Report on Input Validation in Name and Email Fields

---

Observation:

During the retest, it was observed that the input validation issue in the name field has been successfully resolved. Validation is now implemented on both the client side and the server side, ensuring secure processing of user input for the name field.

However, the email field still permits disallowed special characters such as !, #, $, %, ^ and *, violating the email format standard the report references, RFC 5322. This discrepancy indicates that backend validation for the email field is incomplete.

---

Impact:

Security Risks:
- Backend validation gaps allow attackers to bypass client-side restrictions by sending requests directly to the server.
- This exposes the application to injection attacks such as SQL Injection or XSS.

Functional Issues:
- Invalid email formats may fail during communication with email servers.
- This causes operational inefficiencies and a poor user experience.

Compliance Risks:
- Non-adherence to RFC standards for email validation affects compliance and system reliability.

---

Remediation Recommendations:

Server-Side Validation:
- Apply strict server-side validation to the email field, allowing only the characters specified in RFC 5322 (a-z, A-Z, 0-9, ., -, _, +, @).

Consistency in Validation:
- Ensure that client-side and server-side validation rules are aligned so that one cannot be bypassed by skipping the other.

Sanitization and Escaping:
- Sanitize all inputs and escape special characters to mitigate injection attacks.

Validation Testing:
- Conduct regular tests to ensure validation rules remain effective and secure.

---

References:

1. RFC 5322 - Internet Message Format
2. OWASP Input Validation Cheat Sheet

The resolution of the input validation issue in the name field—both on the client side and the server side—is commendable. Applying similar practices to the email field will enhance overall system security and reliability.
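The following is an added example, not code from the report or the assessed application, of the server-side check the remediation section recommends: an allow-list built from the report's character set (a-z, A-Z, 0-9, ., -, _, +, @), applied in the request handler so that a request which skips the client-side check is still rejected. The `handle_signup` handler and its status codes are assumptions for illustration; note also that the allow-list is stricter than RFC 5322 itself, whose local-part grammar (atext) does permit characters such as ! # $ % ^ *, so the list here reflects the report's recommendation rather than the full RFC grammar.

```python
import re

# Allow-list from the report's remediation section; nothing outside it is accepted.
ALLOWED = re.compile(r"^[A-Za-z0-9._+\-@]+$")
# Domain labels: alphanumerics with internal hyphens only.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_email(value, max_len=254):
    """Server-side check; returns (accepted, reason). Does not trust the client."""
    if not isinstance(value, str) or not value:
        return False, "empty"
    if len(value) > max_len:
        return False, "too long"
    if not ALLOWED.fullmatch(value):
        bad = sorted({c for c in value if not ALLOWED.fullmatch(c)})
        return False, "disallowed characters: " + "".join(bad)
    if value.count("@") != 1:
        return False, "expected exactly one '@'"
    local, domain = value.split("@")
    if not local or local.startswith(".") or local.endswith(".") or ".." in local:
        return False, "malformed local part"
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(lbl) for lbl in labels):
        return False, "malformed domain"
    return True, "ok"


def handle_signup(payload):
    """Hypothetical request handler: validates the email field regardless of
    whether the browser-side check ran, and returns an HTTP-style (status, body)."""
    ok, reason = validate_email(payload.get("email"))
    if not ok:
        return 400, {"error": "invalid email: " + reason}
    return 201, {"email": payload["email"]}


if __name__ == "__main__":
    # Constructed sample inputs, including the characters the report flagged.
    for sample in ["user.name+tag@example.com", "user!name@example.com",
                   "a#b$c%d^e*f@example.com", "user@@example.com", "user@localhost"]:
        print(sample, "->", handle_signup({"email": sample}))
```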