Input Validation / No Plausibility Check
A missing plausibility check, also described as missing input validation, is a vulnerability that occurs in web and API applications. It arises when application inputs are not verified and validated before the application uses them. Attackers can then supply malicious input to the application and gain access to sensitive information or manipulate application data. In the CWE directory this weakness is catalogued as CWE-20: Improper Input Validation. The OWASP Testing Guide also provides detailed guidance on testing for this type of vulnerability.
A missing plausibility check is a high-risk vulnerability, as it can allow malicious actors to gain access to sensitive information, manipulate application data, or hijack user accounts. Attackers can also use it to perform cross-site scripting attacks, SQL injection attacks, or other more advanced attacks against a system.
One way to mitigate this vulnerability is to ensure that all user input is validated and sanitized before being used by the application. Additionally, it is important to deploy a Web Application Firewall (WAF) to further protect against malicious inputs.
The following code is an example of a vulnerable web application that does not perform input validation, taken from the CVE directory.
```php
<?php
// vulnerable code: the POSTed value is echoed straight into the page
// with neither validation nor output encoding (reflected XSS)
$name = $_POST['name'];
echo $name;
?>
```
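The hardened counterpart of that snippet, as an added example that is not part of the original page: the `name` parameter is checked against an assumed allowlist (1 to 64 Unicode letters, marks, spaces, apostrophes or hyphens) before use, and the accepted value is still HTML-encoded on output, since validation and output encoding are separate controls.

```php
<?php
// Added example, not from the original page. The allowlist rule below is an
// assumption chosen for a display name; adjust it to the field's real format.
declare(strict_types=1);

function validateName(mixed $raw): ?string
{
    // Reject missing values and arrays (PHP builds arrays from name[]=...).
    if (!is_string($raw)) {
        return null;
    }
    $name = trim($raw);
    // Allowlist check: length bound plus a strict character class.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match("/^[\p{L}\p{M}' -]+$/u", $name)) {
        return null;
    }
    return $name;
}

// Output encoding is independent of validation: even an accepted value is
// escaped for the HTML context it is written into.
function renderGreeting(?string $name): string
{
    if ($name === null) {
        http_response_code(400);
        return 'Invalid name';
    }
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST['name'].
$samples = [
    "Ada Lovelace",              // accepted
    "O'Brien",                   // accepted, apostrophe is encoded on output
    "<script>alert(1)</script>", // rejected by the allowlist
    str_repeat('a', 65),         // rejected by the length bound
    ['x'],                       // rejected: not a string
];
foreach ($samples as $sample) {
    echo renderGreeting(validateName($sample)), PHP_EOL;
}
```

In a real handler the validated value replaces the raw `$_POST['name']` read, and the 400 response stops processing of rejected input.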