Skip to main content

Improper Input Validation Injection


Improper input validation can lead to XSS vulnerabilities and other security issues. XSS (Cross-site scripting) is an attack where malicious code (eg. JavaScript) is injected into the application and executed.


Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

To effectively prevent XSS vulnerabilities, use a combination of the following measures:

  • Filter user input on arrival as strictly as possible, based on what you expect as legitimate input.
  • Encode user-controllable data as soons as it is outputted in HTTP reponses to prevent it from being interpreted as active content (ie. code). Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
  • Use the right headers to ensure that browsers interpret the responses the way you intended. For example, to prevent XSS in HTTP responses that are not supposed to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers.
  • Use Content Security Policy (CSP) to reduce the severity of any XSS vulnerability that still occurs.


Identifier: injection/improper_input


  • skip_objects : List of object that are to be skipped by the security test.


Ignore this check

"checks": {
"injection/improper_input": {
"skip": true


  • Escape Severity: HIGH
    • OWASP: API10:2023
    • PCI DSS: 6.5.7
    • CWE
      • 74
      • 79
    • WASC: WASC-08


  • CVSS_SCORE: 7.2