Input validation and output encoding
Description
What this control does
Input validation and output encoding are complementary controls that keep untrusted data from being interpreted as code. Input validation checks all user-supplied and external data against defined acceptance criteria (type, length, format, range and, wherever the field allows it, an allowlist of permitted values) before processing, rejecting non-conforming data at the entry point. Output encoding, more generally safe output handling, is applied at the point where data is handed to an interpreter, and the correct technique depends on that interpreter: entity encoding for HTML, JavaScript-string and URL encoding for those contexts, escaping for XML element and attribute content, parameterized queries (bound parameters) for SQL, and passing arguments directly to a process rather than through a shell for OS commands. Validation narrows what enters the application but cannot by itself prevent injection, because a value that is legitimate for one field (an apostrophe in a surname) can still be dangerous in a later context; the output-side control is therefore applied to every value regardless of whether it was validated. Together, these controls enforce the principle that data and code remain separate at every point in the data flow.
Control objective
What auditing this proves
Demonstrate that the organization systematically validates all inputs against defined criteria and encodes outputs appropriately for the target context before rendering or executing, preventing injection attacks and data integrity failures.
Associated risks
Risks this control addresses
- SQL injection attacks that extract, modify, or delete database contents by injecting malicious SQL commands through unvalidated user inputs
- Cross-site scripting (XSS) attacks that execute malicious JavaScript in users' browsers by reflecting or storing unencoded user input and rendering it in web pages
- Command injection attacks that execute arbitrary operating system commands by passing unvalidated data to system shells or processes
- XML External Entity (XXE) attacks that read local files or perform server-side request forgery through XML input parsed with external entity resolution enabled
- Path traversal attacks that access unauthorized files by injecting directory traversal sequences in file path parameters
- LDAP injection attacks that bypass authentication or extract directory information through manipulated query strings
- Data corruption or application crashes caused by oversized inputs, unexpected character sets, or malformed data structures exceeding buffer limits
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's secure coding standards, input validation policy, and output encoding guidelines to understand documented requirements for data handling
- Select a representative sample of 5-8 applications across different technology stacks (web, mobile, API) and business criticality levels for detailed assessment
- Review application source code or configuration to identify all external input points including form fields, URL parameters, API endpoints, file uploads, and third-party integrations
- Examine implemented validation routines to confirm they use allowlists defining acceptable patterns rather than denylists of known bad patterns, and verify validation occurs server-side (client-side checks may exist for usability but do not count as the control)
- Test each identified input point by submitting payloads containing SQL metacharacters, HTML/JavaScript tags, OS command separators, and path traversal sequences, and confirm each payload is either rejected at the entry point or, where the field legitimately accepts such characters, stored and rendered inertly in every downstream context
- Trace data flow from input through processing to output contexts and verify context-appropriate handling is applied at each sink (HTML entity encoding for page content, JavaScript and URL encoding for those contexts, parameterized queries for databases, argument arrays without a shell for process execution, and escaping specific to that shell only where a shell cannot be avoided)
- Review automated testing results from static application security testing (SAST) and dynamic application security testing (DAST) tools for input validation and output encoding vulnerabilities
- Interview development team members to confirm training on injection prevention techniques and verify secure coding practices are enforced through code review and automated pipeline checks
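The following is an added example, not code from the control text or from any audited application. It shows, in one place, the two halves the description above separates (allowlist validation at the entry point, then handling chosen by the target interpreter) and the auditor's trace step (the same constructed payloads submitted to each sink). The field names, regexes, table layout and payload strings are assumptions chosen for illustration; the vulnerable query form is kept only so the difference can be observed on a throwaway in-memory database.

```python
"""Allowlist validation plus context-specific output handling for one request.

Constructed example added to this page; not code from the original control
text. Field names, regexes and the in-memory users table are assumptions.
"""
import html
import re
import sqlite3
import subprocess
import sys
from pathlib import Path
from urllib.parse import quote

# Allowlists: each field accepts only the pattern it is defined to contain.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class ValidationError(ValueError):
    """Raised at the entry point when a value fails its allowlist."""


def validate_username(value):
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username does not match allowlist")
    return value


def validate_filename(value):
    if not isinstance(value, str) or not FILENAME_RE.fullmatch(value):
        raise ValidationError("filename does not match allowlist")
    return value


# Output handling is chosen by the target interpreter, not by the input.
def html_fragment(display_name):
    # HTML body context: entity-encode so the value can never open a tag.
    return "<li>%s</li>" % html.escape(display_name, quote=True)


def html_link(display_name, filename):
    # URL inside an attribute: percent-encode for the URL, then entity-encode
    # the attribute value. Two contexts, two encodings, applied inside out.
    href = html.escape(quote(filename, safe=""), quote=True)
    return '<a href="/files/%s">%s</a>' % (href, html.escape(display_name, quote=True))


def lookup_user(conn, username):
    # SQL context: a bound parameter never becomes part of the statement text.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchone()


def lookup_user_vulnerable(conn, username):
    # 'Before' form, kept for comparison only: concatenation lets a quote
    # character rewrite the query.
    return conn.execute("SELECT id, name FROM users WHERE name = '%s'" % username).fetchall()


def resolve_upload(root, filename):
    # Filesystem context: canonicalize and check containment, so traversal is
    # caught even if the allowlist is loosened later.
    base = Path(root).resolve()
    target = (base / filename).resolve()
    if base not in target.parents:
        raise ValidationError("path escapes the upload root")
    return target


def echo_argv(value):
    # OS context: argv list and no shell, so ';', '|' and '$(' are ordinary
    # bytes inside one argument rather than command separators.
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


# Constructed auditor payloads mirroring the testing procedure.
PAYLOADS = {
    "sql": "' OR '1'='1",
    "xss": "<script>alert(1)</script>",
    "cmd": "a; id",
    "traversal": "../../etc/passwd",
}


def audit_validator(validator, payloads=PAYLOADS):
    """Return {payload name: 'rejected' | 'accepted'} for one entry point."""
    results = {}
    for name, payload in payloads.items():
        try:
            validator(payload)
            results[name] = "accepted"
        except ValidationError:
            results[name] = "rejected"
    return results


def demo_sql(payload=PAYLOADS["sql"]):
    """Run the SQL payload through both query forms on a throwaway table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    leaked = len(lookup_user_vulnerable(conn, payload))  # rows handed to the attacker
    safe = lookup_user(conn, payload)                     # None: no such literal name
    conn.close()
    return leaked, safe


if __name__ == "__main__":
    print("username field:", audit_validator(validate_username))
    print("vulnerable vs parameterized:", demo_sql())
    print(html_fragment(PAYLOADS["xss"]), "| argv sees:", repr(echo_argv(PAYLOADS["cmd"])))
```

The point an auditor should take from running it is that the allowlist alone rejects all four payloads for these two fields, yet `lookup_user_vulnerable` still returns every row when handed the SQL payload directly; a validation bypass or a looser field definition anywhere upstream is enough to reach it, which is why the trace step checks the sink and not only the entry point.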