3
9 5.18 RE8 48 16
11 11.2 AE4 126 24
12 11.3 AE7 165 35
13 11.6 IE2 213
14 IE3 220
16 CIE1 221
159 CIE3 257
190 CIE4 261
191 HT1 271
HT2 272

« Previous Card | Data Validation and Encoding | Next Card »