High | Authentication

Missing Input Validation on User Data

What Is This Vulnerability?

Missing input validation means the application accepts and processes user-supplied data without checking its type, format, length, or range. This can lead to a wide range of vulnerabilities including injection attacks, buffer overflows, application crashes, and data corruption. Input validation is a fundamental security control that forms the first line of defense.

Why It Happens

Developers sometimes trust client-side validation to handle data quality and skip server-side checks. Rapid prototyping often defers validation for later. Dynamic languages make it easy to work with untyped data, and the lack of compile-time type checking means malformed input only causes problems at runtime.

Example Code

Vulnerable: routes/register.ts

app.post("/api/register", async (req, res) => {
  // No server-side checks: the type, format, length and range of each field are unverified.
  const { email, username, age } = req.body;
  await db.query(
    "INSERT INTO users (email, username, age) VALUES ($1, $2, $3)",
    [email, username, age]
  );
  res.json({ success: true });
});

Fixed: routes/register.ts

import { z } from "zod";

const registerSchema = z.object({
  email: z.string().email().max(255),
  username: z.string().min(3).max(50).regex(/^[a-zA-Z0-9_]+$/),
  age: z.number().int().min(13).max(150),
});

app.post("/api/register", async (req, res) => {
  const parsed = registerSchema.safeParse(req.body);
  if (!parsed.success) {
    return res.status(400).json({ errors: parsed.error.flatten() });
  }

  const { email, username, age } = parsed.data;
  await db.query(
    "INSERT INTO users (email, username, age) VALUES ($1, $2, $3)",
    [email, username, age]
  );
  res.json({ success: true });
});

How Hackers Exploit It

Without validation, attackers can send unexpected data types (objects instead of strings for NoSQL injection), excessively long strings to cause denial of service, negative numbers to manipulate pricing logic, or special characters that trigger injection vulnerabilities downstream. The absence of validation amplifies the impact of nearly every other vulnerability category.

How to Fix It

Validate all input on the server side using a schema validation library like Zod, Joi, or Yup. Define strict schemas that specify the expected type, format, length, and range for every field. Reject requests that do not conform to the schema with descriptive error messages. Never rely solely on client-side validation, as it can be bypassed entirely.
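To show what such a schema check rejects, the following added example (not code from the original page) re-implements the register rules without Zod so it runs with no dependencies. `validateRegister`, the simplified email pattern, the rejection of unknown keys and the sample bodies are assumptions made for illustration.

```typescript
// Added example: dependency-free stand-in for the page's registerSchema.
type RegisterInput = { email: string; username: string; age: number };
type Result = { data: RegisterInput | null; errors: string[] };

const ALLOWED_KEYS = ["email", "username", "age"];
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // simplified check (assumption)
const USERNAME_RE = /^[a-zA-Z0-9_]+$/; // same pattern as the page's schema

function validateRegister(body: unknown): Result {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { data: null, errors: ["body: expected a JSON object"] };
  }
  const b = body as Record<string, unknown>;
  const errors: string[] = [];

  // Unknown keys are rejected rather than silently carried along.
  for (const key of Object.keys(b)) {
    if (ALLOWED_KEYS.indexOf(key) === -1) errors.push(key + ": unexpected field");
  }

  // Order matters: type, then length, then pattern. The typeof test stops
  // operator objects such as { "$ne": null }; the length cap runs before
  // the regex so oversized strings are cheap to reject.
  const email = b["email"], username = b["username"], age = b["age"];
  if (typeof email !== "string") errors.push("email: must be a string");
  else if (email.length > 255) errors.push("email: longer than 255");
  else if (!EMAIL_RE.test(email)) errors.push("email: invalid format");

  if (typeof username !== "string") errors.push("username: must be a string");
  else if (username.length < 3 || username.length > 50) errors.push("username: length must be 3-50");
  else if (!USERNAME_RE.test(username)) errors.push("username: invalid characters");

  // `% 1` also rejects NaN and Infinity; "25" (a string) fails typeof.
  if (typeof age !== "number" || age % 1 !== 0) errors.push("age: must be an integer");
  else if (age < 13 || age > 150) errors.push("age: must be 13-150");

  if (errors.length > 0) return { data: null, errors };
  // Return only the validated fields, never the raw body.
  return { data: { email: email as string, username: username as string, age: age as number }, errors };
}

// Constructed sample bodies, mirroring the malformed inputs described above.
const SAMPLE_BODIES: unknown[] = [
  { email: "a@example.com", username: "alice_1", age: 30 }, // valid
  { email: { $ne: null }, username: "alice_1", age: 30 }, // object instead of string
  { email: "a@example.com", username: Array(5001).join("x"), age: -5 }, // 5000 chars, negative
  { email: "a@example.com", username: "alice_1", age: 30, role: "admin" }, // extra key
];
const sampleErrors = SAMPLE_BODIES.map((b) => validateRegister(b).errors);
```

In the route handler, a non-empty `errors` array maps to the same 400 response the fixed code returns when `safeParse` fails.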

Frequently Asked Questions

Is client-side validation sufficient?
No. Client-side validation improves user experience but provides zero security. Attackers bypass it by sending requests directly with tools like curl or Postman. All validation must be duplicated on the server. Client-side validation is a UX feature, not a security feature.

What should I validate beyond type and format?
Validate string length (min and max), numeric ranges, array sizes, enum values, and cross-field constraints (like confirm_password matching password). Also validate that IDs reference objects the user has permission to access. Business logic validation is just as important as format validation.

How does Zod compare to Joi for input validation?
Zod is TypeScript-native and provides excellent type inference, meaning your validated data is automatically typed without manual type definitions. Joi has a larger ecosystem and more built-in validators. Both are effective choices. Zod is generally preferred in TypeScript projects for its tighter type integration.
