Security Test: Improper Input Validation Injection¶

Description¶

Default Severity:

Improper input validation injection happens when an application blindly accepts and processes user-supplied data without adequately checking it first. This oversight allows an attacker to insert harmful code—like malicious scripts—into the application, potentially tricking it into running that code. The risk here is that if such vulnerabilities are exploited, sensitive data could be stolen, sessions hijacked, or the app’s behavior manipulated. Developers often fall into pitfalls by not sanitizing inputs, assuming users won’t provide harmful data, or misusing trusted functions, leaving the door open for attackers to misuse.

Reference:

https://portswigger.net/web-security/cross-site-scripting

Configuration¶

Identifier: injection/improper_input

Examples¶

All configuration available:

checks:
  injection/improper_input:
    skip: false # default
    options:
      skip_objects: # cf. Options below

Options¶

Options can be set in the options key of the Security Test Configuration.

Property	Type	Default	Description
`skip_objects`	`List[string]`		List of object that are to be skipped by the security test.

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API10:2023
OWASP LLM Top 10	LLM01:2023
PCI DSS	`6.5.7`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`AC-4`
CWE	`79`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C`
CVSS Score	`7.2`