Input Validation / Suspicious Input Transformation

Web and API

Description

Suspicious Input Transformation is an input validation weakness in web and API applications: an attacker alters the application's expected behaviour by submitting dangerous input that the application accepts and then uses. It is particularly dangerous because such input can let the attacker bypass the application's validation checks altogether.

Risk

An attacker could bypass security checks, gain access to sensitive data, or execute arbitrary code on the server.

Solution

The solution to this vulnerability is proper input validation: the application checks whether each user-supplied input is valid and rejects it if it is not. This can be done by validating inputs against a whitelist (allow-list) of acceptable values, or by using a library that provides input validation functionality.

Example

The following code is an example of a vulnerable application, taken from CVE-2020-7488. It is vulnerable to a suspicious input transformation attack because it reflects the user-provided input without validating it.

<textarea name="comment" value="<?php echo $_POST['comment']; ?>"></textarea>
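The following PHP is an added example, not code from the original page or from the affected product, showing the allow-list validation and output encoding that the Solution section describes applied to the snippet above. Only the field name "comment" and the textarea come from the page; the character allow-list, the 500-character limit and the handling of rejected input are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original page): validate the "comment" field
// against an allow-list of acceptable characters, reject anything else, and
// output-encode the validated value when reflecting it into the page.
// The allow-list and the 500-character limit are assumed values.

declare(strict_types=1);

/**
 * Return the validated comment, or null if the input must be rejected.
 *
 * Validation runs on the same form of the value that the application will
 * later use (here: after trim()). If the application ever decodes, strips or
 * otherwise transforms the value after this check, the check is applied to
 * the wrong thing and can be bypassed, so keep validation and use in step.
 */
function validate_comment(string $raw): ?string
{
    // Malformed UTF-8 is rejected outright; broken byte sequences are a
    // common way to slip past filters that only look at printable characters.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }

    $canonical = trim($raw);

    // Allow-list: 1..500 letters, digits, whitespace and basic punctuation.
    // Input outside the allow-list is rejected, not "cleaned up": repairing
    // input is itself a transformation an attacker can reason about.
    if (!preg_match('/\A[\p{L}\p{N} \r\n.,!?\'()-]{1,500}\z/u', $canonical)) {
        return null;
    }

    return $canonical;
}

/** Encode a validated value for insertion into HTML text content. */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern from the page: the raw POST value is echoed straight
// into the markup, with neither validation nor encoding.
//
//   <textarea name="comment" value="<?php echo $_POST['comment']; ?>"></textarea>
//
// Hardened handling: validate first, reject on failure, encode on output.
$comment = validate_comment((string) ($_POST['comment'] ?? ''));
if ($comment === null) {
    http_response_code(400);
    exit('Invalid comment');
}
?>
<textarea name="comment"><?= html_encode($comment) ?></textarea>
```

Two design points are worth noting. First, the check is an allow-list of what is acceptable rather than a deny-list of known-bad strings, so input the developer did not anticipate fails closed. Second, validation does not replace output encoding: even a value that passed the allow-list is passed through htmlspecialchars() before it is written into the HTML, because validation and encoding defend against different mistakes.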
