Input Validation / Improper Input Validation
Description
Improper input validation is a vulnerability in an application or system that accepts data without verifying or filtering it, which can result in malicious commands being executed or sensitive data being disclosed. This vulnerability is categorized in the CWE directory as CWE-20 and was added to the OWASP Top 10 in 2017. Improper input validation is most commonly found in web and API applications, where user input reaches the application without any validation or sanitization checks.
Risk
The risk associated with improper input validation is that unauthorized commands can be executed on the application or system, malicious code can be injected, sensitive data can be exposed, or other malicious activity can occur. This can lead to data loss, service interruption, or worse. It is important to note that the severity of this vulnerability depends on the type of data being input and on the application or system that processes it.
Solution
The best way to mitigate the risk of improper input validation is to validate and sanitize all user input. This means checking that the data meets the required criteria and removing or escaping anything potentially malicious. Additionally, an input validation policy should be in place to ensure that all user input is validated consistently.
Example
The following code is a simple example of how improper input validation can be exploited.
<?php
// Read the query-string parameter without any validation
$input = $_GET['input'];
// Reflect it straight into the response, with no output encoding
echo $input;
?>
In this example, the application outputs the user input without any validation or sanitization checks. This means that if an attacker were to submit malicious code, such as HTML or JavaScript, it would be reflected into the page and executed by the victim's browser without any checks being done.
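The following is an added example, not part of the original page, showing the same echo of $_GET['input'] hardened with both controls the Solution section describes: validation against an expected format, then output encoding for the HTML context. The function names and the assumption that "input" should be a short identifier are this example's own choices.

```php
<?php
// Added example (not from the original page): validate, then encode.
declare(strict_types=1);

// Validation: accept only what the application actually needs. The
// assumption here is that "input" must be a short alphanumeric identifier.
function validateIdentifier(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Allow-list check: 1-32 characters of letters, digits, underscore or hyphen.
    // Anything else (including "<", ">", quotes) is rejected outright.
    if (preg_match('/^[A-Za-z0-9_-]{1,32}$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Sanitization for output: encode for the HTML context so that the value is
// rendered as text, never interpreted as markup or script. This is the control
// to rely on for free-text fields that cannot be allow-listed.
function escapeHtml(string $value): string
{
    // htmlspecialchars('<script>') returns '&lt;script&gt;'
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$input = validateIdentifier($_GET['input'] ?? null);

if ($input === null) {
    // Reject invalid input instead of trying to "clean" it.
    http_response_code(400);
    echo 'Invalid input.';
    exit;
}

// Validation and output encoding are separate controls; apply both.
echo escapeHtml($input);
?>
```

Validation limits what the application accepts; encoding protects the output context even when validation has to be permissive.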