Questions tagged [input-validation]
13 questions

Is it acceptable to ignore potential XSS payloads if they are not executed on our side?
9 votes, 3 answers, 3k views
I'm responsible for a web application where users can upload a file containing data in a specific syntax, which then automatically fills out a form instead of requiring manual input. The issue is that ...

Can buffer overflow attacks become impossible?
9 votes, 2 answers, 3k views
I admit that I don't fully understand how buffer overflow attacks work, but as far as I understand, the attacker sends an input that is longer than the section of memory that is supposed to temporarily ...

Is it possible to perform input validation in a system with "true" end-to-end encryption?
1 vote, 1 answer, 144 views
Imagine there is a secret key, which is used for symmetric encryption. I.e.: anyone with this key can encrypt / decrypt a message. A service allows users to store a message under a certain filepath, ...

How to scan and sanitize STL files?
2 votes, 0 answers, 171 views
Are there any tools to scan and/or sanitize .stl files? I maintain a security-critical GitHub repo. A contributor recently created a PR that includes changes to .md, .scad, and .stl files. The changes ...

How to resolve server-side request forgery (SSRF) warning for an HTTP request that takes Python package names as input?
1 vote, 2 answers, 3k views
I'm working on a function that returns an HTTP response from https://pypi.org/simple/ when Python's pip installer requests it for a package. When pushing my code onto GitHub, the CodeQL checks warn of ...

Primary techniques to prevent against hacks when passing user input to CLI arguments?
0 votes, 1 answer, 232 views
What are the main kinds of hacks that can be used when passing user input from the command line, and what are the key techniques to prevent against them (like to prevent against browser XSS attacks, ...

Is there any benefit to normalizing unicode/utf-8 names that I am overlooking?
4 votes, 1 answer, 362 views
Reading how Spotify was normalizing unicode inconsistently, and now I'm questioning if I am overlooking any issue on accepting non-normalized usernames. From what I can tell, lowercase was first used ...

Input sanitization
0 votes, 0 answers, 2k views
Is unwanted character removal enough to prevent most attacks (Python)? Obviously the code should have more sophisticated rules (e.g. remove more than one consecutive white space after a new line), ...

Phishing: can input data be saved before I hit the button?
1 vote, 1 answer, 236 views
I just clicked a phishing link and foolishly entered my credit card details. I realized it was phishing before I hit SUBMIT. Is there a chance I exposed my data?

Preventing users from tampering with input
15 votes, 6 answers, 7k views
Let's say that I have a single-page web app written in JavaScript and a server-side API, both changeable by me. The app calculates some values based on user input and POSTs these to the API. The ...

How would you test the security of a flat file processing application? [closed]
0 votes, 1 answer, 154 views
How would you test the security of a flat file processing application? Perhaps the question is more about how does the back-end of an application that takes a flat file with a specific template as ...

CWE-915 (overpost/mass assignment) and antiforgery when not saving posted object to storage
0 votes, 0 answers, 609 views
Veracode has found overpost or mass-assignment flaws (CWE 915) in our MVC portal. Technically, this is true, but I am wondering how much of an effort we would need to put into this, especially since ...

How to generate malicious input at processing stage?
0 votes, 3 answers, 175 views
I am developing an application and it needs to be highly secured. Because of that reason, I am researching more security vulnerabilities and I found the below paragraph. This is related to input ...