Data Validation and Output Encoding Threats
Input validation failures enable many web application attacks, from injection to buffer overflows. Validation in web applications, however, goes well beyond simple range checking. Unicode normalization attacks bypass filters that inspect the raw string but not its normalized form. Double encoding evades filters that decode once before checking, or that check before decoding at all. Because the same value may flow into HTML, JavaScript, CSS, and SQL, each of which interprets characters differently, the validation rules differ by context, and validation alone cannot make a value safe for every sink; it must be paired with context-specific output encoding. Threat modeling must map every input point and follow each value through decoding, normalization, and storage to the sinks where it is interpreted.
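The canonicalization problem in the paragraph above, as an added example (not code from the original page): a filter that inspects the raw string misses single-encoded, double-encoded and fullwidth-Unicode forms of a path traversal sequence, while a filter that percent-decodes to a fixed point and applies NFKC before checking catches all of them. The sample inputs, the "../" check and the decoding limit are constructed for illustration and are not taken from any particular application.

```python
import unicodedata
from urllib.parse import unquote

# Constructed sample inputs (assumption: the value ends up in a file path).
SAMPLES = {
    "plain": "../etc/passwd",
    "single_encoded": "..%2fetc%2fpasswd",
    "double_encoded": "%252e%252e%252fetc%252fpasswd",
    "fullwidth": "\uff0e\uff0e\uff0fetc\uff0fpasswd",   # U+FF0E '.', U+FF0F '/'
    "benign": "report-2024.pdf",
}


def naive_is_safe(value: str) -> bool:
    """Flawed pattern: check the raw string before any decoding."""
    return "../" not in value and "..\\" not in value


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (at most two layers of
    encoding are tolerated; more is rejected), then apply NFKC so that
    compatibility characters such as fullwidth '/' collapse to ASCII."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many encoding layers")
    return unicodedata.normalize("NFKC", value)


def hardened_is_safe(value: str) -> bool:
    """Canonicalize first, then validate the form the application will act on."""
    try:
        canon = canonicalize(value)
    except ValueError:
        return False
    return "../" not in canon and "..\\" not in canon and "\x00" not in canon


def compare(samples=SAMPLES) -> dict:
    """Map each sample name to (naive verdict, hardened verdict)."""
    return {name: (naive_is_safe(v), hardened_is_safe(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:16s} naive={verdicts[0]!s:5s} hardened={verdicts[1]}")
```

The naive check accepts every encoded variant and the hardened check rejects them all; the benign name passes both. Note that the hardened version rejects inputs needing more than two decode passes rather than trying to unwrap them, since legitimate clients do not send triple-encoded values.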
Mass assignment vulnerabilities arise when web frameworks automatically bind request parameters to object properties. An attacker who adds an unexpected parameter can then set fields the endpoint was never meant to expose, such as a role flag or an account balance. Frameworks offer protections (attribute allowlists, strong parameters, separate request models), but they work only when configured for each binding point. API endpoints are particularly exposed because they often deserialize complex JSON objects straight into domain models. Threat modeling should identify every automatic binding point and confirm that each restricts the bindable fields to those the caller is entitled to change.
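Added example (not from the original page) of the binding flaw and its allowlisted counterpart. The User model, its field names and the request body are constructed for illustration; the vulnerable binder writes any matching key to the object, while the hardened binder accepts only the fields the profile endpoint is meant to edit and rejects the rest, which also makes probing visible in logs.

```python
from dataclasses import dataclass, fields


# Illustrative model; field names are assumptions, not from any framework.
@dataclass
class User:
    username: str
    email: str
    role: str = "user"
    balance: float = 0.0


def bind_unrestricted(user: User, payload: dict) -> User:
    """Vulnerable pattern: every request key that matches a model field is
    written to the object, including role and balance."""
    model_fields = {f.name for f in fields(user)}
    for key, value in payload.items():
        if key in model_fields:
            setattr(user, key, value)
    return user


# Fields the "update my profile" endpoint may legitimately change.
USER_EDITABLE = frozenset({"username", "email"})


def bind_allowlisted(user: User, payload: dict) -> User:
    """Hardened pattern: bind only allowlisted fields, and reject unknown keys
    rather than silently dropping them so that tampering is observable."""
    unexpected = set(payload) - USER_EDITABLE
    if unexpected:
        raise ValueError(f"fields not permitted: {sorted(unexpected)}")
    for key in USER_EDITABLE & set(payload):
        setattr(user, key, payload[key])
    return user


# Constructed request body: a normal email change with two extra keys.
MALICIOUS_PAYLOAD = {"email": "mallory@example.com", "role": "admin", "balance": 1e6}


def demo() -> tuple:
    """Return (role, balance) after unrestricted binding, whether the
    allowlisted binder refused the request, and the role it left behind."""
    escalated = bind_unrestricted(User("mallory", "old@example.com"), MALICIOUS_PAYLOAD)
    victim = User("mallory", "old@example.com")
    try:
        bind_allowlisted(victim, MALICIOUS_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return escalated.role, escalated.balance, blocked, victim.role


if __name__ == "__main__":
    print(demo())
```

Whether to reject or drop unknown keys is a policy choice; some frameworks drop them by default, which is safe but hides the attempt. Either way the allowlist must live at the binding point, per endpoint, because the set of editable fields differs between a self-service profile update and an administrative one.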
Output encoding failures enable injection attacks when data is rendered. Each context requires its own encoding: HTML entity encoding for element content and quoted attributes, JavaScript string escaping for script contexts, URL encoding for query parameters and path segments, and CSS escaping for stylesheets. Modern template engines encode automatically, but usually only for the HTML context, and developers can bypass the protection by marking values as safe or by assembling markup in code outside the template. Rich text editors and markdown processors add complexity because they must emit some HTML while stripping the rest. Each output point requires threat analysis to confirm that the encoding applied matches the context into which the data lands.
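The four encoders named above, as an added example (not code from the original page), together with a check that shows why a single encoder is not enough: plain JSON serialization is a common way to place data in a script block, yet it leaves "</script>" intact, so the HTML parser ends the script element early. The payload and the rendering helper are constructed for illustration.

```python
import html
import json
import re
from urllib.parse import quote


def encode_html(value: str) -> str:
    """HTML element content or a quoted attribute value: & < > " ' -> entities."""
    return html.escape(value, quote=True)


def encode_js(value) -> str:
    """Data embedded in a <script> block: JSON-encode, then additionally
    escape < > & so that '</script>' or '<!--' inside the data cannot be
    seen by the HTML parser (ensure_ascii already handles U+2028/2029)."""
    encoded = json.dumps(value, ensure_ascii=True)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def encode_url_component(value: str) -> str:
    """A single query-string value or path segment: everything but
    unreserved characters is percent-encoded, including '/' and '&'."""
    return quote(value, safe="")


def encode_css_string(value: str) -> str:
    """Inside a CSS string literal: hex-escape everything outside [A-Za-z0-9]."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"\\{ord(m.group(0)):06x}", value)


# Constructed payload aimed at a script context.
PAYLOAD = "</script><img src=x onerror=alert(1)>"


def render_script_block(encoder, value: str = PAYLOAD) -> str:
    """Assumed template: the value is dropped into a JS variable initializer."""
    return f"<script>var name = {encoder(value)};</script>"


def script_breaks_out(rendered: str) -> bool:
    """True if the data closed the script element before the template did."""
    return rendered.count("</script>") > 1


if __name__ == "__main__":
    print(encode_html(PAYLOAD))
    print(render_script_block(json.dumps), script_breaks_out(render_script_block(json.dumps)))
    print(render_script_block(encode_js), script_breaks_out(render_script_block(encode_js)))
    print(encode_url_component("a b&c=d/e"))
    print(encode_css_string('x"; } body{'))
```

The same payload is harmless in element content once HTML-escaped, and harmless in a script block once JSON-encoded with the extra angle-bracket escaping; it is the mismatch between encoder and context, not the payload, that creates the injection.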
File upload functionality introduces severe threats if not properly controlled. Malicious files can exploit vulnerable parsers, turn the application into a distribution point for malware, or enable path traversal. Image files can carry embedded scripts (SVG in particular) or trigger flaws in image-processing libraries. Even file names require validation to prevent path injection, and the server should never use the client-supplied name as a storage path. Threat modeling must consider the full lifecycle of an uploaded file: receipt, validation, storage, any processing such as thumbnailing, and serving it back to users.