Internet-based computer software applications, or “web” applications, may be vulnerable to malicious attacks if they do not properly validate user inputs before processing them and using them in security-sensitive operations. A common practice is to perform such validation by constraining user inputs at the web application interfaces with which users interact. Thus, for example, an HTML-based web page that is presented to a user may include parameters that are to be populated only via drop-down boxes with a limited set of predefined values for selection by the user, as well as hidden parameters that are not meant to be directly modified by the user, where the parameters are then to be forwarded to the underlying web application