REST API Input Validation

Understand the nuances of input validation for REST API and the golden rule of security: any input is untrusted and must be validated.

What is input validation?

User input is untrusted and has to be tested. It is either a part of the URL or part of the payload. Testing user input is called input validation. Input validation helps prevent the system from being exploited by an attacker. Detecting a malicious user is difficult; therefore, all users must be treated as untrusted, and input has to be checked from each one of them.

When we have a REST API, we always validate the data at the entry and exit points. We should also be careful to not give complete details of an error to the end user. Rather, we report all details only to authorized users who maintain the system and need access to error reports.

Let’s learn more about the consequences of a poorly validated REST API.

Input validation attack

An attack is called an input validation attack if a malicious user creates a custom malicious input and feeds it to the REST API. If the REST API is vulnerable, it is susceptible to an attack.

So, what can the kind of input can be used by an attacker?

Inputs don’t always have to be in the form of data points. For example, if we’re working in an employee management system, input does not have to always be some attribute related to an employee. Possible types of input could be code, scripts, commands, and so on.

Get hands-on with 1200+ tech skills courses.