Tech Due Diligence SEC-7: Input Validation and Application Security
What This Control Requires
The assessor evaluates application-level security controls: input validation, output encoding, protection against injection attacks (SQL, XSS, SSRF), CSRF protection, and adherence to secure coding practices, with the OWASP Top 10 as the reference list of vulnerability classes.
In Plain Language
Injection attacks, XSS, and SSRF remain among the most common ways web applications get compromised. These vulnerability classes are well understood and have well-known prevention techniques, so finding them in your codebase during DD tells us something uncomfortable: either security awareness is lacking on the team, or security simply is not a priority in the development process.
We examine how the application handles user input and generates output across the board: input validation and sanitisation practices, output encoding to prevent XSS, SQL injection prevention through parameterised queries, CSRF protection for state-changing operations, SSRF prevention for server-side requests, file upload security, and HTTP security headers such as Content-Security-Policy and X-Frame-Options.
Modern frameworks provide built-in protection for many of these issues when used correctly. When we still find these vulnerabilities, it usually means the framework is being misused or custom code is bypassing the protections the framework offers.
How to Implement
Validate input at every entry point to the application using an allowlist approach: define what valid input looks like and reject everything else. Check data type, format, length, allowed characters, and business rules. Lean on framework-provided validation wherever possible, and treat validation as a complement to output encoding and parameterised queries, not a substitute for them.
Prevent SQL injection by using parameterised queries or ORM methods exclusively. Never build SQL statements by concatenating user input. Parameters bind only values: table and column names (for example a user-selectable ORDER BY) cannot be bound and must be checked against an allowlist instead. Enable query logging in development and test so raw SQL that bypasses the ORM is visible, and flag string-built queries in code review. Query builder libraries that make parameterised queries the default path are a good investment.
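The following is an added example, not code from the page or from any product it describes. It runs the classic `' OR '1'='1` payload against an in-memory SQLite table (constructed sample data) through a concatenated query and through a parameterised one, and shows the one case parameters cannot cover, a user-chosen ORDER BY column, handled with an allowlist. The table, column and function names are assumptions for the demonstration.

```python
"""Added example: SQL injection via string concatenation versus a
parameterised query, plus allowlisting for an identifier that cannot be
bound as a parameter. Runs against in-memory SQLite with constructed data."""
import sqlite3

# Constructed sample rows for the demonstration.
SAMPLE_USERS = [("alice", "hash-of-alice-password"), ("bob", "hash-of-bob-password")]

# Column names the application is willing to sort by. Identifiers cannot be
# bound as parameters, so the only safe dynamic ORDER BY is an allowlisted one.
SORTABLE_COLUMNS = {"id", "username"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the value becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterised: the driver sends the value separately from the SQL text,
    so quotes in the input are data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def list_users_sorted(conn, order_by):
    """Dynamic ORDER BY: check the identifier against an allowlist before it
    is interpolated, because '?' placeholders cannot stand in for a column name."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {order_by}")]


def demo():
    """Run the same payload through both code paths and report what each returns."""
    conn = make_db()
    payload = "x' OR '1'='1"
    try:
        list_users_sorted(conn, "username; DROP TABLE users")
        sort_injection_rejected = False
    except ValueError:
        sort_injection_rejected = True
    return {
        "vulnerable": find_user_vulnerable(conn, payload),  # every row comes back
        "safe": find_user_safe(conn, payload),              # nobody is literally named that
        "sorted": list_users_sorted(conn, "username"),
        "sort_injection_rejected": sort_injection_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns both users for a payload that matches no username; the parameterised path returns none. The ORDER BY helper is the pattern to look for in review: any identifier that reaches SQL text must come from a fixed set, not from the request.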
Prevent XSS with context-aware output encoding: HTML text, attribute values, inline JavaScript, and URLs each need a different encoding, and applying the wrong one leaves the hole open. Modern frameworks like React, Angular, and Vue escape output by default in template rendering. Be careful with escape hatches like dangerouslySetInnerHTML (React), v-html (Vue), and Angular's bypassSecurityTrust* methods, and with values that end up in URL attributes or inline scripts, where HTML escaping alone is not the right encoding. Layer on Content-Security-Policy headers for defence in depth.
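As an added example (not code from the page or from any framework), here is context-aware encoding for a hand-built template: one encoder per output context, and a tiny template that uses the right one for each interpolation. The function names and the profile template are assumptions for the demonstration; the point is that `html.escape()` alone is the wrong tool for an inline script or an href.

```python
"""Added example: context-aware output encoding. One encoder per output
context (HTML text, attribute, inline JavaScript string, URL parameter,
whole URL). Hand-built template, not a framework; names are assumed."""
import html
import json
from urllib.parse import quote


def for_html_text(value):
    """Element content (<p>...</p>): escape & < > " '."""
    return html.escape(value, quote=True)


def for_html_attr(value):
    """Quoted attribute value. The template must always quote the attribute;
    escaping does not help an unquoted one."""
    return html.escape(value, quote=True)


def for_js_string(value):
    """String literal inside an inline <script>. JSON-encoding handles quotes,
    backslashes and control characters; then neutralise '</' (which can end
    the script block) and the two line terminators JSON leaves raw."""
    return (json.dumps(value)
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def for_url_param(value):
    """A value embedded in one query-string component."""
    return quote(value, safe="")


def for_href(value):
    """A complete URL for href/src: allow only http(s) and same-origin paths,
    then attribute-encode. javascript:, data:, and protocol-relative //host
    URLs are replaced by an inert fragment."""
    v = value.strip()
    allowed = v.lower().startswith(("http://", "https://")) or (
        v.startswith("/") and not v.startswith("//"))
    return for_html_attr(v if allowed else "#")


def render_profile(name, homepage):
    """Each interpolation uses the encoder for the context it lands in."""
    return (
        f"<h1>{for_html_text(name)}</h1>\n"
        f'<a href="{for_href(homepage)}" title="{for_html_attr(name)}">home</a>\n'
        f'<a href="/search?q={for_url_param(name)}">search</a>\n'
        f"<script>var user = {for_js_string(name)};</script>"
    )


if __name__ == "__main__":
    print(render_profile('"><script>alert(1)</script>', "javascript:alert(1)"))
```

The script-context encoder is the one reviewers most often find missing: a value that is HTML-escaped and then dropped into `<script>var x = "…"</script>` still terminates the string with a quote or the block with `</script>`.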
Add CSRF protection to all state-changing requests. Use anti-CSRF tokens (synchroniser token pattern) or SameSite cookie attributes, and never perform state changes on GET: SameSite=Lax still sends cookies on top-level GET navigations. API-based applications that send a Bearer token in the Authorization header have lower CSRF risk because the browser does not attach that header on its own, but it still needs to be assessed; if the token is stored in a cookie, that protection is gone.
Prevent SSRF by restricting server-side requests. Do not let user-controlled URLs drive server-side HTTP calls without validation. Restrict schemes to http and https, maintain allowlists for external services, and block requests to internal and special-purpose ranges: loopback (127.0.0.0/8, ::1), private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and link-local 169.254.0.0/16, which contains the cloud metadata endpoint 169.254.169.254. Check the addresses the hostname actually resolves to, not just the hostname, connect to the checked address rather than resolving a second time (DNS rebinding), and re-validate any redirect before the HTTP client follows it.
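The following is an added example, not code from the page. It validates a user-supplied URL the way the paragraph describes: scheme check, no embedded credentials, optional host allowlist, resolution of the hostname, rejection of any answer in a non-public range (including IPv4-mapped IPv6 forms such as `::ffff:127.0.0.1`), and return of the checked address so the caller connects to it directly. The resolver is injectable and the demonstration uses constructed DNS answers so it runs offline; hostnames under `.example` and the address `93.184.216.34` are stand-ins.

```python
"""Added example: SSRF guard for user-supplied URLs. Returns the validated,
pinned IP so the caller connects to it instead of resolving again. The
`resolve` argument is injectable; FAKE_DNS is constructed so this runs offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolve(host):
    """All A/AAAA answers for host, as strings (real resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot dodge the IPv4 checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, allowed_hosts=None, resolve=system_resolve):
    """Return (host, pinned_ip, port) if the URL is safe to fetch; raise ValueError otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    port = parts.port or (443 if scheme == "https" else 80)
    try:
        answers = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        answers = resolve(host)
    if not answers:
        raise ValueError(f"host does not resolve: {host!r}")
    # Every answer must be public: an attacker who controls the zone can mix in an internal one.
    bad = [a for a in answers if not is_public_address(a)]
    if bad:
        raise ValueError(f"{host!r} resolves to non-public address(es): {bad}")
    return host, answers[0], port


# Constructed DNS answers so the demonstration runs offline.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def run_checks():
    """Validate a constructed set of URLs and report the decision for each."""
    urls = [
        "https://api.partner.example/v1/report",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]:8080/admin",
        "file:///etc/passwd",
        "https://user:pw@api.partner.example/",
        "https://rebind.attacker.example/",
    ]
    results = {}
    for url in urls:
        try:
            results[url] = validate_outbound_url(url, resolve=fake_resolve)
        except ValueError as exc:
            results[url] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for url, outcome in run_checks().items():
        print(url, "->", outcome)
```

The caller should open the connection to the returned IP, send the original hostname in the Host header (and as SNI for TLS), and disable automatic redirects, passing each redirect target back through `validate_outbound_url` before following it.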
Set security headers on all responses: Content-Security-Policy to restrict resource loading, X-Content-Type-Options: nosniff, X-Frame-Options (or the CSP frame-ancestors directive) to prevent clickjacking, Strict-Transport-Security to enforce HTTPS, and a sensible Referrer-Policy. Verify them against a deployed environment rather than in unit tests alone, since a reverse proxy or CDN in front of the application can strip or override what the application sets.
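As an added example (not from the page), here is a checker that takes the response headers of a deployed endpoint as a plain dict and produces the findings an auditor would look for: missing headers, a CSP without a default-src fallback or with inline/wildcard scripts, no clickjacking protection, a wrong X-Content-Type-Options value, and an HSTS max-age under a year. The two sample responses are constructed; the recommended values are one reasonable baseline, not the only acceptable one.

```python
"""Added example: check a response's security headers and return findings.
Input is a dict of header name -> value (case-insensitive). The WEAK and
HARDENED responses below are constructed for the demonstration."""

ONE_YEAR = 31536000

# A reasonable baseline; adjust CSP sources to what the application actually loads.
RECOMMENDED = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "referrer-policy": "strict-origin-when-cross-origin",
}


def _parse_csp(csp):
    """Map directive name -> list of source tokens."""
    directives = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _hsts_max_age(value):
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return None
    return None


def check_security_headers(headers):
    """Return a list of findings; an empty list means the response passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, recommended in RECOMMENDED.items():
        if name not in h:
            findings.append(f"missing {name} (recommended: {recommended})")

    csp = _parse_csp(h.get("content-security-policy", ""))
    if "content-security-policy" in h and "default-src" not in csp:
        findings.append("csp: no default-src fallback, unlisted resource types are unrestricted")
    script_src = csp.get("script-src", csp.get("default-src", []))
    if "'unsafe-inline'" in script_src or "*" in script_src:
        findings.append("csp: script-src permits inline or wildcard scripts, which defeats XSS mitigation")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("no clickjacking protection: set frame-ancestors or X-Frame-Options DENY/SAMEORIGIN")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"x-content-type-options should be 'nosniff', got {xcto!r}")

    if "strict-transport-security" in h:
        age = _hsts_max_age(h["strict-transport-security"])
        if age is None or age < ONE_YEAR:
            findings.append(f"hsts: max-age should be at least {ONE_YEAR} seconds")
    return findings


# Constructed responses for the demonstration.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(resp) or "OK")
```

Run it against the live staging hostname (for example by feeding it the headers from a real GET), not against the application's own configuration file, so that whatever the proxy layer does to the headers is part of the evidence.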
For file uploads, validate file type through content inspection (magic bytes or a real parser) rather than just extension checking. Limit file size, store uploads outside the web root, scan for malware, and store each file under a server-generated name so the client-supplied name never reaches the filesystem; that closes both path traversal and overwriting of existing files. When serving uploads back, send a fixed Content-Type and Content-Disposition: attachment so a polyglot file is downloaded rather than rendered or executed.
Evidence Your Auditor Will Request
- Input validation implementation examples across the codebase
- ORM or parameterised query usage (no raw SQL with string concatenation)
- Security headers configuration and validation report
- SAST scan results for injection vulnerability classes, with triage and remediation status
- Content-Security-Policy implementation
Common Mistakes
- Raw SQL queries with string concatenation creating injection risk
- XSS vulnerabilities from unescaped user input in templates
- No Content-Security-Policy header configured
- SSRF possible through user-controllable URLs in server-side requests
- File upload validation relies only on file extension, not content inspection
Related Controls Across Frameworks
Frequently Asked Questions
How should we prioritise OWASP Top 10 remediation?
Is using a modern framework sufficient protection against XSS?
AuditFront helps you manage every Tech Due Diligence control, collect evidence, and stay audit-ready.