Learn the significance of input validation and how to mitigate data breaches. Follow best practices, including allowlisting, server-side validation, and handling unexpected user input effectively.
This article discusses the importance of input validation in software systems and provides guidelines on how to properly validate inputs. It covers syntax and semantic validity, allowlisting vs denylisting, client-side and server-side validation, regular expressions, limits of input validation, challenges of validating serialized data, unexpected user input (mass assignment), validating and sanitizing HTML, and the use of validation functionality in libraries and frameworks.
Input validation is a crucial programming technique that ensures only properly formatted data enters a software system component. This article explains the importance of both syntactic and semantic validity checks, as well as the use of allowlisting and denylisting approaches. It emphasizes that input validation should always be performed on the server side and highlights the potential vulnerabilities that can arise from complex or serialized data. The article also discusses the challenges of handling unexpected user input and the need for validation libraries and frameworks. Overall, it provides comprehensive insights into the best practices for input validation.
To prevent data breaches related to input validation, it is essential to follow these best practices:
1. Perform both syntactic and semantic validity checks on all user inputs.
2. Prefer allowlisting over denylisting for input validation.
3. Always perform input validation on the server side to ensure maximum security.
4. Utilize regular expressions to define allowlist rules for validating specific patterns.
5. Be cautious while creating regular expressions to avoid potential denial of service conditions.
6. Understand the limitations of input validation and implement additional defenses such as query parameterization or escaping.
7. Handle unexpected user input, such as mass assignment, by using data transfer objects or setting up allowlist rules.
8. Employ HTML parsing and cleaning libraries for accepting HTML input.
9. Leverage validation functionality provided by libraries and frameworks.
Mass Assignment Attack: An attacker exploits the auto-binding feature of a framework to modify server-side objects that were not meant to be modified. By adding unauthorized parameters to the HTTP request, the attacker can manipulate the access control level or bypass the intended business logic of the application.
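The following is an added example, not code from the article, showing how several of the practices above fit together for a hypothetical "update profile" request: a data transfer object with an explicit field allowlist (so an injected `is_admin` key is rejected rather than bound), anchored regular expressions with bounded repetition (no nested quantifiers, so they cannot be driven into catastrophic backtracking), and a semantic range check on top of the syntactic ones. The field names, patterns and sample requests are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed field allowlist for a hypothetical "update profile" endpoint.
ALLOWED_FIELDS = {"username", "email", "age"}

# Anchored via fullmatch(); bounded repetition and no nested quantifiers,
# so hostile input cannot trigger catastrophic backtracking (ReDoS).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(?:\.[A-Za-z0-9-]{1,63})+")


@dataclass(frozen=True)
class ProfileUpdate:
    """Data transfer object: the only fields the endpoint may bind from a request."""
    username: str
    email: str
    age: int


def validate_profile_update(payload: dict) -> tuple[Optional[ProfileUpdate], list[str]]:
    """Return (dto, []) on success or (None, errors). Unknown keys are never bound."""
    errors: list[str] = []
    # Allowlist the key set: reject unknown keys instead of silently dropping them,
    # so a smuggled 'is_admin' or 'role' is caught and can be logged.
    unexpected = sorted(set(payload) - ALLOWED_FIELDS)
    if unexpected:
        errors.append(f"unexpected fields: {unexpected}")
    missing = sorted(ALLOWED_FIELDS - set(payload))
    if missing:
        errors.append(f"missing fields: {missing}")
    if errors:
        return None, errors
    username, email, age = payload["username"], payload["email"], payload["age"]
    # Syntactic checks: correct type and shape (length-capped before the regex runs).
    if not (isinstance(username, str) and USERNAME_RE.fullmatch(username)):
        errors.append("username: must be 3-20 characters [A-Za-z0-9_]")
    if not (isinstance(email, str) and len(email) <= 254 and EMAIL_RE.fullmatch(email)):
        errors.append("email: not a syntactically valid address")
    # Semantic check: a real int (bool is an int subclass in Python) in a sensible range.
    if isinstance(age, bool) or not isinstance(age, int) or not 13 <= age <= 120:
        errors.append("age: must be an integer between 13 and 120")
    if errors:
        return None, errors
    return ProfileUpdate(username, email, age), []


# Constructed sample requests (not real traffic).
GOOD_REQUEST = {"username": "alice_01", "email": "alice@example.com", "age": 34}
MASS_ASSIGNMENT_ATTEMPT = {**GOOD_REQUEST, "is_admin": True}
BAD_SEMANTICS = {"username": "bob", "email": "bob@example.com", "age": 500}
```

Rejecting unknown keys (rather than ignoring them) also gives the application a precise event to log, which is the detection side of the mass-assignment defence.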