Skip to content

Improper Input Validation Injection

Description

Improper input validation can lead to XSS vulnerabilities and other security issues. XSS (Cross-site scripting) is an attack where malicious code (eg. JavaScript) is injected into the application and executed.

Remediation

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

To effectively prevent XSS vulnerabilities, use a combination of the following measures:

  • Filter user input on arrival as strictly as possible, based on what you expect as legitimate input.
  • Encode user-controllable data as soons as it is outputted in HTTP reponses to prevent it from being interpreted as active content (ie. code). Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
  • Use the right headers to ensure that browsers interpret the responses the way you intended. For example, to prevent XSS in HTTP responses that are not supposed to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers.
  • Use Content Security Policy (CSP) to reduce the severity of any XSS vulnerability that still occurs.

GraphQL Specific

Apollo To mitigate the risk of injection vulnerabilities in the Apollo framework engine, ensure that all user-supplied input is properly validated and sanitized before processing. Utilize built-in security features such as parameterized queries or prepared statements to handle user input. Additionally, implement input validation checks to reject any suspicious or malformed data. Regularly update the Apollo framework to incorporate the latest security patches and follow best practices for secure coding.
Yoga To prevent improper input validation injection in the Yoga framework engine, ensure that all user-supplied input is validated, sanitized, and encoded before processing. Utilize built-in functions for input validation, employ whitelisting techniques to allow only permitted values, and leverage context-specific output encoding to mitigate injection risks. Additionally, consider implementing a Content Security Policy (CSP) to reduce the impact of any successful injection attacks.
Awsappsync To mitigate the risk of injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is properly validated and sanitized. Use AWS AppSync's built-in VTL (Velocity Template Language) resolvers to parameterize inputs and avoid direct execution of raw input strings. Additionally, implement strict type checking and input validation within your GraphQL schema to further restrict the format and type of data accepted by your API endpoints.
Graphqlgo To mitigate the risk of injection attacks in a GraphQL Go framework, ensure that all user-supplied input is properly validated and sanitized. Use prepared statements with variable binding for all database queries to prevent injection. Additionally, employ a robust input validation library to enforce strong input types and patterns, and consider using GraphQL-specific validation tools to analyze and sanitize query structures. Regularly review and update your validation logic to cover new and evolving injection techniques.
Graphqlruby To mitigate the risk of injection attacks in a GraphQL Ruby framework, ensure that all user-supplied input is properly validated. Use the built-in mechanisms for parameterized queries and input object types to define what data is acceptable. Additionally, implement a strong type system and avoid directly interpolating variables into queries or resolvers. Regularly review and update your validation logic to cover new and emerging threats.
Hasura To prevent improper input validation and injection vulnerabilities in Hasura, ensure that all user inputs are strictly validated against a defined schema. Use Hasura's built-in input validation features to define types and constraints for all inputs. Additionally, leverage prepared statements and parameterized queries when writing custom GraphQL queries or SQL statements. Avoid using raw SQL or string concatenation with user inputs to construct queries. Regularly review and update security rules and permissions to restrict unauthorized access and operations.
Agoo Implement strict input validation and sanitization to prevent injection attacks in the Agoo framework engine.
