342 – Validate request parameters

Summary

The system must validate the content and length of all request parameters (GET, POST, cookies, headers, etc.), as well as their amount.

Description

Proper data validation prevents a vast majority of injection attacks. Its implementation includes validations of request parameters content, length and amount. This increases the defenses against HTTP parameter pollution attacks and mass parameter assignment attacks, and provides countermeasures to protect against unsafe parameter assignment.

Supported In

Essential: True

Advanced: True

References

• CAPEC-6. Argument injection
• CAPEC-31. Accessing/Intercepting/Modifying HTTP cookies
• CAPEC-32. XSS through HTTP query strings
• CAPEC-137. Parameter injection
• CAPEC-153. Input data manipulation
• CWE-130. Buffer copy without checking size of input ("classic buffer overflow")
• CWE-233. Improper handling of parameters
• CWE-235. Improper handling of extra parameters
• CWE-290. Authentication bypass by spoofing
• CWE-539. Use of persistent cookies containing sensitive information
• CWE-598. Use of GET request method with sensitive query strings
• CWE-915. Improperly controlled modification of dynamically-determined object attributes
• OWASP10-A3. Injection
• OWASP10-A8. Software and data integrity failures
• CERTJ-IDS16-J. Prevent XML injection
• SANS25-5. Improper neutralization of special elements used in an OS command (OS command injection)
• SANS25-6. Improper input validation
• SANS25-8. Improper limitation of a pathname to a restricted directory (path traversal)
• HITRUST-10_b. Input data validation
• ISO27002-8_28. Secure coding
• WASSEC-6_2_5_3. Information disclosure - Path traversal
• OSSTMM3-11_6_2. Data networks security (trust verification) - Pishing
• WASC-A_12. Content spoofing
• WASC-A_33. Path traversal
• NISTSSDF-PW_5_1. Archive and protect each software release
• ISSAF-F_5_9. Network security - Router security assessment (configure ingress filtering)
• ISSAF-T_16_1. Web application assessment - Input validation (validate data)
• ISSAF-U_15. Web application SQL injections – Countermeasures
• ISSAF-V_7. Application security - Source code auditing (session management)
• ISSAF-V_9. Application security - Source code auditing (data and input validation)
• OWASPSCP-1. Input validation
• CWE25-20. Improper input validation
• CWE25-22. Improper limitation of a pathname to a restricted directory (path traversal)
• CWE25-78. Improper neutralization of special elements used in an OS command (OS command injection)
• ASVS-5_1_1. Input validation
• ASVS-5_1_3. Input validation
• ASVS-12_3_1. File execution
• SIG-I_3_4_6. Application security
• CWE-22. Improper limitation of a pathname to a restricted directory ("path traversal")
• ASVS-5_1_4. Input validation
• ASVS-5_2_1. Sanitization and sandboxing
• ASVS-5_3_3. Output encoding and injection prevention
• ASVS-5_3_5. Output encoding and injection prevention
• ASVS-5_3_6. Output encoding and injection prevention
• ASVS-13_2_2. RESTful web service
• OWASPAPI-API4. Lack of Resources & Rate Limiting
• ISO27001-8_28. Secure coding
• CASA-5_1_1. Input Validation
• CASA-5_1_3. Input Validation
• CASA-5_1_4. Input Validation
• CASA-5_3_3. Output Encoding and Injection Prevention
• CASA-5_3_6. Output Encoding and Injection Prevention
• CASA-13_2_1. RESTful Web Service
• OWASPMASVS-CODE-4. The app validates and sanitizes all untrusted inputs
• OWASPLLM-LLM01:2025. Prompt Injection
• OWASPLLM-LLM02:2025. Sensitive Information Disclosure
• OWASPLLM-LLM05:2025. Improper Output Handling
• OWASPLLM-LLM07:2025. System Prompt Leakage
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

• 121 – HTTP parameter pollution
• 127 – Lack of data validation - Type confusion
• 138 – Inappropriate coding practices
• 184 – Lack of data validation
• 185 – Lack of data validation - Header x-amzn-RequestId
• 186 – Lack of data validation - Web Service
• 187 – Lack of data validation - Source Code
• 188 – Lack of data validation - Modify DOM Elements
• 189 – Lack of data validation - Content Spoofing
• 190 – Lack of data validation - Session Cookie
• 191 – Lack of data validation - Responses
• 192 – Lack of data validation - Reflected Parameters
• 193 – Lack of data validation - Host Header Injection
• 194 – Lack of data validation - Input Length
• 195 – Lack of data validation - Headers
• 196 – Lack of data validation - Dates
• 197 – Lack of data validation - Numbers
• 198 – Lack of data validation - Out of range
• 199 – Lack of data validation - Emails
• 432 – Inappropriate coding practices - relative path command
• 452 – Prompt injection
• 454 – Improper output handling
• 063 – Lack of data validation - Path Traversal
• 089 – Lack of data validation - Trust boundary violation

Last updated

2025/06/17