Secure-Code-Review (Part 1)


Unlock the Secrets of Secure Code Review with OWASP: A Must-Read for Every Developer!
Input Validation:
Perform input validation on a secure system (server-side, not client-side), i.e., at the point where data sent by the client arrives at the server. This ensures that only safe, valid, and expected data is processed and stored.
Identify and categorize all data sources as trusted or untrusted. Doing this helps you understand what to validate, sanitize, or treat as potentially dangerous.
Encode inputs to a common character set before validation. This means converting all incoming data into a consistent, expected format (usually UTF-8) before you start validating or processing it. Malicious users can use encoding tricks to bypass validation and inject dangerous payloads.
Example: encoding bypass, where `%3Cscript%3Ealert('XSS')%3C%2Fscript%3E` is the URL-encoded form of `<script>alert('XSS')</script>` and slips past a check that only looks at the raw, undecoded value.
Validate data lengths to ensure they conform to the expected size.
Use an allow list to validate expected data types rather than a deny list.
Ensure that protocol header values in both requests and responses contain only ASCII characters, because ASCII provides standardization, compatibility, and security across systems.
Use **canonicalization** (converting data into a standard, consistent, normalized format) to handle **obfuscation** attacks (where an attacker hides malicious input using unusual formats or encodings to bypass security checks) and to ensure inputs are processed consistently.
Output Encoding:
Perform all output encoding on a secure system.
Specify a character set, such as UTF-8, for all outputs to ensure consistency.
Ensure output encoding is safe and compatible with all target systems.
Contextually sanitize all output of untrusted data before it is used in SQL, XML, or LDAP queries to prevent injection attacks.
Sanitize untrusted data before passing it to operating system commands; otherwise it can lead to remote code execution.
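The following is an added example (not code from the original post or from OWASP) that ties the input-validation and output-encoding points together: it canonicalizes a value (repeated percent-decoding plus Unicode NFKC normalization) before validating it against an allow list and a length limit, shows why a deny-list check on the raw value is defeated by the encoded payload above, and applies HTML-context output encoding. The username field, its 32-character limit, its allowed alphabet, and the decode-round limit are assumptions chosen for the example.

```python
import html
import unicodedata
from typing import Optional
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3      # assumption: stop after nested encodings this deep
USERNAME_MAX_LEN = 32      # assumption: application-defined length limit
USERNAME_ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789_")  # assumed allow list


def canonicalize(raw: str) -> str:
    """Bring input to a single canonical form before any validation.

    Percent-decoding is repeated until the value stops changing, so a
    double-encoded payload (%253C -> %3C -> <) cannot slip past the checks.
    NFKC normalization collapses look-alike code points (e.g. fullwidth 'a').
    """
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def naive_is_safe(raw: str) -> bool:
    """Deny-list check on the raw value: the kind of check encoding bypasses."""
    return "<script" not in raw.lower()


def validate_username(raw: str) -> Optional[str]:
    """Allow-list validation after canonicalization and a length check.

    Returns the canonical, lower-cased value, or None when it must be rejected.
    """
    value = canonicalize(raw)
    if not 1 <= len(value) <= USERNAME_MAX_LEN:
        return None
    if any(ch not in USERNAME_ALLOWED for ch in value.lower()):
        return None
    return value.lower()


def render_html(value: str) -> str:
    """Contextual output encoding for an HTML body context."""
    return html.escape(value, quote=True)
```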
"In security, what you don't see can hurt you: review every line like an attacker already has."
Thank You
Written by sanket narawade