From the course: Threat Modeling: Denial of Service and Elevation of Privilege

Validation to defend against elevation

- [Instructor] Let's start with validation, making sure the data is what you expect. There's a level at which this is simply good reliability practice. If the data isn't well-formed, what are you going to do with it anyway? By the way, that's text with extra diacritic marks. A lot of them. There's an argument that HTML became one of the most popular technologies in the world because browsers were generous in their parsing. And now HTML is a freaking mess and parsing HTML is a morass of workarounds for technical debt taken on in 1994. You don't want or need that debt. You can check your input and the details depend on the code you're writing. There's also a point where validation goes beyond reliability, checking for good-natured bad data, to evilly-crafted data, data that's encoded three times because your parser looks at the first two, pointers to pointers to pointers, newlines where you expect carriage returns,…
