Back to overview

Data validation & encoding j

Validation and encoding are sometimes undertaken in client applications or external sources that interact with the system. This is a bad practice, as external sources are usually more vulnerable to attacks, can be spoofed and are generally less accountable for malicious behaviour. An attacker can try to bypass these routines using non-controlled unexpected behaviour:

Modifying/deleting code. Generating unexpected handcrafted requests. Use an automated exploring tool (web crawler) to get information about the file structure and then try to access well known resource locations. Abusing an ill-defined zone of trust. Modifying data between the client application and the server (e.g. Trojan, modification in transit) XSS. In general, all validation and encoding routines should be on the server-side using robust, tested and protected routines.

NB: Unlike other cards in this suit, this VE J relates to an attacker being able to change the executing code. This may be due to inadequate source code control, deployment controls or server protection, but is more often a standard feature of client-side code.

How to play?

Dennis has control over input validation, output validation or output encoding code or routines so they can be bypassed


Owasp ASVS (4.0): 1.5.3

Capec: 87 ,207 ,554

Owasp SCP: 1,17

Owasp Appsensor: RE3,RE4

Safecode: 2,17

ASVS (4.0) Cheatsheetseries Index

ASVS V1.5 - Input and Output Architectural Requirements


SQL Injection

Cross-Site Scripting (XSS)

Command Injection

(Session) Data tampering

File Upload Vulnerabilities

Loading comments 0%

Github logo View source on GitHub

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.