Input validation problems represent a contributing factor in about half of the non-design security flaws. The basic problem is that an attacker provides input that the programmer did not check. The result is that the attacker is able to make the software do something unexpected (and useful for the attacker). The following OWASP Top 10 problems have input validation as at least a part of the problem: A1: Injection, A3: Cross-Site Scripting (XSS), A4: Insecure Direct Object References, and A10: Unvalidated Redirects and Forwards. On the Top 25 list, items 1–4, 10, and 13 all have input validation as at least a part of the problem. In particular, item 10 is CWE-807, Reliance on Untrusted Inputs in a Security Decision, and item 13 is CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). CWE-20 is Improper Input Validation. CWE-602 is Client-Side Enforcement of Server-Side Security.
Consequences of poor input validation can be substantial. Examples of problems that can arise include:
- Crashing the program, denial of service (CVE-2008-1737, CVE-2007-5893).
- Command injection (CWE-77). Input validation is not sufficient to stop injection attacks, but it should be your first line of defense.
- SQL injection (CWE-89) (CVE-2008-2223, CVE-2006-5525). Again, input validation is not sufficient to stop injection attacks, but it should be your first line of defense.
- Cross-site scripting (CWE-79) (CVE-2008-0971). Similarly, input validation is not sufficient to stop cross-site scripting attacks, but it should be your first line of defense.
- Privilege escalation (CVE-2008-3494, CVE-2008-3174).
- Buffer overflow attacks (CWE-120) (thousands of examples).
The CVE references are only examples and are far from a complete list. What this really means is that almost any bad outcome you can imagine can result from poor input validation.
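The SQL injection item above says validation is a first line of defense but not sufficient on its own. The following added example (not from the original text) shows why: a surname allowlist must accept the apostrophe in `O'Brien`, so a value that passes validation is still parsed as SQL syntax when concatenated, while parameter binding treats it as data. The table, field policy and function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Allowlist for a surname field (assumed policy): starts with a letter, then
# letters, spaces, hyphens or apostrophes, at most 40 characters in total.
# The apostrophe has to be allowed for legitimate names such as O'Brien.
SURNAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,39}")


def validate_surname(value):
    """Return value unchanged if it matches the allowlist, else raise ValueError."""
    if not isinstance(value, str) or not SURNAME_RE.fullmatch(value):
        raise ValueError("surname rejected by input validation")
    return value


def make_db():
    """Build an in-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT)")
    db.executemany("INSERT INTO customers (surname) VALUES (?)",
                   [("O'Brien",), ("Smith",), ("Garcia",)])
    return db


def lookup_concatenated(db, surname):
    """Validation only: the value is pasted into the SQL text (the weak form)."""
    validate_surname(surname)
    sql = "SELECT id FROM customers WHERE surname = '" + surname + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, surname):
    """Validation plus parameter binding: the value is never parsed as SQL."""
    validate_surname(surname)
    sql = "SELECT id FROM customers WHERE surname = ?"
    return [row[0] for row in db.execute(sql, (surname,))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_parameterized(db, "O'Brien"))       # bound as data
    try:
        lookup_concatenated(db, "O'Brien")           # same valid input
    except sqlite3.OperationalError as exc:
        print("concatenated query broke:", exc)
```

Validation still earns its place here: it rejects values outside the field's expected shape before they reach any query, and the bound parameter handles whatever the allowlist has to let through.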