Glossary
Input validation, also known as data validation, is the proper checking of any input supplied by a user or application before it is used. Input validation prevents improperly formed data from entering an information system. Because it is difficult to tell a malicious user who is trying to attack the software apart from a legitimate one, applications should check and validate all input that enters the system. Input validation should occur whenever data is received from an external party, especially when the data comes from untrusted sources. Incorrect input validation can lead to injection attacks, memory leakage, and compromised systems. Input validation can be based on either a whitelist or a blacklist, but whitelisting is preferable: a whitelist passes only data that matches what is expected, whereas a blacklist relies on programmers predicting every form of unexpected data in advance. As a result, mistakes are made more easily with blacklisting.
Want to know what happens when input validation goes wrong? Read about improper input handling.
An input validation attack occurs when an attacker deliberately enters malicious input with the intention of confusing an application and causing it to carry out some unplanned action. Malicious input can include code, scripts and commands which, if not validated correctly, can be used to exploit vulnerabilities. The most common input validation attacks are buffer overflows, cross-site scripting (XSS) and SQL injection. The OWASP Top 10 mentions input validation as a mitigation strategy for both SQL injection and XSS, but it should not be used as the primary method of preventing these attacks; if properly implemented, however, it can considerably lower their impact.
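The whitelist-versus-blacklist contrast above, and the point that validation supports rather than replaces the primary SQL injection defence, as an added example that is not part of this glossary entry. The username format, the blacklist fragments and the in-memory users table are all assumptions constructed for the demonstration.

```python
import re
import sqlite3

# Whitelist: accept only input that matches the shape a username is
# expected to have (assumed format: 3-16 letters, digits or underscores).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")


def validate_username_whitelist(value: str) -> bool:
    """Return True only if the whole value matches the expected pattern."""
    return USERNAME_RE.fullmatch(value) is not None


# Blacklist: reject a few fragments the programmer thought of. Anything
# not on the list passes, which is exactly why this approach is fragile.
BAD_FRAGMENTS = ("'", "--", "<script")


def validate_username_blacklist(value: str) -> bool:
    """Return True unless the value contains a listed fragment."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BAD_FRAGMENTS)


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def lookup_user(conn: sqlite3.Connection, username: str):
    """Validation reduces the attack surface; the parameterised query is the
    primary SQL injection defence, since user input never becomes SQL text."""
    if not validate_username_whitelist(username):
        raise ValueError("username rejected by input validation")
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None
```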