Hello folks,

I just completed my blog series on Input Validation Strategies on our hackers blog - http://blogs.msdn.com/hackers

Dan Cornell summarized this series perfectly on his blog http://denimgroup.typepad.com/denim_group/2008/01/first-line-of-d.html - here is what he had to say -
--------------------------------------------------------------------------------------------------------------------------------------------------------------

First Line of Defense for Web Applications - Series of Great MSDN Blog Posts

By Dan Cornell


There is a fantastic set of blog posts over on the Hackers blog on MSDN taking a deep look at input validation. Input validation is the most important thing you can do to make applications safer from malicious attackers.  If input validation is implemented well, you can even have glaring vulnerabilities in your application code but have the validation layer render them unexploitable or at least reduce the impact.  This isn't true all the time and input validation won't protect against many classes of attack, but starting with input validation as your foundation puts you in a position to avoid a lot of really silly, easy to find and exploit vulnerabilities.

The installments are:

My favorite part about this series are the examples in parts 4 and 5.  They go through common, ineffective protection measures that teams implement and provide examples of attack payloads that circumvent these protections.  This is great information because a lot of development teams are using these ineffective protection mechanisms ("we replace every ' character with '' to prevent SQL injection...") and think that they are safe.  Having a set of clear and concise counter-examples is very useful in being able to see how applications remain exposed.

The series of articles also does a great job of demonstrating how black-list (negative) validation is a not-very-secure and ultimately brittle approach to validation.  They even provide an example of how the built-in ASP.NET Cross Site Scripting (XSS) protection (based on black-list validation) has been defeated in the past.

Even though there are a lot of ASP.NET specific examples, the principles covered in these posts apply to anyone developing applications deployed in a hostile environment - regardless of implementation platform.

--Dan
dan _at_ denimgroup.com

PS - I took the photo while riding ATVs on the beaches in Costa Rica last fall.

--------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks & Stay Secure
Anmol Malhotra
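As an added illustration of the point Dan highlights about parts 4 and 5 (quote-doubling as an ineffective black-list filter versus positive validation), here is a small Python example written for this post; it is not code from the MSDN series or from Dan's blog. The field names, regular expressions and the in-memory `customers` table are all constructed for the example, and Python is used instead of ASP.NET so the snippet runs stand-alone.

```python
import re
import sqlite3

# Constructed illustration of the two approaches the post contrasts.
# The black-list style rewrites one "dangerous" character and accepts
# everything else; the positive (allowlist) style rejects anything that
# does not match the shape the field is expected to have.

def blacklist_quote_doubling(value: str) -> str:
    """The ineffective filter quoted in the post: replace ' with ''.
    It never rejects input, it only transforms one character."""
    return value.replace("'", "''")

# Allowlist of expected shapes per field (hypothetical field names).
ALLOWLIST = {
    "customer_id": re.compile(r"[1-9][0-9]{0,8}"),
    "postcode": re.compile(r"[A-Z0-9]{3,10}"),
}

def validate(field: str, value: str) -> bool:
    """Positive validation: unknown fields and non-matching values fail."""
    pattern = ALLOWLIST.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None

def compare_approaches(samples):
    """For each constructed sample, show what the quote filter produces
    (it passes everything through) next to the allowlist decision."""
    return {
        s: {
            "quote_filter_output": blacklist_quote_doubling(s),
            "allowlist_accepts": validate("customer_id", s),
        }
        for s in samples
    }

def lookup_customer(conn: sqlite3.Connection, raw_id: str):
    """Validate first, then query with a bound parameter so the value is
    data rather than SQL text, regardless of what validation missed."""
    if not validate("customer_id", raw_id):
        raise ValueError("customer_id must be a positive integer")
    row = conn.execute(
        "SELECT name FROM customers WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None

def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table used only by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO customers VALUES (42, 'O''Brien')")
    return conn
```

Running `compare_approaches(["42", "42 extra"])` shows the quote filter leaving a malformed id untouched while the allowlist rejects it; the parameterized query in `lookup_customer` is the second layer that keeps a validation gap from turning into a SQL injection.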