173 – Discard unsafe inputs

Summary

The system must discard all potentially harmful information received via data inputs.

Description

Technological devices and, in particular, applications must be able to notice if the received information does not correspond to its operational purposes, in order to treat it properly (for example, rejecting and/or generating timely alerts) and ensure that it does not impact the operation negatively. Typical examples of this are: SQL queries, JavaScript code, OS commands or LDAP queries in fields and application parameters; text with undesired special characters and their possible combinations in fields and parameters; files manipulated in structure and extension to be loaded in an application or technology artifact; and in general any type of information that does not correspond to the requested format. A large amount of the incoming traffic (which does not correspond to operational purposes) of a technological artifact must also be considered, and controls and proper treatment must be applied.

Supported In

Essential: True

Advanced: True

References

• CAPEC-3. Using leading 'ghost' character sequences to bypass input filters
• CAPEC-4. Using alternative IP address encodings
• CAPEC-6. Argument injection
• CAPEC-7. Blind SQL injection
• CAPEC-15. Command delimiters
• CAPEC-18. XSS targeting non-script elements
• CAPEC-19. Embedding scripts within scripts
• CAPEC-22. Exploiting trust in client
• CAPEC-24. Filter failure through buffer overflow
• CAPEC-32. XSS through HTTP query strings
• CAPEC-34. HTTP response splitting
• CAPEC-41. Using meta-characters in e-mail headers to inject malicious payloads
• CAPEC-48. Passing local filenames to functions that expect a URL
• CAPEC-130. Excessive allocation
• CAPEC-137. Parameter injection
• CAPEC-153. Input data manipulation
• CAPEC-175. Code inclusion
• CAPEC-240. Resource injection
• CAPEC-242. Code injection
• CAPEC-248. Command injection
• CAPEC-676. NoSQL Injection
• CAPEC-690. Metadata Spoofing
• CAPEC-691. Spoof Open-Source Software Metadata
• CAPEC-692. Spoof Version Control System Commit Metadata
• CIS-16_10. Apply secure design principles in application architectures
• CWE-20. Improper input validation
• CWE-74. Improper neutralization of special elements in output used by a downstream component ("injection")
• CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection")
• CWE-79. Improper neutralization of input during web page generation ("cross-site scripting")
• CWE-80. Improper neutralization of script-related HTML tags in a web page (basic XSS)
• CWE-89. Improper neutralization of special elements used in an SQL command ("SQL injection")
• CWE-94. Improper control of generation of code ("code injection")
• CWE-138. Improper neutralization of special elements
• CWE-147. Improper neutralization of input terminators
• CWE-643. Improper neutralization of data within XPath expressions ("XPath injection")
• CWE-22. Improper limitation of a pathname to a restricted directory ("path traversal")
• CWE-36. Absolute path traversal
• CWE-90. Improper neutralization of special elements used in an LDAP query ('LDAP Injection')
• CWE-91. XML injection
• CWE-95. Improper neutralization of directives in dynamically evaluated code ("eval injection")
• CWE-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
• CWE-112. Missing XML validation
• CWE-116. Improper encoding or escaping of output
• CWE-150. Improper neutralization of escape, meta, or control sequences
• CWE-290. Authentication bypass by spoofing
• CWE-400. Uncontrolled resource consumption
• CWE-444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")
• CWE-611. Improper restriction of XML External Entity reference
• CWE-918. Server-side request forgery (SSRF)
• CWE-1284. Improper validation of specified quantity in input
• CWE-1287. Improper validation of specified type of input
• CWE-1325. Improperly controlled sequential memory allocation
• OWASP10-A3. Injection
