OWASP Top Ten 2004 Category A1 - Unvalidated Input
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004.
Weaknesses
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buf...
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.
The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process th...
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes spe...
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...
The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs th...
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are as...
The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.
If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input valid...
The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().
When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient ...
Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weakn...
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Concepts
Deprecated or Obsolete
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is cons...
See Also
- A1 Unvalidated Input (OWASP)
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.