Ariadne Implement strict input validation and sanitization in the Ariadne framework engine to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Caliban Implement strict input validation and sanitization in Caliban framework to prevent injection attacks by ensuring all user inputs are properly validated and encoded before processing.
Dgraph Implement strict input validation and sanitization to prevent injection attacks in the Dgraph framework.
Dianajl Implement strict input validation and sanitization routines in the Dianajl framework engine to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Directus Implement strict input validation and sanitization for all user inputs in the Directus framework to prevent XSS and other injection attacks.
Flutter Implement input validation and sanitization using Flutter's built-in validation methods to prevent injection attacks.
Graphene Implement strict input validation and sanitization in the Graphene framework to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Graphqlapiforwp Implement strict input validation and sanitization for all user inputs in the GraphQL API for WP framework to prevent injection attacks, ensuring that only expected data types and formats are accepted.
Graphqlgophergo Implement strict input validation and sanitization for all user inputs in the GraphQL queries to prevent injection attacks.
Graphqljava Implement strict input validation and sanitization for all user inputs in the GraphQL queries to prevent injection attacks.
Graphqlphp Implement strict input validation and sanitization for all user inputs in the graphqlphp framework to prevent injection attacks, ensuring that only expected data types and formats are processed.
Graphqlyoga Implement strict input validation and sanitization in the GraphQL Yoga framework to prevent injection attacks, ensuring that all user inputs are properly validated and sanitized before processing.
Hypergraphql Implement strict input validation and sanitization to prevent injection attacks in the HyperGraphQL framework engine.
Jaal Implement strict input validation and sanitization in the Jaal framework engine to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Juniper Implement strict input validation and sanitization to prevent injection attacks in the Juniper framework engine.
Lacinia Implement strict input validation and sanitization in the Lacinia framework engine to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Lighthouse Implement strict input validation and sanitization to prevent injection attacks in the Lighthouse framework engine.
Mercurius Implement strict input validation and sanitization in Mercurius to prevent injection attacks, ensuring all user inputs are properly validated and encoded before processing.
Morpheusgraphql Implement strict input validation and sanitization in MorpheusGraphQL to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Qglgen Implement strict input validation and sanitization in gqlgen to prevent injection attacks by ensuring all user inputs are properly validated and encoded before processing.
Sangria Implement strict input validation and sanitization for all user inputs in the Sangria framework to prevent injection attacks, ensuring that only expected data types and formats are processed.
Shopify Implement Shopify's Liquid filters to sanitize user inputs and escape any potentially harmful characters to prevent XSS vulnerabilities.
Stepzen Implement strict input validation and sanitization in the StepZen framework to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Strawberry Implement strict input validation and sanitization in the Strawberry Framework engine to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Tartiflette Implement strict input validation and sanitization for all user inputs in the Tartiflette framework to prevent injection attacks, ensuring that only expected data types and formats are accepted.
Wpgraphql Implement strict input validation and sanitization for all user inputs in the WPGraphQL framework to prevent injection attacks, ensuring that only expected data types and formats are processed.

