Data Validation

The lack of data validation, both input and output data, within web applications is one of the most common and most critical flaws that web applications contain. All data being sent to a web application must be checked for validity. Some examples include input fields, hidden fields, cookies, request headers, response headers, uploaded files, and XML content.

The best way to validate data in a web application is to allow only "known good values." This may mean that the values 1, 5, 10, 50, and 65 are allowed and anything else is rejected. If the set of good values cannot be enumerated, such as for a free-text description field, then only "known good characters" should be allowed. This may mean that the field value is checked against a regular expression, such as [a-zA-Z], to ensure that every character is valid. This can be implemented in PHP using the preg_match function.

If, for some reason, the good characters are not known either, then the data should be checked for known bad characters and values, such as symbols, or even for byte ranges, to ensure that the input is not binary data.

The last resort in validating input is to sanitize it by stripping bad characters or encoding them so that they cannot be used in a malicious manner. This means that the data is accepted by the web application after known bad characters or values are sanitized or stripped; however, this may leave the web application vulnerable if an attacker is able to use the sanitization function itself to bypass other validation steps. An example is a web application that removes the word JavaScript. If an attacker sends the value JavaJavaScriptScript, the web application removes the JavaScript section from the middle of the value, leaving the sanitized value as JavaScript. The attacker has therefore bypassed the validation step.

If these validation steps are not implemented correctly, an attacker may be able to bypass them by using mixed-case characters, HTML entities, URL encoding, Unicode encoding, long Unicode encoding, hexadecimal encoding, embedding encoded tabs, new lines or carriage returns within words, injecting null characters or binary characters, or removing semicolons.

Data should also be checked for length to ensure that it matches what the web application expects. This also places a size limit on malicious scripts or exploit attempts, restricting the attacks that could be carried out. Length checks may also make log flushing and denial of service attacks, such as filling up the root or /var filesystem, much harder. ModSecurity can be used as a second layer of security to limit the size of parameters or requests so that oversized requests are dropped.
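The three approaches above (known good values, known good characters with preg_match, and the stripping sanitizer that JavaJavaScriptScript defeats), together with the length check, as an added PHP example that is not part of the original article. The function names and the 64-character limit are assumptions; note that the pattern must be anchored with \A and \z, because preg_match('/[a-zA-Z]/') succeeds as soon as one letter appears anywhere in the string.

```php
<?php
// Added example, not from the original article. Demonstrates the validation
// strategies described above and the sanitizer-bypass problem.

// 1. Known good values: accept only an exact member of a fixed set.
function isAllowedValue(string $input): bool
{
    $allowed = ['1', '5', '10', '50', '65'];       // values quoted in the article
    return in_array($input, $allowed, true);       // strict: no type juggling
}

// 2. Known good characters plus a length check. \A and \z anchor the pattern
//    to the whole string; an unanchored /[a-zA-Z]/ would accept "<script>x"
//    because it contains at least one letter. ($ alone still allows a
//    trailing newline in PCRE, which is why \z is used instead.)
function isAlphaOnly(string $input, int $maxLen = 64): bool
{
    $len = strlen($input);
    if ($len === 0 || $len > $maxLen) {
        return false;
    }
    return preg_match('/\A[a-zA-Z]+\z/', $input) === 1;
}

// 3a. Last-resort sanitizer as the article describes it: one pass that strips
//     the word "JavaScript" (case-insensitively). This is the flawed version:
//     stripOnce('JavaJavaScriptScript') returns 'JavaScript'.
function stripOnce(string $input): string
{
    return str_ireplace('JavaScript', '', $input);
}

// 3b. If stripping is unavoidable, repeat until the output stops changing, so
//     that nested copies of the word cannot survive a single pass.
function stripUntilStable(string $input): string
{
    do {
        $before = $input;
        $input  = str_ireplace('JavaScript', '', $input);
    } while ($input !== $before);
    return $input;
}

// 3c. Preferred: reject the input outright rather than repairing it.
function containsBlockedWord(string $input): bool
{
    return stripos($input, 'JavaScript') !== false;
}

// Constructed demonstration inputs.
$bypass = 'JavaJavaScriptScript';
var_dump(stripOnce($bypass), stripUntilStable($bypass), containsBlockedWord($bypass));
var_dump(isAlphaOnly('Hello'), isAlphaOnly("Hello\n"), isAlphaOnly('<script>alert(1)</script>'));
var_dump(isAllowedValue('10'), isAllowedValue('100'));
```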
