[Owasp-leaders] OWASP Top 10 missing server-side input validation

Eoin Keary eoin.keary at owasp.org
Mon Jul 4 02:53:25 UTC 2016

Good catch Sam, output encoding is recommended and given more weight, but
Input validation should be there as a layer of defence.

Eoin Keary
OWASP Volunteer

> On 3 Jul 2016, at 18:11, Sam Stepanyan <sam.stepanyan at owasp.org> wrote:
> Dear Leaders,
> I would like to bring to your attention the fact that the OWASP Top 10 application security risk list (both 2007 and 2013 versions) is missing the statement that input validation must be done on the server side for both OWASP A3 XSS and OWASP A1 Injection vulnerabilities.
> I discovered this after the review of vulnerability findings (referencing OWASP Top 10) with a developer who put all input validation in a client-side JavaScript portion of an application.  Needless to mention that all the client-side JavaScript validation was bypassed when a manually crafted POST to a REST API backend saved all the malicious content in the database.
> The developer argued that OWASP Top 10 does not state that input validation must happen on the server side, it just has a recommendation to implement a form of whitelist-based input validation.
> And he was right: I have re-read the OWASP Top 10 and yep - input validation is recommended however the server side input validation is not mentioned in the Injection and XSS chapters (screenshot from OWASP Top 10 2013 PDF below). 
> <Screen Shot 2016-07-04 at 00.02.49.png>
> Server-side validation is mentioned however in the A7 Authentication and Authorisation and the A10 Unvalidated Redirects and Forwards.
> Server-side input validation is in the ASVS (requirements 5.3,  5.5, 5.18) as well as in the OWASP Testing Guide.
> I believe we should align the recommendations in the OWASP Top 10 and ASVS regarding the server side input validation. 
> In the upcoming OWASP Top 10 2016 this should be corrected.
> Regards,
> Sam
> -- 
> Sam Stepanyan
> OWASP London Chapter Leader
> @owasplondon
> https://www.owasp.org/index.php/London
> sam.stepanyan at owasp.org
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160703/29c524e8/attachment.html>

More information about the OWASP-Leaders mailing list