Input Validation / Input Returned in Response

Web and API

Description

Input returned in response is a weakness in web and API applications that occurs when user input is returned in the response to a web or API request without first being validated or filtered. This weakness is classified under CWE-20, Improper Input Validation. It can be identified by testing for the presence of user-controlled data in the response of a web or API request.

Risk

The risk of this weakness is that user-controlled data is returned in the application's response, potentially allowing an attacker to inject content of their choosing into what a client receives. If that data is then interpreted by a browser or another downstream system, the result can be cross-site scripting (XSS), SQL injection, or other attacks.

Solution

The most effective solution to this weakness is to validate all user input before the application accepts and uses it. This validation should check length, type, and format, preferably against an allowlist of expected values. Additionally, context-appropriate output encoding should be applied so that user-controlled data cannot be interpreted as markup or code when it is returned in the response.
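As an added illustration (example code, not part of the original page), the following shows a search handler that reflects the user's query into an HTML response, first in a vulnerable form and then in a hardened form that applies the validation (type, length, format) and output-encoding steps described above. The function names, the allowlist pattern and the length limit are assumptions chosen for the example.

```python
import html
import re

# Constructed limits for the example: a search term may be at most 64 characters
# and may only contain letters, digits, spaces and a few punctuation marks.
MAX_QUERY_LEN = 64
QUERY_PATTERN = re.compile(r"^[A-Za-z0-9 ._'-]+$")


def render_search_unsafe(query):
    """Vulnerable: user input is placed in the response with no validation or encoding."""
    return "<p>Results for: " + query + "</p>"


def validate_query(query):
    """Check type, length and format of the input; raise ValueError on any failure."""
    if not isinstance(query, str):
        raise ValueError("query must be a string")
    if len(query) > MAX_QUERY_LEN:
        raise ValueError("query too long")
    if not QUERY_PATTERN.fullmatch(query):
        raise ValueError("query contains disallowed characters")
    return query


def render_search_safe(query):
    """Hardened: validate on input, then HTML-encode before the value reaches the response.

    Encoding is applied even after validation so the handler stays safe if the
    allowlist is later relaxed (defence in depth): the apostrophe allowed above
    is still encoded rather than reflected verbatim.
    """
    clean = validate_query(query)
    # quote=True also encodes " and ', so the value is safe inside attributes too.
    return "<p>Results for: " + html.escape(clean, quote=True) + "</p>"


def render_search(query):
    """Handler entry point: reject bad input with a fixed message instead of reflecting it."""
    try:
        return render_search_safe(query)
    except ValueError:
        # Never echo the rejected value back; a generic message leaks nothing.
        return "<p>Invalid search query.</p>"


if __name__ == "__main__":
    print(render_search_unsafe("<script>alert(1)</script>"))  # reflected as-is
    print(render_search("<script>alert(1)</script>"))         # rejected by validation
    print(render_search("O'Brien"))                           # accepted, then encoded
```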