REST Specific

Asp_net In ASP.NET, prevent improper input validation and protect against XSS by encoding output using AntiXSS Library or built-in encoding methods, implementing Content Security Policy (CSP), and using HttpRequest.Unvalidated to access raw input when necessary. Additionally, utilize built-in ASP.NET features like ValidateRequest and model binding with validation annotations to automatically check for potentially dangerous inputs. Always sanitize user input before processing it.
Ruby_on_rails In Ruby on Rails, ensure proper input validation by using built-in mechanisms such as Active Record validations for models, and sanitize user input by employing the 'sanitize' helper method for views. Additionally, use the 'strong parameters' feature to whitelist allowed parameters in controllers. Always encode output when rendering to prevent XSS and avoid directly inserting user content into the DOM. For any direct SQL queries, use parameterized queries with '?' placeholders to separate SQL code from user input, thus preventing SQL injection.
Next_js In Next.js, ensure to sanitize user input by using libraries like DOMPurify to prevent XSS. For server-side rendering, escape dynamic content with built-in functions like `encodeURIComponent` for URLs or `React.createElement` to safely create DOM elements. Always validate and sanitize API input and output, and use Next.js' built-in API routes to handle server-side logic securely.
Laravel In Laravel, use the built-in validation features to ensure proper input validation. Define validation rules in your request classes or controllers using the 'validate' method. Additionally, leverage Eloquent's parameterized queries and the 'htmlspecialchars' function to prevent XSS by escaping output when rendering views.
Express_js In Express.js, ensure all user-supplied input is validated and sanitized using middleware like 'express-validator'. Employ context-specific output encoding when rendering responses to prevent XSS. For dynamic content, use templating engines that automatically encode output, and set appropriate response headers like 'Content-Security-Policy' to mitigate the risk of content injection attacks.
Django In Django, ensure proper input validation by using Django's form and model field validation. Utilize Django templates to automatically escape variables, and avoid using 'mark_safe' unless absolutely necessary. Employ Django's built-in decorators such as '@require_http_methods' to restrict access to views based on the request method. Regularly update Django to the latest version to benefit from security patches.
Symfony In Symfony, use the built-in form validation and escaping mechanisms to prevent XSS. Apply 'htmlspecialchars' or 'twig_escape' filters in Twig templates to encode output, and always validate and sanitize user inputs using Symfony's Form component and Validator constraints.
Spring_boot In Spring Boot, ensure that all user-supplied input is sanitized and validated. Use built-in security features such as @RequestParam, @PathVariable, and @Valid annotations to enforce input validation. Additionally, enable Spring Security's XSS protection and configure Content Security Policy headers to mitigate the risk of XSS attacks.
Flask In Flask, ensure that all user inputs are sanitized before processing. Utilize Flask-WTF or similar libraries to validate form inputs and escape all dynamic content rendered in templates with Jinja2's autoescape feature. Additionally, employ the 'flask-talisman' extension to set content security policies that prevent the execution of unauthorized scripts.
Nuxt In Nuxt.js, prevent XSS by escaping user input, using the built-in 'v-html' directive cautiously, and leveraging Content Security Policy (CSP). Always validate and sanitize user input on both client and server sides. For dynamic content, consider using libraries like 'dompurify' to sanitize HTML and avoid inline scripting.
Fastapi In FastAPI, ensure that all user-provided data is sanitized and validated using Pydantic models for request bodies, Query, Path, and Header parameters. Utilize FastAPI's built-in security utilities, such as the `Depends` function with OAuth2PasswordBearer or APIKeyHeader for authentication, to further protect against injection attacks. Additionally, employ auto-escaping templates when rendering HTML responses to prevent XSS.
Frappe Implement server-side input validation and sanitization to prevent injection attacks in the Frappe framework.
Genzio Implement strict input validation and sanitization in the Genzio framework engine to prevent injection attacks, ensuring that all user inputs are properly validated and encoded before processing.
Gin Implement input validation and sanitization using the Gin framework's binding and validation features to prevent injection attacks such as XSS.
Gorilla Implement strict input validation and sanitization to prevent injection attacks in the Gorilla framework engine.
Hapi Utilize Joi for input validation in Hapi to ensure all user inputs are properly sanitized and validated before processing.
Hono Implement strict input validation and sanitization to prevent injection attacks in the Hono framework engine.
Jersey Ensure all user inputs are properly validated and sanitized before processing in the Jersey framework to prevent injection attacks such as XSS.
Koa Implement input validation and sanitization middleware in the Koa framework to prevent injection attacks, ensuring all user inputs are properly validated and sanitized before processing.
Ktor Implement input validation and sanitization in Ktor by using the 'kotlinx.html' library to safely construct HTML content and ensure that all user inputs are properly validated and sanitized before processing.
Leptos Implement strict input validation and sanitization to prevent injection attacks in the Leptos framework.
Macaron Implement input validation and sanitization using the Macaron framework's built-in middleware to prevent injection attacks.
Phoenix Ensure all user inputs are properly validated and sanitized using Phoenix's built-in functions like `Phoenix.HTML.safe_to_string/1` to prevent XSS and other injection attacks.
Redwoodjs Implement input validation and sanitization using RedwoodJS's built-in validation utilities to prevent XSS and other injection attacks.
Rocket Implement strict input validation and sanitization in Rocket framework by using the built-in request guards and form validation features to prevent injection attacks such as XSS.
Sveltekit Implement input sanitization and validation using SvelteKit's built-in form handling and validation utilities to prevent XSS and other injection attacks.

Configuration

Identifier: injection/improper_input

Options

  • skip_objects : List of object that are to be skipped by the security test.

Examples

Ignore this check

checks:
  injection/improper_input:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM01:2023
  • pci: 6.5.7
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 79

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References