Web Input Boundary and Validation Matrix
The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted, because the client has every opportunity to tamper with it.
In many cases, encoding has the potential to defuse attacks that rely on a lack of input validation. For example, if you use HTML entity encoding on user input before it is sent to a browser, it will prevent most XSS attacks. However, simply preventing attacks is not enough: you must also perform intrusion detection in your applications. Otherwise, you are allowing attackers to repeatedly attack your application until they find a vulnerability that you haven't protected against. Detecting attempts to find these weaknesses is a critical protection mechanism.
Boundary value analysis is a software testing design technique to determine test cases covering off-by-one errors. The boundaries of software component input ranges are areas of frequent problems.
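The sketch below is an added example, not taken from the matrix or the book. It runs boundary values against two allow-list validators and records every rejection so that repeated probing can be detected. The field rules, function names and the in-memory event list are assumptions made for illustration.

```python
import html
import re
from collections import Counter

# Hypothetical field rules for a sign-up form (constructed for this example).
USERNAME_LEN = (3, 20)                      # inclusive length range
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")  # allow-list of characters
AGE_RANGE = (18, 120)                       # inclusive numeric range

rejections = []  # stand-in for a security event log

def _reject(field, value, ip):
    # Store an escaped, truncated copy so the log viewer cannot be attacked.
    rejections.append({"field": field, "ip": ip,
                       "value": html.escape(repr(value)[:64])})
    return False

def validate_username(value, ip="unknown"):
    lo, hi = USERNAME_LEN
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if (isinstance(value, str) and lo <= len(value) <= hi
            and USERNAME_RE.fullmatch(value)):
        return True
    return _reject("username", value, ip)

def validate_age(raw, ip="unknown"):
    # [0-9] rather than \d: \d also matches non-ASCII Unicode digits.
    if isinstance(raw, str) and re.fullmatch(r"[0-9]{1,3}", raw):
        if AGE_RANGE[0] <= int(raw) <= AGE_RANGE[1]:
            return True
    return _reject("age", raw, ip)

def boundary_values(lo, hi):
    """Test points around both edges of the inclusive range [lo, hi]."""
    return [lo - 1, lo, lo + 1, hi - 1, hi, hi + 1]

def run_matrix():
    """Map each boundary case to whether the validator accepted it."""
    results = {}
    for n in boundary_values(*USERNAME_LEN):
        results[f"username_len_{n}"] = validate_username("a" * n)
    for n in boundary_values(*AGE_RANGE):
        results[f"age_{n}"] = validate_age(str(n))
    return results

def probing_sources(threshold):
    """Source addresses with at least `threshold` rejected inputs."""
    counts = Counter(event["ip"] for event in rejections)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

An off-by-one mistake in either range check, such as `<` where `<=` belongs, flips exactly one of the twelve results returned by `run_matrix()`.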
Code injection is a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution. The results of a code injection attack can be disastrous. For instance, code injection is used by some computer worms to propagate.
The following is a Web Input Boundary and Validation Matrix, which is based on the book Testing Applications on the Web: Test Planning for Mobile and Internet-Based Systems by Hung Q. Nguyen, Bob Johnson and Michael Hackett. It can be used to ensure that all customer-facing forms are thoroughly checked against out-of-scope values and various injection attacks. If you find the matrix useful, you might enjoy the whole book as well.
Download: Web Input Boundary and Validation Matrix (.xls)

