DATA VALIDATION & ENCODING (VE3)

Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats


  • OWASP SCP:
  • OWASP ASVS: 1.5.3, 5.1.1, 5.1.2, 5.1.3, 13.2.1, 14.1.2, 14.4.1
  • OWASP AppSensor: RE7, RE8, AE4, AE5, AE6, AE7, IE2, IE3, CIE1, CIE3, CIE4, HT1, HT2, HT3
  • CAPEC: -
  • SAFECODE: 3, 16, 24, 35

How to play?

A lack of input validation is often the root cause of many security issues. Since the validation needs to be context specific, generic sanitisation routines will not suffice: the developer needs to understand how the data are formatted/composed, why the data are being sent, what they are used for and the meaning of the values. This input validation should ensure that:

  • Only the permitted inputs (field/parameter names) are supplied.
  • All the mandatory inputs are supplied.
  • The values associated with each field/parameter name are of the expected format, type, range, length, etc.

NB: This card relates to generic input validation. See VE 4 for the similar additional context-specific checks.
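As an added example (not from the Cornucopia card or any OWASP project code), the checks this card calls for, expressed as a Python validator over a parsed query string: unknown field names are rejected, mandatory fields must be present, a field supplied twice is rejected rather than silently taking the first or last value, and each value is checked against a whitelist pattern or an integer range. The field names, regexes and numeric limits are constructed assumptions for a hypothetical "transfer" request.

```python
import re
from urllib.parse import parse_qs

# Constructed allow-list schema for a hypothetical "transfer" request.
# Every accepted field is named here; anything else is rejected.
SCHEMA = {
    "account": {"required": True, "pattern": re.compile(r"^[0-9]{8}$")},
    "amount": {"required": True, "type": int, "min": 1, "max": 10_000},
    "memo": {"required": False, "pattern": re.compile(r"^[A-Za-z0-9 ]{0,32}$")},
}


def validate(query: str) -> list[str]:
    """Validate a raw query string against SCHEMA; return a list of errors (empty if valid)."""
    errors = []
    # keep_blank_values so an empty mandatory value is seen and checked, not dropped
    params = parse_qs(query, keep_blank_values=True)

    # 1. Only permitted field/parameter names may be supplied.
    for name in params:
        if name not in SCHEMA:
            errors.append(f"unexpected field: {name}")

    # 2. All mandatory fields must be supplied.
    for name, rule in SCHEMA.items():
        if rule["required"] and name not in params:
            errors.append(f"missing field: {name}")

    # 3. Each known field: exactly one value, of the expected type/range/format.
    for name, values in params.items():
        rule = SCHEMA.get(name)
        if rule is None:
            continue  # already reported in step 1
        if len(values) != 1:
            errors.append(f"duplicate field: {name}")  # no first-wins/last-wins ambiguity
            continue
        value = values[0]
        if rule.get("type") is int:
            # Check the lexical form before int(): rejects "-5", "1e3", " 7" and similar.
            if not re.fullmatch(r"[0-9]+", value):
                errors.append(f"{name}: not an integer")
                continue
            if not rule["min"] <= int(value) <= rule["max"]:
                errors.append(f"{name}: out of range")
        elif not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: bad format")
    return errors
```

A request is accepted only when the returned list is empty; returning every error rather than the first lets the caller log the full picture of a malformed request.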

Mappings

  • OWASP ASVS (4.0): 1.5.3, 5.1.1, 5.1.2, 5.1.3, 13.2.1, 14.1.2, 14.4.1
  • CAPEC: 28, 48, 126, 165, 213, 220, 221, 261, 262, 271, 272
  • OWASP SCP:
  • OWASP AppSensor: RE7, RE8, AE4, AE5, AE6, AE7, IE2, IE3, CIE1, CIE3, CIE4, HT1, HT2, HT3
  • SAFECODE: 3, 16, 24, 35

ASVS (4.0) Cheat Sheet Series Index

  • ASVS V1.5 - Input and Output Architectural Requirements
  • ASVS V5.1 - Input Validation Requirements
  • ASVS V13.2 - RESTful Web Service Verification Requirements
  • ASVS V14.1 - Build
  • ASVS V14.4 - HTTP Security Headers Requirements

No suitable mappings were found.

Attacks

  • SQL Injection
  • Command Injection
  • (Session) Data tampering

OWASP Cornucopia

  • OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic, and is free to use.
  • OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence to this one.
  • © 2012-2025 OWASP Foundation. The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.