CSC 1029 Input Validation Quiz

Questions and Answers

What is the primary purpose of input validation in software applications?

• To improve application performance
• To prevent unauthorized input and security vulnerabilities (correct)
• To enhance user interface design
• To streamline coding processes

Which type of validation checks that data adheres to a specified format or template?

• Range validation
• Type validation
• Syntactic validation (correct)
• Semantic validation

What does an input validation attack typically involve?

• Sending overly large data packets
• Using encryption to secure input data
• Entering data into a program for testing purposes
• Deliberately submitting malicious data to exploit vulnerabilities (correct)

What is the significance of an allow list in input validation?

It specifies acceptable values for input (B)

According to a secure implementation overview, what type of issues primarily affect security?

Input validation and everything else (B)

What does a format check in input validation ensure?

That the input complies with a set template or pattern (B)

What is the primary function of an input mask?

To limit input to specific characters (C)

What are some common types of input validation checks?

Length, type, and range validation (C)

Which type of validation ensures that a start date does not come after an end date?

Semantic validation (B)

What does range validation check?

If a number falls within allowable limits (B)

Which type of validation checks whether the input is within defined limits?

Range validation (D)

What is a potential outcome of failing to implement proper input validation?

Security vulnerabilities and bugs (B)

What is a characteristic of allow list validation?

It blocks all inputs not on a predefined list (B)

Which of the following would NOT be considered a good practice in input validation?

Allowing all data types without constraint (C)

What is a key benefit of performing a length check on input data?

Prevents the entry of excessively long strings (D)

Which validation type requires knowledge of all potential attack patterns?

Denial list validation (D)

What type of checks ensure that a telephone number has exactly 10 digits?

Length checks (C)

What is one method to validate whether a numeric value is valid for a specific context?

Range checks (D)

In input validation, what is the purpose of performing a reasonable check?

To check reasonableness against set expectations (D)

Which of the following is not a reason to use input validation?

To enhance user experience (A)

Flashcards

Input Validation

Checking user input to prevent security vulnerabilities and errors.

Input Validation Attack

An attack where malicious input is provided to exploit application vulnerabilities.

Syntactic Validation

Checking if user input follows the correct structure.

Format Check

Validating user input to ensure it matches a specific format.

Allow List

Validating user input by permitting only specific values or formats.

Block (Deny) List

Validating user inputs by restricting specific values or formats.

Semantic Validation

Checking the meaning or context of user input beyond format to ensure data is valid and useful

Input Validation Implementation

Using secure coding principles to implement Input Validation

Common Software Vulnerabilities

Weaknesses in software that attackers can exploit.

Secure Coding

Writing software that prevents security issues and exploits by checking and securely handling input and data.

Input Mask

Special characters defining acceptable input formats.

Length Validation

Checking if input data has the correct length.

Type Validation

Ensuring input data is of the correct data type.

Data Size Checks

Validating input data's size constraints (maximum and minimum).

Range Validation

Checking if input values fall within a specified range.

Allow List Validation

Validating input by specifying only permitted values.

Deny List Validation

Validating input by identifying and rejecting specific values.

Reasonable Check

Validating the input values for their appropriateness in a given situation.

Study Notes

CSC 1029 Input Validation

• Objectives: Identify and describe secure coding implementation. Apply secure coding principles based on industry coding standards. Identify common software vulnerabilities.

• Agenda (Week 09):

  • Input Validation Definitions
  • Input Validation (Format, Length, Type, Range)
  • Allow List and Deny List
  • Handling input errors
  • Demo
  • TODO
  • Resources for Help

OWASP Input Validation Cheat Sheet

• Review the article to define:
  • Syntactic Validation
  • Semantic Validation
  • Allow List
  • Block (Deny) List

Secure Implementation Overview

• Microsoft noted only two types of security implementation issues:
  • Input validation
  • Everything else

Input Validation Defined

• Any program input (e.g., user typing, network connection) can be a source of security vulnerabilities and bugs.
• Treat all input as potentially dangerous.
• Prevent attacks as early as possible in processing user requests.
• Use input validation to detect unauthorized input before processing.

What is Input Validation Attack?

• An attacker deliberately enters malicious input to confuse an application and cause unplanned actions.
• Malicious input can include code, scripts, and commands that exploit vulnerabilities if not validated correctly.

Input Validation: Format/Syntactic

• Syntactic validation enforces correct syntax of structured fields (e.g., SSN, dates, currency symbols).
• Format check ensures data is in a specified format (template), like mm/dd/yyyy for dates.
• Input mask uses special characters to indicate where specific characters can be typed.

Input Validation: Length/Semantic

• Semantic validation ensures data correctness in a business context (e.g., start date before end date, price within range).
• Length checking ensures variables have the appropriate length (e.g., US phone numbers have 10 digits).

Input Validation: Type

• Check if the data type is correct (e.g., numeric, positive number).
• Check data size to verify string lengths and numeric accuracy (e.g., integer size).
• Often recommended to initially enter data as a string and then validate before converting it to another data type.

Input Validation: Range

• Range checking ensures numbers are within a specific range (e.g., months 1-12).
• Reasonable checking verifies values match expectations (e.g., age between 16 and 100).

Allow List

• Allow list validation (also called inclusion or positive validation) is appropriate for all user-provided input.
• It defines what input is authorized, and everything else is blocked.
• Compare input data against expected formats, lengths, types, and ranges.
• Reject any data that doesn't match.

Deny List/Block List

• Deny list validation (also called exclusion or negative validation) requires knowledge of all possible attack patterns (difficult).
• It's a common mistake to use a deny list to try detecting dangerous characters.
• It is a flawed approach as it is easy for attackers to bypass filters.
• It defines what is blocked, with everything else allowed.

Input Validation Format & Length Demo

• "All input is evil, until proven otherwise."
• Garbage in, garbage out.
• Validate input that crosses trust boundaries.
• Validate inputs against expected data: format, length, type, range.

Input Validation Type & Range Demo

• Verify data content matches expected type (e.g., a ZIP code).
• Ensure data contains only expected characters for the data type (e.g., allowed punctuation in a name).

Input Validation Defense-in-Depth

• Input validation is a valuable security tool.
• It should be part of a broader defense-in-depth strategy.
• Multiple layers of defense are necessary for overall application security.

What to Do When Input Fails

• Recovery and Continuing: Recover from input validation failure by sanitizing or fixing the input problem programmatically.
• Failing the Action and Reporting an Error: Disadvantage is that the user experience is interrupted and any in-progress transaction may be lost.

References

• Microsoft Secure Implementation Principles
• Cybersecurity Modules: Security Injections
• Input Validation Cheat Sheet
• Application Security Terminology
• Science Direct - Input validation

TODO

• Post weekly discussion question and research solution to D2L.
• Complete Week 09 Content Module in D2L to 100%.

Help/Questions

• Student Office Hours (by appointment or drop-in)
• Email: [email protected]
• RRCC On-Campus Tutoring
• 24/7 online tutoring (via D2L)

Description

Test your knowledge on input validation principles, secure coding implementation, and common software vulnerabilities as covered in CSC 1029. This quiz will guide you through key concepts like Allow List, Deny List, and error handling techniques. Prepare for secure coding best practices based on industry standards.