Input validation is the first step of checking the type and content of data supplied by a user or application.
For web applications, input validation means verifying user inputs provided in web forms, query parameters, uploads, and so on.
Improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection.
Input validation is a programming technique that ensures only properly formatted data may enter a software system component.
 
It is always recommended to prevent attacks as early as possible in the processing of the user's (attacker's) request. Input validation can be used to detect unauthorized input before it is processed by the application.
What Are Input Validation Strategies?

1. Syntactical and Semantic Validation
 
An application should check that data is both syntactically and semantically valid (in that order) before using it in any way (including displaying it back to the user).
Syntax validity means that the data is in the form that is expected. For example, an application may allow a user to select a four-digit “account ID” to perform some kind of operation. The application should assume the user is entering a SQL injection payload, and should check that the data entered by the user is exactly four digits in length and consists only of numbers (in addition to utilizing proper query parameterization). Other examples are enforcing the correct syntax of SSNs, dates, currency symbols, and so on.
 
Semantic validity means only accepting input that is within an acceptable range for the given application functionality and context. For example, a start date must be before an end date when choosing date ranges, or a price must be within the prescribed range.
 
 
2. Whitelisting vs Blacklisting
 
There are two general approaches to performing input syntax validation, commonly known as blacklisting and whitelisting:
  • Blacklisting or blacklist validation attempts to check that given data does not contain “known bad” content. For example, a web application may block input that contains the exact text <SCRIPT> in order to help prevent XSS. However, this defense could be evaded with a lower-case script tag or a script tag of mixed case.
  • Whitelisting or whitelist validation attempts to check that given data matches a set of “known good” rules. For example, a whitelist validation rule for a US state would be a two-letter code that is one of the valid US state codes.
 
When building secure software, whitelisting is the recommended minimal approach. Blacklisting is prone to error, can be bypassed with various evasion techniques, and is dangerous when depended on by itself. Even though blacklisting can often be evaded, it can still be useful for detecting obvious attacks. So while whitelisting helps limit the attack surface by ensuring data has the right syntactic and semantic validity, blacklisting helps detect and potentially stop obvious attacks.
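The following Python is an added example, not code from the original post: it implements the two rules the text describes (a whitelist for a US state code and a blacklist for the exact text <SCRIPT>) and combines them the way the text recommends, with the whitelist deciding acceptance and the blacklist only raising a flag for logging. The set of state codes is constructed here (50 states, without DC or territories); whether to accept more is an application decision.

```python
import re

# Added example (not from the original post): whitelist vs blacklist validation.
# Constructed list of the 50 two-letter US state codes; DC and territories are
# deliberately absent, so accepting them would be a conscious change to the rule.
US_STATES = frozenset("""
AL AK AZ AR CA CO CT DE FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN MS MO
MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA WV WI WY
""".split())

STATE_CODE_RE = re.compile(r"[A-Z]{2}")


def whitelist_state(value: str) -> bool:
    """Whitelist rule from the text: exactly two upper-case ASCII letters AND a known code.

    fullmatch() anchors both ends, so 'CA ' or 'CAX' fail; the set membership test
    rejects well-formed but non-existent codes such as 'ZZ'. Everything not listed
    is rejected, which is what keeps the accepted input space small."""
    return STATE_CODE_RE.fullmatch(value) is not None and value in US_STATES


def blacklist_hit(value: str) -> bool:
    """Blacklist rule from the text: flag input containing the exact text '<SCRIPT>'.

    A plain substring test, so a lower-case or mixed-case tag is not caught,
    which is the evasion the text describes. Useful as a signal, not as the gate."""
    return "<SCRIPT>" in value


def validate_state_field(value: str) -> tuple[bool, bool]:
    """Combine both as the text recommends: the whitelist decides acceptance,
    the blacklist only adds a 'suspicious' flag the caller can log or alert on.

    Returns (accepted, suspicious)."""
    return whitelist_state(value), blacklist_hit(value)


if __name__ == "__main__":
    # Constructed sample inputs: valid, wrong case, unknown code, blacklisted, evading.
    for sample in ["CA", "ca", "ZZ", "<SCRIPT>", "<ScRiPt>"]:
        print(repr(sample), validate_state_field(sample))
```

Note that the mixed-case tag slips past the blacklist but is still rejected, because it never matched the whitelist; the whitelist is what actually protects the field.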
 
 
3. Client side and Server side Validation
 
Input validation must always be done on the server side for security. While client-side validation can be useful for both functional and some security purposes, it can often be easily bypassed. This makes server-side validation even more fundamental to security. For example, JavaScript validation may alert the user that a particular field must consist of numbers, but the server-side application must validate that the submitted data consists only of numbers in the appropriate numerical range for that feature.
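The following Python is an added example, not code from the original post. It is the server-side half the text insists on: a handler validates a form exactly as it arrives over HTTP (every value a string), ignoring whatever the browser's JavaScript may have checked, and applies the cases from section 1 in the order the text gives: syntactic checks first (four-digit account ID, YYYY-MM-DD dates, a decimal price), then semantic checks (start before end, price within a range). The field names, the price limits and the sample submissions are constructed for this example.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Added example (not from the original post): server-side validation of a submitted
# form. Field names and price limits are constructed for this example.
ACCOUNT_ID_RE = re.compile(r"[0-9]{4}")   # [0-9], not \d: \d would also match non-ASCII digits
ISO_DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
PRICE_MIN, PRICE_MAX = Decimal("0.01"), Decimal("10000.00")


def validate_order(form: dict[str, str]) -> tuple[dict, dict]:
    """Validate a form as the server receives it: every value is a str.

    Nothing the client did is trusted; the same checks run here regardless.
    Syntactic checks come first; semantic checks run only on fields that passed.
    Returns (clean, errors): typed values for fields that passed, and a message per
    field (or cross-field rule) that failed. A non-empty errors dict means reject."""
    clean: dict = {}
    errors: dict = {}

    # Syntax: exactly four ASCII digits. fullmatch() anchors both ends, so
    # '1234\n' or '1234 x' fail. Kept as str: an identifier, not a quantity.
    account_id = form.get("account_id", "")
    if ACCOUNT_ID_RE.fullmatch(account_id):
        clean["account_id"] = account_id
    else:
        errors["account_id"] = "must be exactly four digits"

    # Syntax: dates must look like YYYY-MM-DD and be real calendar dates.
    dates: dict[str, date] = {}
    for field in ("start_date", "end_date"):
        raw = form.get(field, "")
        try:
            if not ISO_DATE_RE.fullmatch(raw):
                raise ValueError
            dates[field] = date.fromisoformat(raw)   # rejects 2024-02-30 and the like
        except ValueError:
            errors[field] = "must be a valid date in YYYY-MM-DD form"

    # Syntax: price must parse as a finite decimal ('abc', '', 'NaN', 'Infinity' fail).
    price = None
    try:
        candidate = Decimal(form.get("price", ""))
        if candidate.is_finite():
            price = candidate
        else:
            errors["price"] = "must be a decimal number"
    except InvalidOperation:
        errors["price"] = "must be a decimal number"

    # Semantics: start must be before end (checked only if both parsed).
    if "start_date" in dates and "end_date" in dates:
        if dates["start_date"] < dates["end_date"]:
            clean.update(dates)
        else:
            errors["date_range"] = "start date must be before end date"

    # Semantics: price must lie within the prescribed business range.
    if price is not None:
        if PRICE_MIN <= price <= PRICE_MAX:
            clean["price"] = price
        else:
            errors["price"] = f"must be between {PRICE_MIN} and {PRICE_MAX}"

    return clean, errors


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one that a bypassed client check lets through.
    good = {"account_id": "0042", "start_date": "2024-01-01",
            "end_date": "2024-01-31", "price": "19.99"}
    bad = {"account_id": "4a2b", "start_date": "2024-02-01",
           "end_date": "2024-01-01", "price": "-5"}
    for submission in (good, bad):
        clean, errors = validate_order(submission)
        print("accepted" if not errors else "rejected", clean, errors)
```

The handler returns typed values (date, Decimal) only for fields that passed, so downstream code never touches the raw strings, and the cross-field rule is reported under its own key rather than blamed on one of the dates.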
 
However, there is a lot more to input validation in real life, as there are many scenarios that demand very careful handling: for example, email address validation, file uploads, special file types, and much more.
 
Guys, what do you think about Input Validation?
Kindly leave me your thoughts in the comment section.
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in cybersecurity, Cisco technologies, and networking...

She is so obsessed with the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.

30,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts there.
