Input Validation - An Application Security Perspective
Introduction
Input validation is the “key” to application security. 50 to 60 % of security vulnerabilities in almost 70 % of applications are due to poor input validation.
There are several attack vectors possible due to poor input validation
1) Cross Site Scripting
2) SQL injection
3) Response splitting
4) Buffer overflow
5) XML injection
6) Directory Traversals
7) Denial of service
Need for user input:
Business Applications need data to work upon so that meaningful information is delivered to the user. The relevancy and the context of the information are ascertained by user supplied input like for ex: username and password or some personal data like address, telephone and email details. Many applications either store these data or do some manipulations to render useful results.
How attackers use them?
User input fields are the major entry points for most of the attackers. If the application has a cross site scripting vulnerability they can steal the cookie and thereby have an un-authorized access to the system or inject a malicious SQL query to launch an SQL injection attack or can cause buffer overrun and thereby execute a remote code or in the worst case can launch a denial of service attack (DoS)
What is the countermeasure?
Validate, validate and validate the user input.
àValidate data for type, length, format and range.
àAssume all input is malicious.
àCentralize your approach.
àDo not rely on client-side validation.
àConstrain, reject, and sanitize your input.
Input Validation Strategy
An effective strategy can adopt following ways
· Constrain input.
· Validate data for type, length, format, and range.
· Reject known bad input.
· Sanitize input
Input Validation Explained:
Input validation can be performed in two ways
1) Exclusion list approach (also called as blacklist approach)
2) inclusion list approach (also called as whitelist approach)
Exclusion list or a black list approach means filtering the bad data. It is basically a list of malicious user inputs and all other inputs is treated as good.
Inclusion list approach involves allowing only known good inputs. It is a list of all good inputs which a system can accept.
As a security strategy, it is better to adhere to inclusion list approach than to an exclusion list as the list of accepted values is limited in comparison to several un-known and unforeseen unacceptable values. Secondly, a black list approach may accidentally treat a malicious input to be safe.
But in certain situations where a whitelist approach cannot be easily implemented, a blacklist approach suits better. And in such situations it is advised to use a combination of whitelist as well as a blacklist, instead of following a single approach throughout the application.
Server side or Client side validation?
User input validation should be done both at client and server side. In security perspective, Server side validation is a must. Client side validation can be easily bypassed by turning off javacript in the browser. Hence never rely upon client side validation. But for several other benefits , client side validation should be done along with server side. The following table elucidates the reasons
ValidationType |
Superior User Experience |
Immediate Response |
Superior performance |
Increased Security |
Client Side |
ü |
ü |
ü |
|
Server Side |
ü |
It can be easily seen from the above table that client side validation brings in higher performance by reducing unnecessary round trips to the server. Since the validation is at the client, the error information can be immediately shown to the users so that they can correct without having to wait until a response comes from the server. This makes applications highly interactive and usable.
When it comes to security, the bottleneck with client side validation is that this technique heavily relies on client side scripting languages likes javascript or vbscript which can be thwarted very easily. Applications completely relying on client side validations are highly vulnerable as an attacker can easily bypass the validation on the browser.
ASP.NET Validator Controls
The .NET Framework provides validation controls that validate user input and show appropriate error messages whenever invalid data is encountered in a validation control. This helps to save huge time when there is a need to duplicate this validation on both the client and server. These controls can be used both on client and on server side and enhance performance by avoiding server round trips wherever possible.
Additionally, a ValidationSummary control is provided to display all error messages for a page in one area of the screen.
Usage of ASP.NET Validator control: <asp:control_name id="some_id" runat="server" />
Validation Type |
Appropriate Control |
Description |
Required Entry |
The RequiredFieldValidator Control |
Ensures that the user does not skip an entry. |
Comparison to a Value |
The CompareValidator Control |
Compares a user's entry against a constant value, against the value of another control (using a comparison operator such as less than, equal, or greater than), or for a specific data type |
Range Checking |
The RangeValidator Control |
Checks that a user's entry is between specified lower and upper boundaries. You can check ranges within pairs of numbers, alphabetic characters, and dates |
Pattern matching
|
The RegularExpressionValidator Control |
Checks that the entry matches a pattern defined by a regular expression. This type of validation enables you to check for predictable sequences of characters, such as those in e-mail addresses, telephone numbers, postal codes, and so on. For details, |
User-defined |
The CustomValidator Control |
Checks the user's entry using validation logic that you write yourself. This type of validation enables you to check for values derived at run time |
Courtesy - MSDN– https://msdn2.microsoft.com/en-us/library/bwd43d0x(VS.80).aspx
Input Validation using Regular Expressions
There are several validation routines freely available at https://www.guidancelibrary.com/default.aspx/Home.RegExInputValCode
These routines help defend against most common input related attacks.
For additional information, please visit following links
https://msdn2.microsoft.com/en-us/library/aa302420.aspx
https://www.guidancelibrary.com/