• OWASPM10-M2. Insecure data storage
• AGILE-9. Continuous attention to technical excellence and good design
• BIZEC-APP-01. ABAP command injection
• BIZEC-APP-02. OS command injection
• BIZEC-APP-03. Native SQL injection
• BIZEC-APP-06. Direct database modifications
• BIZEC-APP-08. Open SQL injection
• CERTC-FIO30-C. Exclude user input from format strings
• CERTJ-IDS00-J. Prevent SQL injection
• CERTJ-IDS16-J. Prevent XML injection
• MITRE-M1013. Application developer guidance
• MITRE-M1037. Filter network traffic
• PADSS-5_2_1. Injection flaws, particularly SQL injection
• PADSS-5_2_2. Buffer Overflow
• PADSS-5_2_7. Cross-site scripting (XSS)
• SANS25-2. Improper neutralization of input during web page generation (cross-site scripting)
• SANS25-3. Improper neutralization of special elements used in an SQL command (SQL injection)
• SANS25-5. Improper neutralization of special elements used in an OS command (OS command injection)
• SANS25-6. Improper input validation
• SANS25-8. Improper limitation of a pathname to a restricted directory (path traversal)
• SANS25-16. Improper neutralization of special elements used in a command (command injection)
• SANS25-19. Server-side request forgery (SSRF)
• SANS25-23. Improper Control of Generation of Code ('Code Injection')
• HITRUST-10_b. Input data validation
• HITRUST-13_k. Use and disclosure
• FEDRAMP-PE-16. Delivery and removal
• FEDRAMP-SI-5. Security alerts, advisories, and directives
• ISO27002-8_20. Network controls
• ISO27002-8_26. Application security requirements
• IEC62443-SI-3_5. Input validation
• WASSEC-6_2_3_2. Client-side attacks - Cross-site scripting
• WASSEC-6_2_3_4. Client-side attacks - HTML injection
• WASSEC-6_2_4_2. Command execution - LDAP injection
• WASSEC-6_2_4_3. Command execution - OS command injection
• WASSEC-6_2_4_4. Command execution - SQL injection
• WASSEC-6_2_4_6. Command execution - Xpath injection
• WASSEC-6_2_4_8. Command execution - Remote file includes
• WASSEC-6_2_4_9. Command execution - Local file includes
• WASSEC-6_2_5_3. Information disclosure - Path traversal
• WASC-A_07. Buffer overflow
• WASC-A_12. Content spoofing
• WASC-A_18. Credential and session prediction
• WASC-A_08. Cross-site scripting
• WASC-A_26. HTTP request smuggling
• WASC-A_29. LDAP injection
• WASC-A_31. OS commanding
• WASC-A_33. Path traversal
• WASC-A_05. Remote file inclusion (RFI)
• WASC-A_19. SQL injection
• WASC-A_39. XPath injection
• WASC-A_46. XML injection
• WASC-W_20. Improper input handling
• ISSAF-F_5_9. Network security - Router security assessment (configure ingress filtering)
• ISSAF-G_12. Network security - Firewalls (port redirection)
• ISSAF-P_6_1. Host security - Linux security (remote attacks)
• ISSAF-P_6_3. Host security - Linux security (buffer overflows)
• ISSAF-P_6_15. Host security - Linux security (local attacks)
• ISSAF-Q_16_20. Host security - Windows security (local attacks)
• ISSAF-T_13_2. Web application assessment - Test invalidated parameters (Cross Site Scripting)
• ISSAF-T_14_2. Web application assessment - Hidden form fields manipulation
• ISSAF-T_16_1. Web application assessment - Input validation (validate data)
• ISSAF-T_17. Web application assessment - Test SQL injection
• ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
• ISSAF-U_8. Web application SQL injections - Check SQL injection vulnerability
• ISSAF-U_11. Web application SQL injections - Get control on host
• ISSAF-U_15. Web application SQL injections – Countermeasures
• ISSAF-V_9. Application security - Source code auditing (data and input validation)
• ISSAF-V_10. Application security - Source code auditing (Cross Site Scripting XSS)
• ISSAF-V_13. Application security - Source code auditing (command injection)
• PTES-5_2_3_1. Vulnerability analysis - Web application scanners (application flaw scanners)
• PTES-6_2_3. Exploitation - Countermeasures (data execution prevention)
• PTES-7_4_2_3. Post exploitation - Pillaging (database servers)
