SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

INPUT01/02 Unbounded Inputs and Missing Request Size Limits

This page covers:

What this means

SiteShadow flagged places where user-controlled input can be arbitrarily large (query params, JSON bodies,

headers, file uploads) without server-side constraints.

Why it matters

Unbounded inputs can lead to denial-of-service, unexpected memory/CPU usage, log explosions, and higher

infrastructure cost.

Safer examples

1) Validate and cap input lengths (server-side)

Reject overly long fields early (e.g., usernames, search queries, comments).

2) Configure request body and upload size limits

Apply limits at both the app layer and your reverse proxy/CDN/WAF.

3) Constrain "expensive" endpoints

Use pagination, max page sizes, and query complexity limits; avoid unbounded list/search endpoints.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.