[Owasp-leaders] OWASP Top 10 missing server-side input validation

Dave Wichers dave.wichers at owasp.org
Tue Jul 5 16:19:22 UTC 2016

Thanks Sam for pointing this out. I have added "server-side" in front of
both of these items on this page on the wiki. And we'll endeavor to make
this clear in the next Top 10 release as well.

If anyone else has any similar improvement suggestions, they can just email
me directly, or email the Top 10 mailing list, rather than hitting the
entire leaders list.

Thanks, Dave

On Sun, Jul 3, 2016 at 7:11 PM, Sam Stepanyan <sam.stepanyan at owasp.org> wrote:

> Dear Leaders,
> I would like to bring to your attention the fact that the OWASP Top 10
> application security risk list (both 2007 and 2013 versions) is missing the
> statement that input validation must be done on the server side for both
> OWASP A3 XSS and OWASP A1 Injection vulnerabilities.
> I discovered this after the review of vulnerability findings (referencing
> OWASP Top 10) with a developer who put all input validation in a
> client-side JavaScript portion of an application. Needless to mention that
> all the client-side JavaScript validation was bypassed when a manually
> crafted POST to a REST API backend saved all the malicious content in the
> database.
> The developer argued that OWASP Top 10 does not state that input
> validation must happen on the server side, it just has a recommendation to
> implement a form of whitelist-based input validation.
> And he was right: I have re-read the OWASP Top 10 and yep, input
> validation is recommended; however, server-side input validation is not
> mentioned in the Injection and XSS chapters (screenshot from the OWASP Top 10
> 2013 PDF below).
> Server-side validation is mentioned, however, in A7 Authentication and
> Authorisation and A10 Unvalidated Redirects and Forwards.
> Server-side input validation is in the ASVS (requirements 5.3, 5.5, 5.18)
> as well as in the OWASP Testing Guide.
> I believe we should align the recommendations in the OWASP Top 10 and ASVS
> regarding server-side input validation.
> In the upcoming OWASP Top 10 2016 this should be corrected.
> Regards,
> Sam
> --
> Sam Stepanyan
> OWASP London Chapter Leader
> @owasplondon
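The failure Sam describes, client-side JavaScript checks skipped by a hand-crafted POST to the REST backend, is closed by repeating the same allowlist rules on the server. The Node.js handler below is an added example, not code from this thread or from OWASP; the field names, the rules and the profile endpoint it validates are assumptions.

```javascript
// Allowlist rules for each accepted field: a pattern plus a length bound.
// Anything that does not match is rejected outright; the server does not
// try to sanitise or "repair" input. (Hypothetical field set.)
const RULES = {
  username:    { pattern: /^[A-Za-z0-9_]+$/,     maxLen: 20,  required: true },
  displayName: { pattern: /^[\p{L}\p{N} .'-]+$/u, maxLen: 50,  required: true },
  website:     { pattern: /^https:\/\/[a-z0-9.-]+(\/[A-Za-z0-9._~\/-]*)?$/i, maxLen: 200, required: false },
};

// Validate an already-parsed JSON body against RULES.
// Returns { ok: true, value } holding only allowlisted fields, or { ok: false, errors }.
function validateProfile(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  const value = {};
  // Unknown keys are an error too: a crafted POST must not smuggle in extra fields.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [field, rule] of Object.entries(RULES)) {
    const v = body[field];
    if (v === undefined) {
      if (rule.required) errors.push(`${field}: required`);
      continue;
    }
    if (typeof v !== "string" || v.length > rule.maxLen || !rule.pattern.test(v)) {
      errors.push(`${field}: does not match the allowed format`);
      continue;
    }
    value[field] = v;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Handler for the raw body of a POST to the profile endpoint: parse, validate,
// and only then hand the checked value to storage (the database write is a placeholder).
function handleProfilePost(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, body: { errors: ["invalid JSON"] } };
  }
  const result = validateProfile(parsed);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  return { status: 200, body: { saved: result.value } };
}
```

Because the browser is never trusted, the same check rejects the request whether it came from the form or from a tool that skipped the form entirely.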
[Attachment scrubbed by the list archive: Screen Shot 2016-07-04 at 00.02.49.png (image/png, 729930 bytes), URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160705/5bbff51b/attachment-0001.png>]