• OWASPRISKS-P7. Insufficient data quality
• MVSP-1_8. Business controls - Data handling
• MVSP-2_5. Application design controls - Security libraries
• MVSP-3_3. Application implementation controls - Vulnerability prevention
• OWASPSCP-1. Input validation
• OWASPSCP-11. Database security
• OWASPSCP-12. File management
• OWASPSCP-13. Memory management
• BSAFSS-SC_3-2. Secure Coding (secure software against unsafe functions)
• BSAFSS-SC_3-3. Secure Coding (secure software against unsafe functions)
• BSAFSS-LO_2-4. Implement securely logging mechanisms
• CWE25-20. Improper input validation
• CWE25-22. Improper limitation of a pathname to a restricted directory (path traversal)
• CWE25-78. Improper neutralization of special elements used in an OS command (OS command injection)
• CWE25-79. Improper neutralization of input during web page generation (cross-site scripting)
• CWE25-89. Improper neutralization of special elements used in an SQL command (SQL injection)
• CWE25-77. Improper neutralization of special elements used in a command (command injection)
• CWE25-94. Improper Control of Generation of Code ('Code Injection')
• CWE25-918. Server-side request forgery (SSRF)
• ASVS-1_5_3. Input and output architecture
• ASVS-5_2_5. Sanitization and sandboxing
• ASVS-5_2_6. Sanitization and sandboxing
• ASVS-5_3_7. Output encoding and injection prevention
• ASVS-5_3_8. Output encoding and injection prevention
• ASVS-5_3_10. Output encoding and injection prevention
• ASVS-5_4_1. Memory, string, and unmanaged code
• ASVS-8_1_3. General data protection
• ASVS-12_3_1. File execution
• C2M2-9_4_d. Implement software security for cybersecurity architecture
• PCI-1_4_3. Implement anti-spoofing measures
• PCI-6_2_4. Software engineering techniques to prevent or mitigate common software attacks
• SIGLITE-SL_18. Are there regular privacy risk assessments conducted?
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-D_6_7. Asset and information management
• SIG-I_1_14. Application security
• SIG-I_2_1. Application security
• SIG-I_2_7_1. Application security
• ASVS-5_1_4. Input validation
• ASVS-5_2_1. Sanitization and sandboxing
• ASVS-5_2_2. Sanitization and sandboxing
• ASVS-5_2_3. Sanitization and sandboxing
• ASVS-5_2_7. Sanitization and sandboxing
• ASVS-5_3_3. Output encoding and injection prevention
• ASVS-5_3_5. Output encoding and injection prevention
• ASVS-5_3_6. Output encoding and injection prevention
• ASVS-5_4_2. Memory, string, and unmanaged code
• ASVS-5_5_3. Deserialization prevention
• ASVS-5_5_4. Deserialization prevention
• ASVS-7_3_1. Log protection
• ASVS-12_3_2. File execution
• ASVS-12_3_5. File execution
• ASVS-12_6_1. SSRF protection
• ASVS-13_3_1. SOAP web service
• ASVS-14_5_1. HTTP request header validation
• OWASPAPI-API4. Lack of Resources & Rate Limiting
• OWASPAPI-API7. Server Side Request Forgery
• OWASPAPI-API10. Unsafe Consumption of APIs
• ISO27001-8_20. Network controls
• ISO27001-8_26. Application security requirements
• CASA-1_5_3. Input and Output Architecture
• CASA-3_5_1. Token-based Session Management
• CASA-5_1_4. Input Validation
• CASA-5_2_3. Sanitization and Sandboxing
• CASA-5_2_5. Sanitization and Sandboxing
• CASA-5_2_6. Sanitization and Sandboxing
• CASA-5_2_7. Sanitization and Sandboxing
• CASA-5_3_3. Output Encoding and Injection Prevention
• CASA-5_3_6. Output Encoding and Injection Prevention
• CASA-5_3_7. Output Encoding and Injection Prevention
• CASA-5_3_8. Output Encoding and Injection Prevention
• CASA-5_3_10. Output Encoding and Injection Prevention
• CASA-7_3_1. Log Protection
• CASA-8_1_3. General Data Protection
• OWASPMASVS-CODE-4. The app validates and sanitizes all untrusted inputs
• OWASPLLM-LLM01:2025. Prompt Injection
• OWASPLLM-LLM02:2025. Sensitive Information Disclosure
• OWASPLLM-LLM04:2025. Data and Model Poisoning
• OWASPLLM-LLM05:2025. Improper Output Handling
• OWASPLLM-LLM07:2025. System Prompt Leakage
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

