
	Home > Ask the Security Experts > Information Security Threats Questions & Answers > How to prevent input validation attacks

Ask The Security Expert: Questions & Answers

EMAIL THIS

How to prevent input validation attacks

EXPERT RESPONSE FROM: Ed Skoudis

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 23 August 2006
How does canonicalization work? What should I do to prevent this input validation attack?

EXPERT RESPONSE
Canonicalization is a fancy word for a fairly simple concept. It stems from the fact that there are more than 47 gazillion ways to encode characters for the Web today. Some of the most popular are UTF-8, UTF-16, and so on (which are described in detail in RFC 2279) A single character, such as a dot (.), may be represented in many different ways, such as ASCII 2E, Unicode C0 AE and many others. The problem is, with all of these different ways of encoding user input, a Web application's filters can be easily confused if they're not carefully built. For example, if you wanted to filter dots, but only remove ASCII 2E, it is possible for someone to use an alternative Unicode format with C0 AE and squeeze a dot past your filter. Web applications often filter user input for evil characters, like quotes that might be part of SQL injection attacks or script tags (like < and >) that might be part of a cross-site scripting attack. However, if the Web application filter only searches for UTF-8 input an attacker could use another encode, like UTF-16, to code the evil characters and bypass the filter.

Canonicalization, means converting something into a simpler, more fundamental form. Web sites should have code that converts user input from a variety of different encoding forms to a single simple form that everything after will utilize, like UTF-8. The filters and all subsequent processes are applied after canonicalization, so everything has the same impression of what the user input will mean. This conversion process is called canonicalization. As a user, there is nothing you can do about canonicalization issues on the Web sites you use. But, as a Web developer, you'll want to make sure that you appropriately canonicalize the data you receive from users. There's a wonderful Web application developer's guide at the Open Web Application Security Project (OWASP) that describes the details of the code you'd need to write to canonicalize data.

More on preventing Web application attacks

Visit our Web Application Attacks Learning Guide for Web application security tools and tactics to protect against these specific attack types.

Learn ten dos and dont's for secure coding.

Sound Off! -

Be the first to post a message to Sound Off!

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Information Security Threats
	What are the dangers of cross-site request forgery attacks (CSRF)?
	Should social engineering tests be included in penetration testing?
	What kind of data is compromised during a Google hack?
	Best practices for using restriction policy whitelists
	Defining mobile device security concerns
	What security measures can be taken to stop crimeware kits?
	What software development best practices can prevent input validation attacks?
	What is the most secure way for application developers to manage cookies?
	Is there a market for standalone antivirus products?
	Can 'herd intelligence' effectively stop malware?

Application Attacks (Buffer Overflows, Cross-Site Scripting)

Tips for SQL injection protection

Microsoft addresses XSS in Internet Explorer

Internet Explorer open to spoofing, scripting attacks

Software still plagued with security holes, researcher says

Microsoft tools won't be quick fix for SQL injection attacks

Microsoft identifies tools to address SQL injection attacks

New defenses for automated SQL injection attacks

Alarming SQL injection attacks

Adobe Flash Player flaw previously patched, Symantec says

Adobe zero day flaw being actively exploited in wild

Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

cache poisoning (SearchSecurity.com)

cyberterrorism (SearchSecurity.com)

dictionary attack (SearchSecurity.com)

directory harvest attack (SearchSecurity.com)

distributed denial-of-service attack (SearchSecurity.com)

JavaScript hijacking (SearchSecurity.com)

ping of death (SearchSecurity.com)

script kiddy (SearchSecurity.com)

stack smashing (SearchSecurity.com)

SYN flooding (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Advanced Search | Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy