Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V5 - Validation/Sanitization


The most common web application security weakness is the failure to properly validate input coming from the client or the environment before directly using it without any output encoding. This weakness leads to almost all of the significant vulnerabilities in web applications, such as Cross-Site Scripting (XSS), SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.

Ensure that a verified application satisfies the following high-level requirements:

• Input validation and output encoding architecture have an agreed pipeline to prevent injection attacks.
• Input data is strongly typed, validated, range or length checked, or at worst, sanitized or filtered.
• Output data is encoded or escaped as per the context of the data as close to the interpreter as possible.

With modern web application architecture, output encoding is more important than ever. It is difficult to provide robust input validation in certain scenarios, so the use of safer APIs such as parameterized queries, auto-escaping templating frameworks, or carefully chosen output encoding is critical to the security of the application.
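The three requirements above map directly onto code. The following is an added example written for this page (it is not code from the Cobalt wiki or from ASVS) showing, in Python with the standard library only: strongly typed, range-checked input; a parameterized query beside the string-concatenation pattern it replaces; and output encoding chosen per interpreter context (HTML body vs URL) and applied at the point of output. The table contents, function names and the in-memory SQLite database are constructed for the demonstration.

```python
"""Added example (not from the Cobalt wiki): the V5 requirements in code.

- parse_user_id: typed + range-checked input (validate, do not sanitize)
- find_by_name vs find_by_name_unsafe: parameterized query vs concatenation
- render_greeting_html / build_profile_url: context-specific output encoding
"""
import html
import re
import sqlite3
import urllib.parse

_USER_ID = re.compile(r"[0-9]{1,9}")  # ASCII digits only; str.isdigit() also accepts "²"


def parse_user_id(raw: str) -> int:
    """Strongly typed validation: accept only a positive integer of at most 9 digits."""
    if not _USER_ID.fullmatch(raw):
        raise ValueError("user id must be 1-9 decimal digits")
    value = int(raw)
    if not 1 <= value <= 999_999_999:
        raise ValueError("user id out of range")
    return value


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob <admin>")],
    )
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The pattern V5 is written against: untrusted text is spliced into the SQL
    # statement, so the interpreter cannot tell data from code. A plain
    # apostrophe in the name is enough to change the statement's structure.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name(conn: sqlite3.Connection, name: str) -> list:
    # Safer API: the driver sends the value separately from the statement,
    # so the name is only ever compared, never parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_html(name: str) -> str:
    # HTML body context: escape right where the string meets the HTML interpreter.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def build_profile_url(name: str) -> str:
    # URL context: a different interpreter needs a different encoding;
    # HTML escaping here would be wrong, and vice versa.
    return "/profile?name=" + urllib.parse.quote(name, safe="")


if __name__ == "__main__":
    conn = demo_db()
    print(parse_user_id("42"))
    print(find_by_name(conn, "bob <admin>"))
    print(render_greeting_html("bob <admin>"))
    print(build_profile_url("bob <admin>"))
    try:
        find_by_name_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concatenated query broke on a legitimate name:", exc)
```

The unsafe variant is kept only as the contrast the ASVS text describes: even a legitimate name such as O'Brien breaks the concatenated statement, which is the same data/code confusion an injection exploits. The parameterized version returns the expected rows for any input, and the two encoders show why "encode as per the context" means choosing the encoder for the interpreter that will consume the output.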