This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Cornucopia - Ecommerce Website - VE 7

Revision as of 15:56, 21 January 2016 by Dariodf (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Cornucopia - Ecommerce Website VE 7.png

Suit: Data Validation and Encoding

Card/Value: 7


Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed.

Technical Note:

Without knowing the character encoding accurately, data validation routines could be inadequate. A web application firewall, a web server, an application server, a database server, and other interpreters could each be susceptible, and susceptible in different ways, to malicious character encoding issues.

Common protection techniques include:

  • Specify proper character sets, such as UTF-8, for all sources of input.
  • Encode data to a common character set before validating (Canonicalize).
  • Use system components that support UTF-8 extended character sets and validate data after UTF-8 decoding is completed.

NB: The key concept for this card is encoding.


4 5.4 IE2 28 3
5 5.8 IE3 153 16
7 10.9 EE1 165 24
150 EE2

« Previous Card | Data Validation and Encoding | Next Card »