
Data validation & encoding 3

A lack of input validation is often the root cause of many security issues. Since the validation needs to be context specific, generic sanitisation routines will not suffice, and the developer needs to understand how the data is formatted/composed, why the data is being sent, what it is used for and the meaning of the values. This input validation should ensure that:

- Only the permitted inputs (field/parameter names) are supplied.
- All the mandatory inputs are supplied.
- The values associated with each field/parameter name are of the expected format, type, range, length, etc.

NB: This card relates to generic input validation. See VE 4 for the similar additional context-specific checks.

How to play?

Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats.
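As an added example (not part of the Cornucopia card or the dotNET lab site), the checks described above applied to a hypothetical JSON request body: only permitted field names, all mandatory fields present, no duplicate keys, and every value checked for type, format, range and length. The "transfer" schema and its field names are constructed for illustration only.

```python
import json
import re

# Constructed schema for a hypothetical "transfer" request (not from the card).
# Each field: (required, expected type, value check). Unknown fields are rejected.
SCHEMA = {
    "account_id": (True, str, lambda v: re.fullmatch(r"[0-9]{8}", v) is not None),
    "amount": (True, int, lambda v: 1 <= v <= 1_000_000),
    "currency": (True, str, lambda v: v in {"EUR", "USD", "GBP"}),
    "note": (False, str, lambda v: len(v) <= 140 and re.fullmatch(r"[\w .,-]*", v) is not None),
}

def _reject_duplicates(pairs):
    """object_pairs_hook for json.loads: refuse objects that repeat a key.
    The default parser silently keeps the last value, so a second copy of a
    field would override the first one after validation looked at it."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate field: {key}")
        seen.add(key)
    return dict(pairs)

def validate_request(raw: str) -> tuple[bool, list[str]]:
    """Validate a JSON request body against SCHEMA.
    Returns (ok, errors); errors is empty when ok."""
    errors = []
    try:
        data = json.loads(raw, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError; so is the duplicate-key error
        return False, [f"malformed request: {exc}"]
    if not isinstance(data, dict):
        return False, ["request body must be a JSON object"]
    # 1. only the permitted field names are supplied
    for name in data:
        if name not in SCHEMA:
            errors.append(f"unexpected field: {name}")
    # 2. all mandatory fields are supplied
    for name, (required, _, _) in SCHEMA.items():
        if required and name not in data:
            errors.append(f"missing field: {name}")
    # 3. each supplied value has the expected type, format, range and length
    for name, (_, typ, check) in SCHEMA.items():
        if name not in data:
            continue
        value = data[name]
        # exact type match: bool is a subclass of int, so `true` must not pass as an amount
        if type(value) is not typ or not check(value):
            errors.append(f"invalid value for {name}")
    return not errors, errors
```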

Mappings

Owasp ASVS (4.0): 1.5.3, 5.1.1-5.1.4, 13.2.1, 14.1.2, 14.4.1

Capec: 28, 48, 126, 165, 213, 220, 221, 261, 262, 271, 272

Owasp SCP:

Owasp Appsensor: RE7-8, AE4-7, IE2-3, CIE1, CIE3-4, HT1-3

Safecode: 3, 16, 24, 35

ASVS (4.0) Cheat Sheet Series Index

ASVS V1.5 - Input and Output Architectural Requirements

ASVS V5.1 - Input Validation Requirements

ASVS V13.2 - RESTful Web Service Verification Requirements

ASVS V14.1 - Build

ASVS V14.4 - HTTP Security Headers Requirements

Attacks

SQL Injection

Command Injection

(Session) Data tampering


Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development.

OWASP Cornucopia

OWASP Cornucopia was originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, distribute the resulting work only under the same or a similar license. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.