The OWASP Top 10 Proactive Controls are a list of security techniques to apply during the development of web applications. This entry covers the control on validating all input and handling exceptions.
Ensure all user input is validated and, where it must be rendered, sanitized or encoded, so that injection attacks and related vulnerabilities are prevented. In practice this means: implement strict input validation using allowlists and enforce the expected data format, which reduces the attack surface for SQL injection and remote code execution (input validation narrows what reaches the back end, but the injection itself is prevented by keeping data and commands separate, for example with parameterized queries). Apply context-appropriate output encoding to escape special characters in user-supplied data before rendering it in web pages, mitigating cross-site scripting (XSS). Handle exceptions securely by logging the error detail server-side and returning only a generic message to the client, so that attackers cannot gather insight into system internals from error text. Continuously monitor and test the validation mechanisms to detect and remediate weaknesses, so that protection against injection-based exploits stays robust as the application changes.
1. Prevent Malicious Data from Entering the System
1.1 Allowlisting vs Denylisting
Allowlist inputs, accepting only the values and formats the application expects, rather than denylisting, which tries to enumerate and block unwanted input. A denylist is only as good as the attacker's creativity and is far easier to bypass.
1.2 Client-Side and Server-Side Validation
Perform input validation on both the client and the server. Server-side validation is mandatory for security, because the client is under the attacker's control; client-side validation only improves the user experience.
1.3 Regular Expressions
Use regular expressions (regex) cautiously. Keep them specific and well-constructed, avoid nested or overlapping repetition, and cap input length before matching, to prevent ReDoS (regular expression denial of service) attacks.
1.4 Unexpected User Input (Mass Assignment)
Prevent mass assignment by never binding a request body directly to an internal object or model. Copy only the expected, validated fields into the object so that an attacker cannot set fields such as a role or admin flag that the form never exposed.
2. Limits of Input Validation
Input validation is not a complete defense: validated data can still be dangerous in a given output context (an apostrophe is a valid character in a name and a valid SQL delimiter). Pair it with output encoding and with the controls in section 3 to protect the application from injection and data manipulation attacks.
3. Use Mechanisms that Uphold the Separation of Data and Commands
Where an interpreter is involved (SQL, the browser's HTML parser, an OS shell), use mechanisms that pass user data as data, such as parameterized queries or prepared statements, rather than building commands by string concatenation.
3.1 JavaScript Injection Attacks
Prevent JavaScript injection by validating and encoding all dynamic content for the context it is rendered in, and by using a Content Security Policy (CSP) to restrict which script may execute.
3.2 Validating and Sanitizing HTML
Where users are allowed to submit HTML, sanitize it so that only safe content is rendered. Use a trusted, maintained library to strip unsafe elements and attributes that could be exploited for XSS; do not write a sanitizer with hand-rolled regexes.
By allowlisting inputs, validating thoroughly, and maintaining the separation between data and executable commands, organizations can reduce the risk of injection and unauthorized data manipulation.
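The following is an added example, not code from the original page or from OWASP, that puts items 1.1, 1.3 and 1.4 above into one server-side check: a profile-update handler that allowlists the fields a user may change, validates each with a specific, bounded regex, caps input length before any regex runs, and rejects any field that was not expected instead of binding the whole request body to the user object. The field names, patterns and sample payloads are assumptions chosen for illustration.

```python
import re
from typing import Any

# Length cap applied before any regex runs, so a pathological input cannot
# keep the matcher busy; the bounded quantifiers below are the second guard.
MAX_FIELD_LEN = 64

# Allowlist of profile fields a user may change, each with a specific,
# bounded pattern. Anything not listed (e.g. "is_admin", "balance") is an
# unexpected field and is rejected, which is what prevents mass assignment.
# Patterns are used with fullmatch() rather than "^...$" and match(), since
# "$" would also accept a trailing newline. (Field names are assumptions.)
ALLOWED_FIELDS = {
    "username": re.compile(r"[a-z0-9_]{3,32}"),
    "display_name": re.compile(r"[A-Za-z0-9 .'-]{1,64}"),
    "country": re.compile(r"[A-Z]{2}"),
}


class ValidationError(ValueError):
    """Raised for any unexpected field, wrong type, or badly formatted value."""


def validate_profile_update(payload: dict[str, Any]) -> dict[str, str]:
    """Return a new dict containing only allowlisted, validated fields."""
    unknown = set(payload) - set(ALLOWED_FIELDS)
    if unknown:
        # Reject rather than silently drop: an unexpected field is a signal.
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    cleaned: dict[str, str] = {}
    for field, pattern in ALLOWED_FIELDS.items():
        if field not in payload:
            continue
        value = payload[field]
        if not isinstance(value, str):
            raise ValidationError(f"{field}: expected a string")
        if len(value) > MAX_FIELD_LEN:
            raise ValidationError(f"{field}: too long")
        if not pattern.fullmatch(value):
            raise ValidationError(f"{field}: invalid format")
        cleaned[field] = value
    return cleaned


def is_valid_update(payload: dict[str, Any]) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_profile_update(payload)
        return True
    except ValidationError:
        return False


def apply_update(user: dict[str, Any], payload: dict[str, Any]) -> dict[str, Any]:
    """Copy only validated fields onto the user record.

    The vulnerable pattern this replaces is user.update(payload), which would
    let a client set is_admin=True simply by adding it to the JSON body.
    """
    updated = dict(user)
    updated.update(validate_profile_update(payload))
    return updated


if __name__ == "__main__":
    # Constructed sample records, not real data.
    user = {"id": 7, "username": "alice", "is_admin": False}
    print(apply_update(user, {"display_name": "Alice B.", "country": "DE"}))
    for bad in (
        {"username": "alice", "is_admin": True},   # mass assignment attempt
        {"username": "a" * 500},                   # oversized input
        {"country": "de\n"},                       # trailing newline
    ):
        print(bad, "->", "accepted" if is_valid_update(bad) else "rejected")
```

The admin flag never reaches the record because the handler copies from the validated dict, not from the request; the same structure applies to any ORM model where the framework offers a "bind request to object" shortcut.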
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-12-03-01-01 | Prevent malicious data from entering the system | Implement input validation to ensure only properly formatted data is accepted. Use allowlisting for inputs to only accept expected values, reducing the risk of malicious data entry. | Development | Security Engineers, Software Developers |
SSS-02-12-03-01-02 | Validate inputs on both client-side and server-side | Perform input validation on both client-side and server-side to ensure consistency and security. While client-side validation improves user experience, server-side validation is mandatory for security. | Development | Frontend Developers, Backend Developers |
SSS-02-12-03-01-03 | Use well-constructed regular expressions | Use regular expressions (regex) carefully, ensuring they are specific and optimized to avoid performance issues such as ReDoS (Regular Expression Denial of Service). | Development | Security Engineers, Software Developers |
SSS-02-12-03-01-04 | Prevent mass assignment vulnerabilities | Avoid mass assignment vulnerabilities by ensuring that only expected and validated fields can be updated. Do not bind unfiltered user input directly to internal objects. | Development | Backend Developers, Security Teams |
SSS-02-12-03-01-05 | Use mechanisms that uphold the separation of data and commands | Prevent injection attacks, including JavaScript injection and SQL injection, by keeping data and commands separate: use parameterized queries or prepared statements instead of string concatenation, encode output for the context it is rendered in, implement a Content Security Policy (CSP), and use trusted libraries for HTML sanitization. | Development | Security Engineers, Web Developers |
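As an added example for section 3 of the outline and for operation SSS-02-12-03-01-05 (not code from the original page), the block below shows the same lookup built by string concatenation and as a parameterized query against an in-memory SQLite table, then the output-encoding step for rendering user text in an HTML body. The table, rows and the attack string are constructed for the demonstration; the stored data is fictitious.

```python
import html
import logging
import sqlite3

log = logging.getLogger("app")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # VULNERABLE: the user's string becomes part of the SQL command, so a
    # value such as  ' OR '1'='1  changes the query instead of being data.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Parameterized: the command text is fixed and the value travels
    # separately, so it is compared as data no matter what it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_comment(author: str, body: str) -> str:
    # Output encoding for the HTML body context. html.escape() escapes
    # quotes as well by default, so the helper is also safe inside a
    # double-quoted attribute value; a URL or JavaScript context would
    # need its own encoder.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def lookup_for_client(conn: sqlite3.Connection, username: str) -> dict:
    """Return a client-facing result without leaking database error text.

    The full exception goes to the server log; the client sees only a
    generic message, so a failing query does not reveal schema or SQL.
    """
    try:
        return {"ok": True, "users": find_user_safe(conn, username)}
    except sqlite3.Error:
        log.exception("user lookup failed")
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    conn = setup_db()
    attack = "' OR '1'='1"                       # constructed attack string
    print("unsafe:", find_user_unsafe(conn, attack))  # every row comes back
    print("safe:  ", find_user_safe(conn, attack))    # no such user: []
    try:
        find_user_unsafe(conn, "'")              # a lone quote breaks the SQL
    except sqlite3.OperationalError as exc:
        # This text ("unrecognized token", "incomplete input", ...) is what a
        # careless handler would send to the client.
        print("leaked detail would be:", exc)
    print(render_comment("<script>", 'alert("x")'))
```

The parameterized version returns no rows for the attack string because SQLite compares the whole string, quote and all, against the username column; validation of the username format (section 1) is still worth having, but it is the parameter binding that makes the query safe.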
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1849); OWASP Proactive Controls | | |