INPUT01/02 Unbounded Inputs and Missing Request Size Limits
This page covers:
- INPUT01: Unbounded string inputs (no length constraints / validation)
- INPUT02: Missing request size limits (no body caps / upload limits)
What this means
SiteShadow flagged places where user-controlled input can be arbitrarily large (query params, JSON bodies,
headers, file uploads) without server-side constraints.
Why it matters
Unbounded inputs can lead to denial-of-service, unexpected memory/CPU usage, log explosions, and higher
infrastructure cost.
Safer examples
1) Validate and cap input lengths (server-side)
Reject overly long fields early (e.g., usernames, search queries, comments).
2) Configure request body and upload size limits
Apply limits at both the app layer and your reverse proxy/CDN/WAF.
3) Constrain "expensive" endpoints
Use pagination, max page sizes, and query complexity limits; avoid unbounded list/search endpoints.
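The three mitigations above (field length caps, a request body size limit, and bounded page sizes) combined in one small request handler. This is an added example, not SiteShadow's own code or code from any framework; the limit values, field names, the `handle_comment_request`/`simulate_request` helpers and the sample requests are constructed for illustration. The body cap is enforced on the actual bytes read, not only on the declared Content-Length, since that header can be absent (chunked transfer) or wrong.

```python
"""Server-side input caps: per-field length validation, a hard request body
size limit, and pagination clamping. Example code only (not SiteShadow's);
all limits, field names and helpers below are illustrative assumptions."""
import io
import json

# Per-field maximum lengths in characters (constructed values for this example).
FIELD_LIMITS = {"username": 32, "search": 128, "comment": 2000}
MAX_BODY_BYTES = 64 * 1024   # hard cap on any request body, in bytes
MAX_PAGE_SIZE = 100
DEFAULT_PAGE_SIZE = 20


class InputTooLarge(ValueError):
    """Raised when a request body or a field exceeds its configured cap."""


def read_body_capped(stream, content_length, max_bytes=MAX_BODY_BYTES):
    """Read at most max_bytes from stream.

    The declared Content-Length is checked first so oversized requests are
    rejected before anything is buffered, but the read itself is also capped
    because the header may be missing (chunked) or understate the real size.
    """
    if content_length is not None and content_length > max_bytes:
        raise InputTooLarge(f"declared body {content_length} > {max_bytes} bytes")
    data = stream.read(max_bytes + 1)      # one extra byte detects overflow
    if len(data) > max_bytes:
        raise InputTooLarge(f"body exceeds {max_bytes} bytes")
    return data


def validate_fields(payload, limits=FIELD_LIMITS):
    """Reject unknown fields, non-string values, and strings over their cap."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    clean = {}
    for name, value in payload.items():
        if name not in limits:
            raise ValueError(f"unexpected field: {name}")
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a string")
        if len(value) > limits[name]:
            raise InputTooLarge(f"{name} longer than {limits[name]} chars")
        clean[name] = value
    return clean


def clamp_page(page_size, max_size=MAX_PAGE_SIZE, default=DEFAULT_PAGE_SIZE):
    """Turn a user-supplied page size into a bounded positive integer."""
    try:
        size = int(page_size)
    except (TypeError, ValueError):
        return default
    if size < 1:
        return default
    return min(size, max_size)


def handle_comment_request(headers, stream, query):
    """Tie the three caps together; returns an (http_status, body) tuple.

    413 is the standard status for an oversized payload, 400 for input that
    is otherwise invalid (bad JSON, unknown field, wrong type).
    """
    try:
        length = headers.get("Content-Length")
        raw = read_body_capped(stream, int(length) if length else None)
        payload = json.loads(raw.decode("utf-8"))   # JSONDecodeError is a ValueError
        fields = validate_fields(payload)
    except InputTooLarge as exc:
        return 413, {"error": str(exc)}
    except (ValueError, UnicodeDecodeError) as exc:
        return 400, {"error": f"invalid input: {exc}"}
    page_size = clamp_page(query.get("page_size"))
    return 200, {"accepted": fields, "page_size": page_size}


def simulate_request(headers, body_bytes, query):
    """Run the handler on a raw byte string (wraps it in a stream)."""
    return handle_comment_request(headers, io.BytesIO(body_bytes), query)


if __name__ == "__main__":
    # Constructed sample requests for a local run.
    ok_body = json.dumps({"username": "alice", "comment": "hello"}).encode()
    print(simulate_request({"Content-Length": str(len(ok_body))}, ok_body,
                           {"page_size": "500"}))
    big_body = json.dumps({"comment": "x" * 5000}).encode()
    print(simulate_request({}, big_body, {}))
    # Header claims 10 bytes but the stream carries far more: still rejected.
    print(simulate_request({"Content-Length": "10"}, b"x" * 70000, {}))
```

The same caps should also be set in front of the application (reverse proxy, CDN, WAF) so oversized requests are dropped before they reach application code at all; the in-app check is the backstop for traffic that bypasses the edge.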
How SiteShadow detects it (high level)
- Detects request parsing and upload handling paths without visible size caps.
- Flags fields that flow into expensive operations (parsing, DB queries, rendering) without length/range constraints.
References
- OWASP Input Validation Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
- CWE-400: https://cwe.mitre.org/data/definitions/400.html
---