Focusing on Input Validation

Saturday, February 11, 2012

Brent Huston


Input validation is the single best defense against injection and XSS vulnerabilities.

Done right, proper input validation techniques can make web-applications invulnerable to such attacks. Done wrongly, they are little more than a false sense of security.

The bad news is that input validation is difficult. White listing, or identifying all possible strings accepted as input, is nearly impossible for all but the simplest of applications.

Black listing, that is parsing the input for bad characters (such as ‘, ;,–, etc.) and dangerous strings can be challenging as well.

Though this is the most common method, it is often the subject of a great deal of challenges as attackers work through various encoding mechanisms, translations and other avoidance tricks to bypass such filters.

Over the last few years, a single source has emerged for best practices around input validation and other web security issues.

The working group OWASP has some great techniques for various languages and server environments. Further, vendors such as Sun, Microsoft and others have created best practice articles and sample code for doing input validation for their servers and products.

Check with their knowledge base or support teams for specific information about their platform and the security controls they recommend.

While application frameworks and web application firewalls are evolving as tools to help with these security problems, proper developer education and ongoing training of your development team about input validation remains the best solution.

Cross-posted from State of Security

Possibly Related Articles:
Information Security
XSS OWASP Application Security Vulnerabilities Best Practices Web Application Firewalls Attacks Secure Coding Cross Site Scripting Input Validation Black Listing Brent Huston
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.