Overview
Not properly validating or sanitizing user inputs can allow attackers to inject malicious code, manipulate the app’s behavior, or access unauthorized data. Unvalidated inputs occur when an application fails to properly validate or sanitize the data entered by users. This can lead to a variety of attacks, such as SQL injection, cross-site scripting (XSS), or buffer overflow exploits. Unvalidated inputs can also lead to other types of attacks, such as command injection, path traversal, and XML external entity (XXE) injection. Mobile apps often process input from forms, API calls, or external sources. Any unvalidated input poses a significant risk, as attackers can use it to inject malicious code or manipulate the app’s behavior.
Risk factors
Unvalidated inputs can arise from:
- Failing to enforce rules about what kinds of inputs are allowed (e.g., expecting numbers but accepting letters or special characters).
- Not removing or encoding potentially dangerous characters, such as HTML or SQL special characters.
- Allowing unvalidated data to be passed directly to backend servers or APIs. Implementing weak or overly permissive filters that can be bypassed with crafted inputs.
- Trusting client-side validation without implementing server-side checks.
Consequences
If unvalidated inputs are exploited, the following can happen:
- SQL injection: Attackers can exploit unvalidated inputs to inject malicious SQL queries, potentially leading to data theft or manipulation.
- Cross-site scripting (XSS): Attackers can inject malicious scripts that execute in the context of a user’s session.
- Buffer overflow: Improperly validated inputs may lead to buffer overflow vulnerabilities, allowing attackers to execute arbitrary code.
- Application crashes: Invalid or malicious input can cause the app to behave unpredictably or crash, affecting service availability.
- Data integrity issues: Unvalidated inputs can lead to corrupt or invalid data being stored in the system, affecting data integrity.
Solutions and best practices
To mitigate the risks associated with invalidated inputs, organizations should implement the following security measures:
- Error handling: Implement proper error handling that doesn’t reveal sensitive information about the system or data structures.
- Strict input validation: Enforce strict rules on what types of input are allowed, using whitelisting where possible.
- Input sanitization: Sanitize and encode input to remove or escape potentially dangerous characters before processing.
- Parameterized queries: Use parameterized queries to ensure that user input cannot be interpreted as part of SQL or other code execution.
- API security: Ensure that all user-supplied data in API calls is validated before processing.
- App shielding: App shielding can add extra layers of defense by protecting against tampering with input validation mechanisms and making it harder for attackers to exploit input flaws.