Input Validation
Input validation is any technique used to ensure that data entered into a field or variable of an application is what the application expects (type, length, format, range) before the application acts on it.
- can be done locally (client-side, e.g., in browser JavaScript) or remotely (server-side)
- both can be used together: client-side checks improve usability, server-side checks provide the security
- client-side validation can be easily bypassed, because the attacker controls the browser and can edit or replay the request with a proxy
- must always use server-side input validation; treat every request as untrusted regardless of what the client did
- Injection attacks abuse the input mechanisms an application relies on (form fields, URL parameters, headers, API bodies) to get the application, or a downstream interpreter, to execute attacker-supplied commands or scripts
- Without effective input validation, applications are vulnerable to many different classes of injection attacks:
  - SQL injection
  - code injection
  - cross-site scripting (XSS)
  - and many others (command injection, LDAP injection, directory traversal)
Info
OWASP’s overview of input validation
How it Works
- Where an application accepts string input, the input should be subjected to normalization and sanitization before it is validated and accepted
- Normalization (also called canonicalization) converts the string into a single predetermined representation, e.g., percent-decoding URL parameters, resolving "." and ".." path segments, and converting to a fixed character set such as NFC/NFKC Unicode
  - ensures that the string is in the same form the application will actually process, so the validation method checks what will really be used
- Sanitization strips or escapes illegal characters and substrings from the normalized string
  - mitigates the risk of accepting characters that may later be processed as instructions
- The order matters: validate the canonical form, never the raw form, otherwise an encoded payload can pass the check and be decoded afterwards
- attackers often use obfuscation to disguise the nature of malicious inputs
  - they swap characters for alternative encodings that the server still decodes and recognizes but that are more likely to be missed by application firewalls and IDS signatures that inspect the raw request
  - e.g., obfuscating directory traversal with percent encoding (`%2e` is `.` and `%2f` is `/`, so the server decodes the second request to the first):
    - before:
      `/show=../../../../etc/config`
    - after:
      `/show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config`
  - double encoding (`%252e` decodes to `%2e`, which decodes to `.`) defeats filters that decode only once
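The traversal example above, worked through in code. This is an added example and not code from the original page or from OWASP; the `show` parameter, the `BASE_DIR` the hypothetical application serves files from, and the sample requests are all constructed for illustration. It contrasts a blocklist applied to the raw parameter, which the percent-encoded payload walks straight past, with a check that first normalizes the value (repeated percent-decoding until stable, then Unicode NFKC) and then applies an allowlist rule: the resolved path must stay inside `BASE_DIR`.

```python
import posixpath
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Directory the hypothetical application is allowed to serve files from (assumption).
BASE_DIR = "/var/www/app/files"

# Constructed sample values of the "show" parameter, not captured traffic.
SAMPLE_INPUTS = [
    "reports/q1.txt",                                        # legitimate
    "../../../../etc/config",                                # plain traversal
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config",        # percent-encoded traversal
    "%252e%252e%252fetc/config",                             # double-encoded traversal
    "/etc/passwd",                                           # absolute path
]


def naive_blocklist_check(raw: str) -> bool:
    """Blocklist applied to the raw parameter: rejects only a literal '../'.
    Returns True when the input is accepted. Encoded payloads are not seen."""
    return "../" not in raw


def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Normalize the parameter into the form the server would actually process:
    percent-decode repeatedly until the value stops changing (defeats double
    encoding), then apply Unicode NFKC so look-alike code points collapse."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def validated_path(raw: str) -> Optional[str]:
    """Allowlist check on the canonical form: the resolved path must stay
    inside BASE_DIR. Returns the absolute path, or None when rejected."""
    canonical = canonicalize(raw)
    # NUL bytes truncate C strings; an absolute path would make join() discard BASE_DIR.
    if "\x00" in canonical or canonical.startswith("/"):
        return None
    # normpath collapses '.' and '..' segments lexically, without touching the disk.
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, canonical))
    if resolved != BASE_DIR and not resolved.startswith(BASE_DIR + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(f"{raw!r:55} blocklist={naive_blocklist_check(raw)!s:5} "
              f"canonical={canonicalize(raw)!r:30} allowlist={validated_path(raw)!r}")
```

Running the script shows the blocklist accepting both encoded payloads while `validated_path` rejects every traversal attempt. The decode loop is bounded so that a pathological input cannot keep the server decoding forever, and the path check is lexical (`normpath`) rather than filesystem-based, so it works for paths that do not exist yet; a real file server should additionally resolve symlinks with `os.path.realpath` before opening the file.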
Input Validation Methods
| Validation Method | Description |
|---|---|
| Allowlisting | This method only permits inputs that match a predetermined and approved set of values or patterns. |
| Blocklisting | This approach explicitly blocks known harmful inputs, such as certain special characters or patterns commonly used in attacks. |
| Data Type Checks | These checks ensure the input data is of the expected type, such as a string, integer, or date. |
| Range Checks | These validate that numeric inputs fall within expected ranges. |
| Regular Expressions | Also known as regex, these match input against an expected pattern (allowlist style) or against known-bad patterns (blocklist style). Patterns should be anchored so the whole input is checked, not just a substring. |
| Encoding | Output encoding (e.g., HTML entity encoding, SQL parameter binding) converts special characters so the interpreter that consumes the data (browser, SQL engine, shell) treats them as literal data rather than as executable commands or scripts. |
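The methods in the table applied to one constructed form submission. This is an added example, not code from the original page; the `username`, `role`, `age` and `start_date` fields, the set of allowed roles and the numeric limits are assumptions made for illustration. It combines an anchored regex for the username, an allowlist for the role, a data-type check followed by a range check for the age, a type check for the date, and HTML output encoding for a free-text display name that cannot be validated against a fixed pattern.

```python
import html
import re
from datetime import date
from typing import Dict, List

# Allowlist of values the hypothetical "role" field may take (assumption).
ALLOWED_ROLES = frozenset({"viewer", "editor", "admin"})

# Anchored pattern: fullmatch() requires the entire value to match, so
# "alice'; DROP TABLE users;--" fails even though it contains "alice".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")

# Range limits for the age field (assumption).
MIN_AGE, MAX_AGE = 13, 120


def validate_user(form: Dict[str, str]) -> List[str]:
    """Validate a submitted registration form. Returns a list of error
    strings; an empty list means every field was accepted."""
    errors: List[str] = []

    # Regular expression (allowlist style): only safe characters, bounded length.
    username = form.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        errors.append("username: must be 3-16 letters, digits or underscores")

    # Allowlisting: exact membership in a predetermined set of values.
    role = form.get("role", "")
    if role not in ALLOWED_ROLES:
        errors.append("role: not an allowed value")

    # Data type check: ASCII digits only. int() alone would also accept
    # "+5", " 5 " and Unicode digits, which is looser than we want.
    age = form.get("age", "")
    if not (age.isascii() and age.isdigit()):
        errors.append("age: must be a whole number")
    else:
        # Range check, applied only after the type check has succeeded.
        if not MIN_AGE <= int(age) <= MAX_AGE:
            errors.append(f"age: must be between {MIN_AGE} and {MAX_AGE}")

    # Data type check for a date: parse with a strict format, reject on failure.
    try:
        date.fromisoformat(form.get("start_date", ""))
    except ValueError:
        errors.append("start_date: must be an ISO date (YYYY-MM-DD)")

    return errors


def render_greeting(display_name: str) -> str:
    """Output encoding: a free-text field is stored as-is but HTML-encoded
    when rendered, so '<' or '"' cannot start a tag or break an attribute."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed sample submissions, not real user data.
    good = {"username": "alice_01", "role": "editor", "age": "34", "start_date": "2024-03-01"}
    bad = {"username": "alice'; DROP TABLE users;--", "role": "superuser",
           "age": "-5", "start_date": "2024-13-01"}
    print("good:", validate_user(good))
    print("bad: ", validate_user(bad))
    print(render_greeting("<script>alert(1)</script>"))
```

The order of the checks is deliberate: the range check runs only once the type check has proven the value is numeric, and the regex is anchored with `fullmatch` because `search` or `match` would accept a valid prefix followed by anything. Encoding is applied at output, per interpreter, rather than at input, so the stored data stays intact and the same value can be emitted safely into HTML, a SQL parameter or a shell argument using the encoding each one needs.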