- Listen to our monthly AppSec Stats Flash podcast
- LEARN MORE
Glossary
Improper Input Handling is the term used to describe functions such as validation, sanitization, filtering, or encoding and/or decoding of input data. Improper Input Handling is a leading cause of critical vulnerabilities that exist in today’s systems and applications.
The root cause of Improper Input Handling is the application trusting rather than validating data inputs. One of the critical aspects of input handling is validating that the information satisfies specific criteria. All inputs should be considered untrusted as they can come from various mechanisms and be transferred in multiple formats.
For proper validation, it is essential to identify the form and type of data acceptable and expected by the application. This is required to define restrictions and avoid Improper Input Handling attacks accurately.
A common mistake most developers make is to include validation routines in the client-side of an application using JavaScript functions as a sole means to perform bounds checking. It is important to note that while client-side validation is excellent for UI and functional validation, it isn't a substitute for server-side validation. Performing validation on the server-side ensures the integrity of your validation controls. The server-side validation routine will always be effective irrespective of the state of JavaScript execution on the browser. A best practice would be to implement both Client-side and Server-side validation.