Input Validation / Input Returned in Response
Description
Input returned in response is a vulnerability in web and API applications that occurs when user-supplied input is reflected in the response to a web or API request without first being validated. This vulnerability is classified under CWE-20, Improper Input Validation, and is part of the OWASP Top 10 most critical web application security risks. It can be identified by testing whether user-controlled data sent in a request reappears in the response to that request.
Risk
Because user-controlled data is returned in the response of the application, an attacker may be able to inject malicious code into that response or gain access to sensitive data. This can lead to cross-site scripting (XSS) attacks, SQL injection attacks, and other malicious activities.
Solution
The most effective solution to this vulnerability is to validate all user input before it is accepted and used by the application. This validation should include checks for length, type, and format. Additionally, output encoding should be used to ensure that user-controlled data is properly encoded before it is returned in the response.
Example
The following example shows a web application vulnerable to this type of attack.
<?php
// vulnerable code: the query parameter is echoed into the HTML response unchanged
$name = $_GET['name'];
echo "Hello $name!";
In this example, the application directly echoes user input without validating or encoding it first. This could allow an attacker to inject malicious code into the response.
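As an added example (not part of the original entry), the same greeting rewritten with the two controls from the Solution section: input is validated for length and format and rejected if it fails, and whatever is returned is HTML-encoded. The allow-list pattern and the 40-character limit are assumptions chosen for this example; real rules depend on the field.

```php
<?php
// Added example, not from the original entry: the vulnerable greeting
// hardened with validation followed by output encoding.
declare(strict_types=1);

// Validate: bounded length plus a conservative allow-list of characters
// (letters, spaces, apostrophes, hyphens). Assumed rules for this example.
function validate_name(string $name): bool
{
    $len = strlen($name);
    if ($len < 1 || $len > 40) {
        return false;
    }
    return preg_match('/\A[\p{L} \'-]+\z/u', $name) === 1;
}

// Encode for an HTML text context so a reflected value can only ever be text.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened replacement for: echo "Hello $name!";
// Returns the response body instead of printing it so it is easy to inspect.
function render_greeting(string $name): string
{
    if (!validate_name($name)) {
        // Reject rather than "clean up": record the event server-side and
        // return a fixed message that does not reflect the rejected input.
        error_log('rejected invalid name parameter');
        return 'Hello guest!';
    }
    return 'Hello ' . html_encode($name) . '!';
}

// In the request handler this replaces the original echo:
//   echo render_greeting((string)($_GET['name'] ?? ''));

// Constructed sample inputs: a plain name, a name containing an apostrophe,
// and a script tag of the kind a scanner sends to probe for reflection.
$samples = ['Ada', "O'Brien", '<script>alert(1)</script>'];
foreach ($samples as $s) {
    echo render_greeting($s), PHP_EOL;
}
```

The first two inputs pass validation and are encoded (the apostrophe becomes an entity), while the third fails the allow-list and is never reflected.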