• 100 – Server-side request forgery (SSRF)
• 103 – Insufficient data authenticity validation - APK signing
• 105 – Apache lucene query injection
• 106 – NoSQL injection
• 107 – LDAP injection
• 110 – HTTP request smuggling
• 112 – SQL injection - Java SQL API
• 121 – HTTP parameter pollution
• 123 – Local file inclusion
• 127 – Lack of data validation - Type confusion
• 141 – Lack of data validation - URL
• 146 – SQL injection
• 154 – Time-based SQL Injection
• 155 – SQL Injection - Headers
• 156 – Uncontrolled external site redirect
• 184 – Lack of data validation
• 185 – Lack of data validation - Header x-amzn-RequestId
• 186 – Lack of data validation - Web Service
• 187 – Lack of data validation - Source Code
• 188 – Lack of data validation - Modify DOM Elements
• 189 – Lack of data validation - Content Spoofing
• 190 – Lack of data validation - Session Cookie
• 191 – Lack of data validation - Responses
• 192 – Lack of data validation - Reflected Parameters
• 193 – Lack of data validation - Host Header Injection
• 194 – Lack of data validation - Input Length
• 195 – Lack of data validation - Headers
• 196 – Lack of data validation - Dates
• 197 – Lack of data validation - Numbers
• 198 – Lack of data validation - Out of range
• 199 – Lack of data validation - Emails
• 274 – Restricted fields manipulation
• 297 – SQL injection - Code
• 316 – Improper resource allocation - Buffer overflow
• 317 – Improper resource allocation - Memory leak
• 321 – Lack of data validation - HTML code
• 323 – XML injection (XXE) - Unmarshaller
• 327 – Insufficient data authenticity validation - Images
• 340 – Lack of data validation - Special Characters
• 341 – Lack of data validation - OTP
• 344 – Lack of data validation - Non Sanitized Variables
• 353 – Lack of data validation - Token
• 355 – Insufficient data authenticity validation - Checksum verification
• 371 – DOM-Based cross-site scripting (XSS)
• 377 – Insufficient data authenticity validation - Device Binding
• 382 – Insufficient data authenticity validation - Front bypass
• 389 – Insufficient data authenticity validation - JAR signing
• 390 – Prototype Pollution
• 398 – Fragment Injection
• 404 – OS Command Injection
• 416 – XAML injection
• 420 – Password reset poisoning
• 422 – Server side template injection
• 425 – Server side cross-site scripting
• 429 – Universal cross-site scripting (UXSS)
• 434 – Client-side template injection
• 438 – Error-based SQL Injection
• 450 – Blind-based SQL injection
• 451 – OData injection
• 452 – Prompt injection
• 453 – Data and model poisoning
• 454 – Improper output handling
• 001 – SQL injection - C Sharp SQL API
• 004 – Remote command execution
• 008 – Reflected cross-site scripting (XSS)
• 010 – Stored cross-site scripting (XSS)
• 012 – SQL injection - Java Persistence API
• 021 – XPath injection
• 023 – Uncontrolled external site redirect - Host Header Injection
• 032 – Spoofing
• 045 – HTML code injection
• 061 – Remote File Inclusion
• 063 – Lack of data validation - Path Traversal
• 067 – Improper resource allocation
• 083 – XML injection (XXE)
• 089 – Lack of data validation - Trust boundary violation
• 090 – CSV injection
• 091 – Log injection
• 093 – Hidden fields manipulation
• 096 – Insecure deserialization
• 097 – Reverse tabnabbing

Last updated

2025/06/17