From the course: CISSP Cert Prep (2021): 8 Software Development Security

Input validation


- [Instructor] Any case where users supply input to an application opens that application up to exploitation. User-supplied input may contain code designed to interact with the database, manipulate the browsers of future visitors to the site, or perform any of a number of other attacks. Elsewhere in this course series, you learned about some of those attacks, including SQL injection and cross-site scripting. One of the most important ways that we can protect against input-based attacks is the use of input validation. This technique filters user input, making sure that the input provided by end users doesn't contain malicious or otherwise unexpected values.

There are two different approaches that we can take to input validation: whitelisting and blacklisting. Whitelisting is the most powerful approach to input validation. In this approach, the developer specifies the exact type of input that is allowed from the end user, and any input not matching that specification is rejected. For example, if the application is asking a user to enter their year of birth, an input validation routine could check to make sure that the input is a four-digit number. It could go further to make sure that the four-digit number is a reasonable year of birth for someone who is alive today.

We can't always precisely specify the types of inputs that should be allowed, so whitelisting is not always practical. For example, if we had a web application that allowed someone to enter a job posting on an employment website, we probably wouldn't be able to precisely define the nature of that job posting. It might contain letters, numbers, special symbols, hyperlinks, and could be extremely short or extremely long. In those cases, we turn to blacklisting as an input validation technique. Instead of describing the input that is allowed, blacklisting describes the input that is not allowed. For example, we might prohibit the use of HTML tags in user input to protect against cross-site scripting attacks. We might also prevent the use of SQL keywords to protect against injection attacks. Blacklisting is a more flexible technique than whitelisting, but it's very difficult to describe all possible types of malicious input, so most security professionals consider it less effective than a whitelisting approach.

When you perform any type of input validation, it's very important to ensure that that validation takes place on the server itself and not within the client's browser. It's tempting to use some JavaScript code to perform validation within a web browser, but you need to remember that the user controls the browser, and the user can disable the input validation routine if you take this approach.
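The two approaches described in the lecture, as an added example that is not part of the course material: a whitelist validator for the year-of-birth field and a blacklist validator for a free-form job posting. Both are meant to run on the server; the 120-year maximum age and the 10,000-character posting limit are assumptions chosen for the example.

```python
import re

# Whitelist approach: the only input accepted is a four-digit year that
# could plausibly be the birth year of a living person. Everything else
# is rejected, so nothing needs to be known about specific attack strings.
FOUR_DIGITS = re.compile(r"[0-9]{4}")
MAX_AGE = 120  # assumed upper bound for "someone who is alive today"


def is_valid_birth_year(raw: str, current_year: int) -> bool:
    """Return True only if raw is exactly four ASCII digits within a plausible range."""
    # fullmatch anchors both ends, so leading/trailing junk is rejected.
    if FOUR_DIGITS.fullmatch(raw) is None:
        return False
    year = int(raw)
    return current_year - MAX_AGE <= year <= current_year


# Blacklist approach: a job posting cannot be described exactly, so instead
# we name the things we know we do not want. This only catches the patterns
# listed here, which is exactly the weakness the lecture describes.
HTML_TAG = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")  # anything that looks like <tag ...>
MAX_POSTING_LENGTH = 10_000  # assumed limit to bound storage and processing


def is_acceptable_posting(raw: str) -> bool:
    """Return False if the posting is empty, too long, or contains an HTML tag."""
    if not raw.strip() or len(raw) > MAX_POSTING_LENGTH:
        return False
    return HTML_TAG.search(raw) is None


if __name__ == "__main__":
    # Constructed sample inputs illustrating both validators.
    for value in ("1980", "80", "1850", "abcd", "1980\n"):
        print(f"birth year {value!r}: {is_valid_birth_year(value, 2021)}")
    for posting in ("Senior engineer wanted, apply at https://example.com",
                    "Apply <b>now</b>"):
        print(f"posting {posting!r}: {is_acceptable_posting(posting)}")
```

Because the whitelist rejects by default, it needs no knowledge of attacks; the blacklist passes by default, so any HTML-like pattern the regex does not cover would get through.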
