Input Validation / Reliance on Untrusted Inputs in a Security Decision

Web and API


Reliance on Untrusted Inputs in a Security Decision is a weakness listed in the Common Weakness Enumeration (CWE) with the ID CWE-807. It belongs to the input validation family of weaknesses and occurs when an application uses externally supplied input (a request parameter, a hidden form field, a cookie, an HTTP header) to make a security decision such as whether a user is authenticated, which role they hold, or which records they may see. Because the client controls that input, an attacker can set it to whatever value produces the decision they want. The Open Web Application Security Project (OWASP) Testing Guide covers this under its authentication and authorization tests: an application is vulnerable when it does not validate the input and, more importantly, when it has no server-side source of truth for the decision other than what the client sent.


The risk is an incorrect security decision: an attacker is treated as authenticated, is granted a role they do not hold, or is allowed to reach another user's data. In practice this is an authentication or authorization bypass and, through it, a privilege escalation. If the bypassed decision protects an administrative function, the attacker gains whatever that function can do, which in some applications includes uploading or executing code on the server. If the application stores or transmits sensitive data, the outcome is a data breach.


The solution has two parts. First, validate any input before it reaches a security decision such as authentication or authorization: check that it arrives through the expected channel, has the expected data type and character set, and is within the expected length, and reject anything that does not conform. Second, and more important, do not let the client supply the decisive value at all. A user's identity and role belong in server-side state (the session created after a successful login, the server's user store), not in a parameter, cookie or hidden field that the browser can rewrite. Input validation keeps malformed data out; deriving the decision from server-controlled data is what removes the weakness.


In the following Java servlet code example, the application decides whether to grant access based solely on two request parameters. Nothing checks the parameters before they reach the decision, and the decision itself compares them against hard-coded values.

String userName = request.getParameter("username");
String password = request.getParameter("password");
// Both values come straight from the request and are used as-is.
// getParameter() returns null for an absent parameter, so the
// equals() call below also throws a NullPointerException in that case.
if (userName.equals("admin") && password.equals("admin")) {
  // Grant access
}

In this example, the application trusts the user-supplied values completely: the entire access decision rests on what arrived in the request. There is no check that the parameters are present (a missing one makes the code throw rather than deny), no check on their length or character set, and no lookup against a server-held credential store; the password is also hard-coded, so anyone who reads the source or guesses the pair is granted access. Any later decision that reuses these raw values, for example treating the request as administrative because the username was "admin", inherits the same problem.
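The following Java servlet code is an added example and is not code from the original page. It puts the two halves of the fix described above next to the weakness: a route that decides "is this user an admin" from a request parameter, and the hardened form that validates the login input, verifies it against server-held account data, and then stores the role in the session so later decisions never read it from the client. It assumes the javax.servlet API (jakarta.servlet on newer containers), a Map-backed user store, and a caller-supplied password verifier standing in for a real password hash such as bcrypt, scrypt or argon2; the attribute names "user" and "role" are illustrative choices.

```java
import java.util.Map;
import java.util.function.BiPredicate;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example; not code from the original page. Assumes the javax.servlet
// API, a Map-backed user store, and a caller-supplied password verifier.
public final class LoginDecision {

    // Shape checks applied before any input reaches a security decision:
    // expected character set and length for the username, a length cap for
    // the password so an oversized value cannot reach the hash function.
    private static final Pattern USERNAME = Pattern.compile("^[a-z0-9_.-]{3,32}$");
    private static final int MAX_PASSWORD_LENGTH = 256;

    static boolean validUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    static boolean validPassword(String s) {
        return s != null && !s.isEmpty() && s.length() <= MAX_PASSWORD_LENGTH;
    }

    // What the server's user store knows about an account (assumed shape).
    public record Account(String passwordHash, String role) {}

    // VULNERABLE (CWE-807): the authorization decision reads the role from
    // the request, so any client can send role=admin or set the same value
    // in a cookie or hidden form field.
    public static boolean isAdminVulnerable(HttpServletRequest request) {
        return "admin".equals(request.getParameter("role"));
    }

    // HARDENED: the role comes from server-side session state that login()
    // set only after the credentials were verified. The request cannot
    // supply it, and an unauthenticated request (no session) is denied.
    public static boolean isAdminHardened(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && "admin".equals(session.getAttribute("role"));
    }

    // Validate shape first, then verify against server-held data, then record
    // the outcome server-side. Returns true only for a fully verified login.
    public static boolean login(HttpServletRequest request,
                                Map<String, Account> accounts,
                                BiPredicate<String, String> passwordMatches) {
        String userName = request.getParameter("username");
        String password = request.getParameter("password");

        // Malformed or missing input never reaches the decision (and never
        // triggers the NullPointerException the unchecked version has).
        if (!validUsername(userName) || !validPassword(password)) {
            return false;
        }

        // The decision is made from the server's own records, not from the
        // request: unknown user and wrong password both yield one generic
        // failure so the response does not reveal which one it was.
        Account account = accounts.get(userName);
        if (account == null || !passwordMatches.test(password, account.passwordHash())) {
            return false;
        }

        // Privilege changed: issue a new session id (session fixation defence),
        // then store the role the server looked up, never anything the client sent.
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        session.setAttribute("user", userName);
        session.setAttribute("role", account.role());
        return true;
    }
}
```

Every later authorization check in the application should look like isAdminHardened(): it consults the session (or the user store) and ignores any role, user id or "isAdmin" value carried in the request. The validUsername() allowlist is deliberately narrow; widen it to match your real username policy rather than loosening it to "anything that is not empty", since the point of the check is to reject input that could not have come from a legitimate form.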
