
	Home > Ask the Security Experts > Expert Archive: Information Security Threats Questions & Answers > How to prevent input validation attacks

Ask The Security Expert: Questions & Answers

EMAIL THIS

How to prevent input validation attacks

EXPERT RESPONSE FROM: Ed Skoudis, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 23 August 2006
How does canonicalization work? What should I do to prevent this input validation attack?

Canonicalization is a fancy word for a fairly simple concept. It stems from the fact that there are more than 47 gazillion ways to encode characters for the Web today. Some of the most popular are UTF-8, UTF-16, and so on (which are described in detail in RFC 2279) A single character, such as a dot (.), may be represented in many different ways, such as ASCII 2E, Unicode C0 AE and many others. The problem is, with all of these different ways of encoding user input, a Web application's filters can be easily confused if they're not carefully built. For example, if you wanted to filter dots, but only remove ASCII 2E, it is possible for someone to use an alternative Unicode format with C0 AE and squeeze a dot past your filter. Web applications often filter user input for evil characters, like quotes that might be part of SQL injection attacks or script tags (like < and >) that might be part of a cross-site scripting attack. However, if the Web application filter only searches for UTF-8 input an attacker could use another encode, like UTF-16, to code the evil characters and bypass the filter.

Canonicalization, means converting something into a simpler, more fundamental form. Web sites should have code that converts user input from a variety of different encoding forms to a single simple form that everything after will utilize, like UTF-8. The filters and all subsequent processes are applied after canonicalization, so everything has the same impression of what the user input will mean. This conversion process is called canonicalization. As a user, there is nothing you can do about canonicalization issues on the Web sites you use. But, as a Web developer, you'll want to make sure that you appropriately canonicalize the data you receive from users. There's a wonderful Web application developer's guide at the Open Web Application Security Project (OWASP) that describes the details of the code you'd need to write to canonicalize data.

More on preventing Web application attacks

Visit our Web Application Attacks Learning Guide for Web application security tools and tactics to protect against these specific attack types.

Learn ten dos and dont's for secure coding.

BROWSE BY TAG

Application and Platform Security, Application Attacks (Buffer Overflows, Cross-Site Scripting), Expert Archive: Information Security Threats, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Application Attacks (Buffer Overflows, Cross-Site Scripting)
	Adobe warns of critical update for Reader, Acrobat 9.1.3
	9 Ways to Improve Application Security After an Incident
	Developers Need Help with Security Errors
	Buffer overflow tutorial: How to find vulnerabilities, prevent attacks
	SQL injection protection: A guide on how to prevent and stop attacks
	Experts rebuke programmers who use SQL injection as feature
	SANS: Application threats, website flaws pose biggest security threats
	Mozilla helps Adobe push out faster patches
	SSH key compromise shuts down Apache website
	IBM finds sharp spike in malicious content on trusted sites
	Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

Expert Archive: Information Security Threats

The telltale signs of a network attack

Will Google Chrome enhance overall browser security?

Are there antivirus suites that pick up more than just run-of-the-mill viruses?

What tools can a hacker use to crack a laptop password?

Are social networking sites an easy target for malicious hackers?

What are the dangers of cross-site request forgery attacks (CSRF)?

Should social engineering tests be included in penetration testing?

What kind of data is compromised during a Google hack?

Best practices for using restriction policy whitelists

Defining mobile device security concerns

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

buffer overflow (SearchSecurity.com)

cache poisoning (SearchSecurity.com)

cyberterrorism (SearchSecurity.com)

dictionary attack (SearchSecurity.com)

directory harvest attack (SearchSecurity.com)

distributed denial-of-service attack (SearchSecurity.com)

JavaScript hijacking (SearchSecurity.com)

ping of death (SearchSecurity.com)

stack smashing (SearchSecurity.com)

SYN flooding (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy