Input Validation Principles and Practices


If you use a principle-based approach, you can get rid of whole classes of security issues.  SQL injection, cross-site scripting and other flavors of input injection attacks are possible because of some bad practices.  Here are a few of the bad practices:

Bad Practices

  • you're relying on client-side input
  • you're not validating input
  • you're ignoring that input includes querystring, cookies, file and url paths
  • you're making security decisions on user input
  • you're not "sanitizing" (i.e. making safe) output


The key to input and data validation is to use a principle-based approach.  Here are some of the core principles and practices:

Good Practices

  • validate length, range, format and type
  • use whitelisting techniques over blacklisting
  • keep user input out of the control path
  • don't make security decisions from client input
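
The good practices above, applied together on the server side, as an added example that is not from the original post. The `users` table, the field names and the limits (3 to 20 characters, ages 0 to 150) are assumptions chosen for illustration, and the sample rows are constructed.

```python
import re
import sqlite3

# Allowlists: describe what is valid instead of listing what is dangerous.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")   # format and length
AGE_RE = re.compile(r"[0-9]{1,3}")                # ASCII digits only
# Client-supplied sort keys map to fixed column names, so the input itself
# never becomes part of the SQL text (input stays out of the control path).
SORT_COLUMNS = {"name": "username", "age": "age"}

def validate_username(raw):
    # fullmatch anchors both ends; "$" alone would accept a trailing newline.
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw

def validate_age(raw, low=0, high=150):
    # Type and format first, then range. int() alone would also accept
    # "+30", " 30 " and non-ASCII digits, so the pattern is checked first.
    if not isinstance(raw, str) or not AGE_RE.fullmatch(raw):
        raise ValueError("invalid age")
    age = int(raw)
    if not low <= age <= high:
        raise ValueError("age out of range")
    return age

def get_user(conn, raw_name):
    # Validated value is still passed as a bound parameter, never concatenated.
    name = validate_username(raw_name)
    return conn.execute(
        "SELECT username, age FROM users WHERE username = ?", (name,)).fetchone()

def find_users(conn, raw_min_age, raw_sort):
    min_age = validate_age(raw_min_age)
    # Lookup, not pass-through: unknown or non-string keys are rejected.
    column = SORT_COLUMNS.get(raw_sort) if isinstance(raw_sort, str) else None
    if column is None:
        raise ValueError("invalid sort key")
    sql = f"SELECT username, age FROM users WHERE age >= ? ORDER BY {column}"
    return conn.execute(sql, (min_age,)).fetchall()

def demo_db():
    # Constructed sample data for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("carol", 25), ("alice", 30), ("bob", 17)])
    return conn
```

The same checks apply to every input source the list of bad practices names: form fields, querystring values, cookies, and file and URL paths.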

If you use a principle-based approach, you don't have to chase every new threat or attack or its variation.  Here are a few resources that help get you started:

Published 11 December 06 02:45 by J.D. Meier

Comments

# Kevin Lam said on April 27, 2007 3:05 AM:

Hey J.D.,

Nice blog posting -- I just published a blog posting (first of 3 part series) on input validation at http://www.buildingsecurecode.com/2007/04/26/approaches-to-input-validation/.  

Thanks,

Kevin

--

Kevin Lam

Impacta LLC (http://www.impactalabs.com)

"Risk management solutions working for you"
