[Owasp-leaders] OWASP Top 10 missing server-side input validation

Sam Stepanyan sam.stepanyan at owasp.org
Sun Jul 3 23:11:57 UTC 2016


Dear Leaders,

I would like to bring to your attention the fact that the OWASP Top 10 
application security risk list (both 2007 and 2013 versions) is missing 
the statement that input validation must be done on the server side for 
both OWASP A3 XSS and OWASP A1 Injection vulnerabilities.

I discovered this after the review of vulnerability findings 
(referencing OWASP Top 10) with a developer who put all input validation 
in a client-side JavaScript portion of an application. Needless to 
mention that all the client-side JavaScript validation was bypassed when 
a manually crafted POST to a REST API backend saved all the malicious 
content in the database.

The developer argued that OWASP Top 10 does not state that input 
validation must happen on the server side, it just has a recommendation 
to implement a form of whitelist-based input validation.

And he was right: I have re-read the OWASP Top 10 and yep - input 
validation is recommended however the server side input validation is 
not mentioned in the Injection and XSS chapters (screenshot from OWASP 
Top 10 2013 PDF below).




Server-side validation is mentioned however in the A7 Authentication and 
Authorisation and the A10 Unvalidated Redirects and Forwards.

Server-side input validation is in the ASVS (requirements 5.3,  5.5, 
5.18) as well as in the OWASP Testing Guide.

I believe we should align the recommendations in the OWASP Top 10 and 
ASVS regarding the server side input validation.

In the upcoming OWASP Top 10 2016 this should be corrected.

Regards,
Sam

-- 

Sam Stepanyan
OWASP London Chapter Leader
@owasplondon
https://www.owasp.org/index.php/London
sam.stepanyan at owasp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160704/6b2fde9d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-07-04 at 00.02.49.png
Type: image/png
Size: 729930 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160704/6b2fde9d/attachment-0001.png>


More information about the OWASP-Leaders mailing list