Ask The Security Expert: Questions & Answers

What software development practices prevent input validation attacks?

Expert response from: Ed Skoudis, past SearchSecurity.com expert
QUESTION POSED ON: 30 November 2007
Are there countermeasures that can prevent input-validation attacks? Can you offer any advice for writing input-validation code for application development?

This question is extremely important, as improper input validation leads to numerous kinds of attacks, including cross-site scripting, SQL injection, command injection, buffer overflows and many others.

Most applications only need to accept a limited set of characters as input, typically plain old alpha and numeric. If an app needs to get a specific name and age, for example, one alpha field and one numeric field will suffice. Without proper filtering, however, attackers might be able to use other characters, including semicolons, greater-than or less-than symbols, and quotation marks to exploit the application. If a software developer does not properly screen all forms of user input to remove unusual characters, the software may be exploitable in countless different ways. Software's input-validation function removes these characters, acting as a shield.

Unfortunately, some software developers either leave out input-validation code altogether, or they implement weak input validation that might not filter out a truly comprehensive set of characters. Also, there are dozens of ways to alter or encode data to dodge validation filters: UTF-8, Hex, Unicode, mixed case and many more. There's a great article by RSnake that shows some different encoding tricks designed to slip cross-site scripting attacks past weak input-validation code.

With that overview in mind, let's turn to your question: how can you prevent input-validation attacks? This is really an issue for software developers, and there isn't much that users can do to prevent these attacks. For software developers that want to make sure that their input-validation code is up to snuff, use the following as a checklist:

  • Specify variable types: Use the type enforcement capabilities of your development environment to limit the kind of data that can be entered into some fields. In particular, if you only need to accept an integer in a field, define that variable as an integer (if your development environment and language allow you to do that) so that your software will reject any entered strings.
  • Don't define all possible badness; instead only accept goodness: Trying to create a comprehensive list of all bad characters for all the different kinds of attacks is next to impossible. Thus, when creating validation code, define what characters are acceptable, such as A-Z, a-z, and 0-9, and filter out everything else. Such a "deny-all-except-for-certain-allowable-characters" approach is a far stronger way to write filtering code.
  • Limit size of input: If you ask for someone's age, keeping it to a three-digit field will cover every reasonable case, even the centenarians in your user population. If you ask for someone's name, a hundred or so characters are reasonable. That way, even if you aren't filtering characters properly, you are still limiting the real estate that the attacker has to pull off an attack.
  • Canonicalize before filtering: If user input is encoded in a fashion that the filters aren't designed to handle, you very well might get hacked. Thus, whenever you receive user input, convert it to a standard encoding scheme, such as plain ASCII, before applying your filters. This process is known as canonicalization, and it converts character streams of different encoding patterns to a single format that is compatible with your filtering code.
  • Filter all input: Filter every form of input to your application, including data that comes in via the network, the GUI, files read from the file system and so on. Don't assume that one of your fields or input vectors isn't important. Attackers will hunt for weaknesses and exploit them, so cover all of your bases.
  • Filter on the server side: In many applications, attackers might be able to control clients, such as browsers or thick-client GUIs, tweaking their functionality to bypass filtering done at the client. Thus, filter on the server side to protect all back-end functionality.
  • Don't worry about multiple layers of filtering: Sometimes, a single application will include multiple modules, each of which filters input that flows through that module. This architecture could result in a single set of input getting filtered multiple times as it snakes its way through the application. While that might be a performance concern, it's actually a good thing from a security perspective. The layers of filtering act like belts and suspenders to keep the overall application secure.
  • Use tried-and-true filters if available: Rather than rolling your own code for user input validation, use filters that have been carefully developed and rigorously tested by others, if you have access to such code. Some software development firms and large enterprises doing in-house development have defined reusable input validation code for all software they create. Find out if your organization has such code, learn how it works, and then use it. If you don't have such code in-house, you can adapt user input-validation code snippets from a variety of free sources. One of my favorites is the user input-validation code for PHP called Inspekt, funded by the OWASP project. Even if you don't use PHP, the concepts in the Inspekt project can be leveraged in other languages.
  • Get a penetration test: To make sure your code is secure, subject it to a controlled penetration test to see if flaws can be identified.

More information:

  • Learn more about canonicalization, one particular type of input validation attack.
  • A SearchSecurity.com reader asks expert Ed Skoudis, "What new tactics can enterprise security professionals use to protect against cross-site scripting?"