user-input-not-validated

Low

What it is

Input fields accept data that violates the expected type, format, or length — such as letters in a numeric field, non-email strings in an email field, or extremely long strings in a text field with no length limit.

Why it matters

Missing input validation can cause:
  • Application errors when invalid data reaches downstream processing
  • Database constraint violations
  • Unexpected behavior in business logic
  • In some cases, performance issues from extremely long inputs

While lower severity than injection vulnerabilities, invalid inputs can trigger unexpected server behavior that aids further exploitation.

How QAOS detects it

The agent identifies form fields and submits type-mismatched, boundary-value, and special character payloads, observing whether the application accepts or rejects them:
  • Numeric fields: submitting letters and special characters
  • Email fields: submitting strings without @
  • Text fields: submitting extremely long strings (10,000+ characters)
  • Bounded fields: submitting values at and beyond stated limits

Examples

Age field: "twenty-five"        ← letters in numeric field
Email field: "notanemail"       ← missing @ symbol
Phone field: "+1 DROP TABLE"    ← special characters
Comment field: "A" * 50000      ← extremely long string

How to fix

Validate all inputs both client-side (for immediate user feedback) and server-side (for security). Client-side validation alone is never sufficient.
<!-- HTML5 built-in validation (client-side: immediate feedback only) -->
<input type="number" min="0" max="150" required>
<input type="email" required>
<input type="text" maxlength="500">

// Server-side validation with Zod (TypeScript)
import { z } from "zod";

const schema = z.object({
  age: z.number().int().min(0).max(150),
  email: z.string().email(),
  comment: z.string().max(500),
});

// schema.parse(body) throws a ZodError listing every failing field;
// schema.safeParse(body) returns { success, error } instead of throwing.

# Python with Pydantic (EmailStr needs the email-validator package)
from pydantic import BaseModel, EmailStr, Field

class UserInput(BaseModel):
    age: int = Field(ge=0, le=150)
    email: EmailStr
    comment: str = Field(max_length=500)

# UserInput(**body) raises ValidationError with one entry per failing field.

Return clear, specific error messages when validation fails so users know what to correct.
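As an added example (not QAOS's own code), a standard-library-only Python validator that mirrors the constraints of the schemas above and runs the four probe payloads from the Examples section, returning one specific error per failing field. The phone pattern is an assumption, since the page shows no phone schema.

```python
import re

# Constraints mirror the schemas on this page: integer age 0..150,
# email of the form local@domain, comment of at most 500 characters.
AGE_MIN, AGE_MAX = 0, 150
COMMENT_MAX = 500
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed phone format (the page gives none): optional +, then digits,
# spaces, hyphens and parentheses only.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 \-()]{6,19}$")


def validate_user_input(data: dict) -> dict[str, str]:
    """Return {field: error message}; an empty dict means the payload is valid.
    Every field is checked so the user sees all problems in one round trip."""
    errors: dict[str, str] = {}

    age = data.get("age")
    if isinstance(age, str) and re.fullmatch(r"-?\d+", age.strip()):
        age = int(age)  # form-encoded bodies deliver numbers as strings
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(age, bool) or not isinstance(age, int):
        errors["age"] = "age must be a whole number"
    elif not AGE_MIN <= age <= AGE_MAX:
        errors["age"] = f"age must be between {AGE_MIN} and {AGE_MAX}"

    email = data.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        errors["email"] = "email must be of the form name@example.com"

    phone = data.get("phone")
    if not isinstance(phone, str) or not PHONE_RE.match(phone):
        errors["phone"] = "phone may contain only digits, spaces, +, -, ( and )"

    comment = data.get("comment")
    if not isinstance(comment, str):
        errors["comment"] = "comment must be text"
    elif len(comment) > COMMENT_MAX:
        # Length is checked before anything downstream touches the string.
        errors["comment"] = f"comment must be at most {COMMENT_MAX} characters"

    return errors


# Constructed sample: the four probe payloads from the Examples section.
PROBE = {"age": "twenty-five", "email": "notanemail",
         "phone": "+1 DROP TABLE", "comment": "A" * 50000}
VALID = {"age": 25, "email": "user@example.com",
         "phone": "+1 555-0100", "comment": "hello"}

if __name__ == "__main__":
    for name, payload in (("probe", PROBE), ("valid", VALID)):
        print(name, validate_user_input(payload) or "OK")
```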