Back to overview

Data validation & encoding 7

Without knowing the character encoding accurately, data validation routines could be inadequate. A web application firewall, a web server, an application server, a database server, and other interpreters could each be susceptible, and susceptible in different ways, to malicious character encoding issues.

Common protection techniques include:

Specify proper character sets, such as UTF-8, for all sources of input. Encode data to a common character set before validating (Canonicalize). Use system components that support UTF-8 extended character sets and validate data after UTF-8 decoding is completed. NB: The key concept for this card is encoding.

How to play?

Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed


Owasp ASVS (4.0): 1.5.3 ,13.2.2 ,13.2.5

Capec: 28 ,153 ,165

Owasp SCP: 4,5,7,150

Owasp Appsensor: IE2-3,EE1-2

Safecode: 3,16,24

ASVS (4.0) Cheatsheetseries Index

ASVS V1.5 - Input and Output Architectural Requirements

ASVS V13.2 - RESTful Web Service Verification Requirements


SQL Injection

Cross-Site Scripting (XSS)

Command Injection

Buffer Overflow

Loading comments 0%

Github logo View source on GitHub

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.