CSC 1029 Input Validation Quiz

Questions and Answers

What is the primary purpose of input validation in software applications?

To improve application performance

To prevent unauthorized input and security vulnerabilities (correct)

To enhance user interface design

To streamline coding processes

Which type of validation checks that data adheres to a specified format or template?

Range validation

Type validation

Syntactic validation (correct)

Semantic validation

What does an input validation attack typically involve?

Sending overly large data packets

Using encryption to secure input data

Entering data into a program for testing purposes

Deliberately submitting malicious data to exploit vulnerabilities (correct)

What is the significance of an allow list in input validation?

It specifies acceptable values for input

According to a secure implementation overview, what type of issues primarily affect security?

Input validation and everything else

What does a format check in input validation ensure?

That the input complies with a set template or pattern

What is the primary function of an input mask?

To limit input to specific characters

What are some common types of input validation checks?

Length, type, and range validation

Which type of validation ensures that a start date does not come after an end date?

Semantic validation

What does range validation check?

If a number falls within allowable limits

Which type of validation checks whether the input is within defined limits?

Range validation

What is a potential outcome of failing to implement proper input validation?

Security vulnerabilities and bugs

What is a characteristic of allow list validation?

It blocks all inputs not on a predefined list

Which of the following would NOT be considered a good practice in input validation?

Allowing all data types without constraint

What is a key benefit of performing a length check on input data?

Prevents the entry of excessively long strings

Which validation type requires knowledge of all potential attack patterns?

Denial list validation

What type of checks ensure that a telephone number has exactly 10 digits?

Length checks

What is one method to validate whether a numeric value is valid for a specific context?

Range checks

In input validation, what is the purpose of performing a reasonable check?

To check reasonableness against set expectations

Which of the following is not a reason to use input validation?

To enhance user experience

Study Notes

CSC 1029 Input Validation

• Objectives: Identify and describe secure coding implementation. Apply secure coding principles based on industry coding standards. Identify common software vulnerabilities.

• Agenda (Week 09):

  • Input Validation Definitions
  • Input Validation (Format, Length, Type, Range)
  • Allow List and Deny List
  • Handling input errors
  • Demo
  • TODO
  • Resources for Help

OWASP Input Validation Cheat Sheet

• Review the article to define:
  • Syntactic Validation
  • Semantic Validation
  • Allow List
  • Block (Deny) List

Secure Implementation Overview

• Microsoft noted only two types of security implementation issues:
  • Input validation
  • Everything else

Input Validation Defined

• Any program input (e.g., user typing, network connection) can be a source of security vulnerabilities and bugs.
• Treat all input as potentially dangerous.
• Prevent attacks as early as possible in processing user requests.
• Use input validation to detect unauthorized input before processing.

What is Input Validation Attack?

• An attacker deliberately enters malicious input to confuse an application and cause unplanned actions.
• Malicious input can include code, scripts, and commands that exploit vulnerabilities if not validated correctly.

Input Validation: Format/Syntactic

• Syntactic validation enforces correct syntax of structured fields (e.g., SSN, dates, currency symbols).
• Format check ensures data is in a specified format (template), like mm/dd/yyyy for dates.
• Input mask uses special characters to indicate where specific characters can be typed.

Input Validation: Length/Semantic

• Semantic validation ensures data correctness in a business context (e.g., start date before end date, price within range).
• Length checking ensures variables have the appropriate length (e.g., US phone numbers have 10 digits).

Input Validation: Type

• Check if the data type is correct (e.g., numeric, positive number).
• Check data size to verify string lengths and numeric accuracy (e.g., integer size).
• Often recommended to initially enter data as a string and then validate before converting it to another data type.

Input Validation: Range

• Range checking ensures numbers are within a specific range (e.g., months 1-12).
• Reasonable checking verifies values match expectations (e.g., age between 16 and 100).

Allow List

• Allow list validation (also called inclusion or positive validation) is appropriate for all user-provided input.
• It defines what input is authorized, and everything else is blocked.
• Compare input data against expected formats, lengths, types, and ranges.
• Reject any data that doesn't match.

Deny List/Block List

• Deny list validation (also called exclusion or negative validation) requires knowledge of all possible attack patterns (difficult).
• It's a common mistake to use a deny list to try detecting dangerous characters.
• It is a flawed approach as it is easy for attackers to bypass filters.
• It defines what is blocked, with everything else allowed.

Input Validation Format & Length Demo

• "All input is evil, until proven otherwise."
• Garbage in, garbage out.
• Validate input that crosses trust boundaries.
• Validate inputs against expected data: format, length, type, range.

Input Validation Type & Range Demo

• Verify data content matches expected type (e.g., a ZIP code).
• Ensure data contains only expected characters for the data type (e.g., allowed punctuation in a name).

Input Validation Defense-in-Depth

• Input validation is a valuable security tool.
• It should be part of a broader defense-in-depth strategy.
• Multiple layers of defense are necessary for overall application security.

What to Do When Input Fails

• Recovery and Continuing: Recover from input validation failure by sanitizing or fixing the input problem programmatically.
• Failing the Action and Reporting an Error: Disadvantage is that the user experience is interrupted and any in-progress transaction may be lost.

References

• Microsoft Secure Implementation Principles
• Cybersecurity Modules: Security Injections
• Input Validation Cheat Sheet
• Application Security Terminology
• Science Direct - Input validation

TODO

• Post weekly discussion question and research solution to D2L.
• Complete Week 09 Content Module in D2L to 100%.

Help/Questions

• Student Office Hours (by appointment or drop-in)
• Email: [email protected]
• RRCC On-Campus Tutoring
• 24/7 online tutoring (via D2L)

Description

Test your knowledge on input validation principles, secure coding implementation, and common software vulnerabilities as covered in CSC 1029. This quiz will guide you through key concepts like Allow List, Deny List, and error handling techniques. Prepare for secure coding best practices based on industry standards.