[Owasp-leaders] OWASP Top 10 missing server-side input validation

Ralph Durkee rd at rd1.net
Mon Jul 4 15:02:57 UTC 2016


I agree! For starters, why not edit the wiki and add "server side" in
front of the two texts you've highlighted.

https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29

There's also the top level Top 10 descriptions [
https://www.owasp.org/index.php/Top_10_2013-Top_10 ] but I don't think
having the extra wording is critical for the description.

-- Ralph Durkee


On 07/03/2016 07:11 PM, Sam Stepanyan wrote:
> Dear Leaders,
>
> I would like to bring to your attention the fact that the OWASP Top 10 
> application security risk list (both 2007 and 2013 versions) is 
> missing the statement that input validation must be done on the server 
> side for both OWASP A3 XSS and OWASP A1 Injection vulnerabilities.
>
> I discovered this after the review of vulnerability findings 
> (referencing OWASP Top 10) with a developer who put all input 
> validation in a client-side JavaScript portion of an application. 
> Needless to mention that all the client-side JavaScript validation was 
> bypassed when a manually crafted POST to a REST API backend saved all 
> the malicious content in the database.
>
> The developer argued that OWASP Top 10 does not state that input 
> validation must happen on the server side, it just has a 
> recommendation to implement a form of whitelist-based input validation.
>
> And he was right: I have re-read the OWASP Top 10 and yep - input 
> validation is recommended however the server side input validation is 
> not mentioned in the Injection and XSS chapters (screenshot from OWASP 
> Top 10 2013 PDF below).
>
> Server-side validation is mentioned however in the A7 Authentication 
> and Authorisation and the A10 Unvalidated Redirects and Forwards.
>
> Server-side input validation is in the ASVS (requirements 5.3, 5.5, 
> 5.18) as well as in the OWASP Testing Guide.
>
> I believe we should align the recommendations in the OWASP Top 10 and 
> ASVS regarding the server side input validation.
>
> In the upcoming OWASP Top 10 2016 this should be corrected.
>
> Regards,
> Sam
> -- 
>
> Sam Stepanyan
> OWASP London Chapter Leader
> @owasplondon
> https://www.owasp.org/index.php/London
> sam.stepanyan at owasp.org
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
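
The bypass Sam describes (form-level JavaScript checks skipped by a hand-crafted POST to the REST backend) is easiest to see next to the control that actually stops it. The following is an added example, not code from the thread or from any OWASP project: a server-side allowlist validator applied to the raw request body of an assumed JSON profile-update endpoint. The field names, the patterns and the two sample requests are assumptions constructed for illustration. Note that input validation is one layer only; the injection and XSS findings in the thread still need parameterised queries and context-aware output encoding downstream.

```javascript
// Added example (not from the mailing-list thread): server-side allowlist
// validation of a REST POST body, applied regardless of what the browser did.
// Field names, patterns and sample bodies below are assumed for illustration.

// Allowlist per field: describe what a value MUST look like,
// not what it must not contain.
const FIELD_RULES = {
  username:    { required: true,  pattern: /^[a-z0-9_]{3,20}$/ },
  displayName: { required: true,  pattern: /^[\p{L}\p{N} .'-]{1,50}$/u },
  age:         { required: false, pattern: /^(?:[1-9]|[1-9][0-9]|1[01][0-9]|120)$/ },
};
const ALLOWED_FIELDS = new Set(Object.keys(FIELD_RULES));

// Validates an already-parsed JSON object.
// Returns { ok: true, value } with only the allowlisted copy, or { ok: false, errors }.
function validateProfile(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  // Unexpected fields are rejected rather than passed through to the DB layer
  // (e.g. a client adding "isAdmin": true to the payload).
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  const value = {};
  for (const [field, rule] of Object.entries(FIELD_RULES)) {
    const v = body[field];
    if (v === undefined) {
      if (rule.required) errors.push(`${field}: required`);
      continue;
    }
    // Type-check before the regex: RegExp.test() coerces non-strings via toString(),
    // so an object or array would otherwise be tested against its string form.
    if (typeof v !== 'string') {
      errors.push(`${field}: must be a string`);
      continue;
    }
    if (!rule.pattern.test(v)) {
      errors.push(`${field}: does not match allowed format`);
      continue;
    }
    value[field] = v;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Simulated REST handler: receives the body exactly as it arrived on the wire.
// Nothing here assumes a browser ran any JavaScript before sending it.
function handleProfilePost(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, errors: ['malformed JSON'] };
  }
  const result = validateProfile(parsed);
  if (!result.ok) return { status: 400, errors: result.errors };
  // Only the validated, allowlisted copy would reach the persistence layer.
  return { status: 200, saved: result.value };
}

// Constructed sample requests: one from a well-behaved form, one crafted by hand
// (curl / proxy) to skip the client-side checks entirely.
const fromForm = JSON.stringify({ username: 'alice_01', displayName: "Alice O'Neil" });
const crafted = JSON.stringify({
  username: "admin'--",
  displayName: '<script>alert(1)</script>',
  isAdmin: true,
});

console.log(handleProfilePost(fromForm));  // status 200, saved copy
console.log(handleProfilePost(crafted));   // status 400, three validation errors
```

The same `validateProfile` function can be shipped to the browser for immediate feedback, but the server must call it (or an equivalent) on every request; the client-side copy is a usability feature, not a control.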
