Input Validation / HTTP Incoming Requests
An HTTP Incoming Requests vulnerability occurs in web and API applications when the data carried by incoming requests (parameters, headers, body, path segments) is not validated before use, so that malicious requests can be accepted and acted upon by the server. The weakness is catalogued in the Common Weakness Enumeration (CWE) directory as CWE-20 (Improper Input Validation) and is also referenced in the OWASP Testing Guide. Exploiting it can give an attacker a foothold in the application, allowing them to inject malicious code, extract data, or even delete the application's contents.
The risk of an HTTP Incoming Requests vulnerability is high. If not properly mitigated, an attacker can gain access to the application and its data, causing disruption, data manipulation, or even destruction.
The best way to mitigate an HTTP Incoming Requests vulnerability is to validate every incoming request on the server side before its data is used. Validation should include standard checks on each value: its data type, its permitted range, and its length. Additionally, it is important to check the data against a whitelist of accepted values (rejecting anything not on the list rather than trying to filter out known-bad input) and to properly encode any output so that data which has been accepted cannot be interpreted as code when it is rendered.
Below is an example of how validation can be used to mitigate the risk of an HTTP Incoming Request vulnerability. Note that request.getParameter() returns null when the parameter is absent, so the value is checked for null before the pattern test; String.matches() performs a full-string match, so the pattern is implicitly anchored and only values made up entirely of alphanumeric characters are accepted.

```java
// Reject the request unless the parameter is present and consists only of
// letters and digits.
String inputFieldValue = request.getParameter("inputField");
if (inputFieldValue == null || !inputFieldValue.matches("[A-Za-z0-9]*")) {
    throw new InvalidInputException();
}
```
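The following is an added example, not code from the original page, that carries the checks listed above (data type, range, length, whitelist, and output encoding) through for a small hypothetical request. To keep it runnable without a servlet container, it takes a Map shaped like the result of HttpServletRequest.getParameterMap() instead of a request object; the parameter names, limits and allowed values are assumptions chosen for the illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not from the original page): server-side validation of request
// parameters, applying the checks the text lists, plus HTML output encoding.
public class RequestValidator {

    public static final class InvalidInputException extends Exception {
        public InvalidInputException(String msg) { super(msg); }
    }

    // Hypothetical field rules for this example.
    // matches() is a full-string match, so the pattern is implicitly anchored and
    // the {3,32} quantifier enforces the length check.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9]{3,32}");
    private static final Set<String> ALLOWED_SORT = Set.of("name", "date", "size");

    // A parameter must be present exactly once; repeated parameters are rejected
    // so that a second copy cannot override the one that was validated.
    private static String single(Map<String, String[]> params, String name)
            throws InvalidInputException {
        String[] values = params.get(name);
        if (values == null || values.length != 1 || values[0] == null) {
            throw new InvalidInputException("parameter '" + name + "' missing or repeated");
        }
        return values[0];
    }

    // Length and character-set check (whitelist of characters).
    public static String validateUsername(Map<String, String[]> params)
            throws InvalidInputException {
        String v = single(params, "username");
        if (!USERNAME.matcher(v).matches()) {
            throw new InvalidInputException("username: only 3-32 alphanumeric characters allowed");
        }
        return v;
    }

    // Data-type check followed by a range check.
    public static int validatePageSize(Map<String, String[]> params)
            throws InvalidInputException {
        String v = single(params, "pageSize");
        int n;
        try {
            n = Integer.parseInt(v);
        } catch (NumberFormatException e) {
            throw new InvalidInputException("pageSize: not an integer");
        }
        if (n < 1 || n > 100) {
            throw new InvalidInputException("pageSize: out of range 1..100");
        }
        return n;
    }

    // Whitelist check against a fixed set of accepted values.
    public static String validateSort(Map<String, String[]> params)
            throws InvalidInputException {
        String v = single(params, "sort");
        if (!ALLOWED_SORT.contains(v)) {
            throw new InvalidInputException("sort: not an accepted value");
        }
        return v;
    }

    // Output encoding for an HTML context: even accepted data is encoded where it
    // is rendered, so that it is displayed as text rather than interpreted as markup.
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample parameter maps: one well-formed request, one that
        // fails every check.
        Map<String, String[]> good = new HashMap<>();
        good.put("username", new String[]{"alice42"});
        good.put("pageSize", new String[]{"25"});
        good.put("sort", new String[]{"date"});

        Map<String, String[]> bad = new HashMap<>();
        bad.put("username", new String[]{"<script>"});
        bad.put("pageSize", new String[]{"9999"});
        bad.put("sort", new String[]{"price"});

        for (Map<String, String[]> req : List.of(good, bad)) {
            try {
                String user = validateUsername(req);
                int size = validatePageSize(req);
                String sort = validateSort(req);
                System.out.println("accepted: " + htmlEncode(user) + ", " + size + ", " + sort);
            } catch (InvalidInputException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The first request is accepted; the second is rejected at the username check, and because validation stops at the first failure no further fields are inspected. Rejecting the whole request on any failed check, rather than sanitising the offending value and continuing, keeps the server's behaviour predictable and makes the rejection easy to log and alert on.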