CSC 1029 Week 09 Input Validation PDF
Document Details
Uploaded by DivineZebra9695
Red Rocks Community College
Summary
This document is a lecture or presentation about input validation, which is important for secure coding implementation. It includes different types of input validation checks like format, length, type, and range checks, and strategies like allow- and deny-list approaches.
Full Transcript
CSC 1029 INPUT VALIDATION

OBJECTIVES
o Identify and describe secure coding implementation.
o Apply secure coding principles based on industry coding standards.
o Identify common software vulnerabilities.

AGENDA: WEEK 09
1. Input Validation Definitions
2. Input Validation: Format, Length, Type, Range
3. Allow List and Deny List
4. How to handle input errors
5. Demo
6. TODO
7. Resources for Help

OWASP INPUT VALIDATION CHEAT SHEET
Review the article – Define in your notes:
o Syntactic Validation
o Semantic Validation
o Allow List
o Block (Deny) List

SECURE IMPLEMENTATION OVERVIEW
Noted by Microsoft: There are only two types of security implementation issues:
1. Input validation
2. Everything else

INPUT VALIDATION DEFINED
Any program input – such as a user typing at a keyboard or a network connection – can potentially be the source of security vulnerabilities and disastrous bugs. All input should be treated as potentially dangerous.
It is always recommended to prevent attacks as early as possible in the processing of the user's (attacker's) request. Input validation can be used to detect unauthorized input before it is processed by the application.

WHAT IS AN INPUT VALIDATION ATTACK?
An input validation attack occurs when an attacker deliberately enters malicious input with the intention of confusing an application and causing it to carry out some unplanned action. Malicious input can include code, scripts and commands, which, if not validated correctly, can be used to exploit vulnerabilities.

INPUT VALIDATION: FORMAT | SYNTACTIC
Syntactic validation should enforce correct syntax of structured fields (e.g. SSN, date, currency symbol).
Format check – Checks that the data is in a specified format (template), e.g., dates have to be in the format mm/dd/yyyy.
A format check is a validation check which ensures that entered data is in a particular format or pattern. The format that data must be in is specified using an input mask.
The input mask is made up of special characters which indicate what characters may be typed where.

INPUT VALIDATION: LENGTH | SEMANTIC
Semantic validation should enforce correctness of their values in the specific business context (e.g. start date is before end date, price is within expected range).
Length check: variables are checked to ensure they are the appropriate length, for example, a US telephone number has 10 digits.

INPUT VALIDATION: TYPE
Is the data type correct? If the value is supposed to be numeric, is it numeric? If it is supposed to be a positive number, is it a negative number instead?
Data size checks: If the data is a string, is it of the correct length? Is it less than the expected maximum length? If it is numeric, is it of the correct size or accuracy? (For example, if an integer is expected, is the number that is passed too large to be an integer value?)
It is recommended to have data entered as a string and then validated before converting it to another data type.

INPUT VALIDATION: RANGE
Range check: numbers are checked to ensure they are within a range of possible values, e.g., the value for month should lie between 1 and 12.
Reasonable check: values are checked for their reasonableness, e.g. (age > 16) && (age < 100)

ALLOW LIST
Allow list validation (sometimes referred to as inclusion or positive validation) is appropriate for all input fields provided by the user. It involves defining exactly what IS authorized or allowed, and everything else is NOT authorized or blocked.
Use the allow listing approach, which compares input data against expected data formats, lengths, types and ranges.
Any data that does not match the expected data patterns is considered malicious and should be safely rejected by the application.

DENY LIST | BLOCK LIST
Deny-list validation (sometimes known as exclusion or negative validation) requires that you know all possible attack patterns, which is extremely difficult to perform correctly.
It is a common mistake to use deny-list validation in order to try to detect possibly dangerous characters and patterns like the apostrophe ' character, the string 1=1, or the tag, but this is a massively flawed approach as it is trivial for an attacker to bypass such filters.
Deny-list defines what is blocked and everything else is allowed.

INPUT VALIDATION FORMAT & LENGTH DEMO
Input Validation Tips:
o “All input is evil, until proven otherwise”
o Garbage In, Garbage Out
o Validate input that crosses trust boundaries
o Validate inputs against expected data: Format, Length, Type, Range

INPUT VALIDATION TYPE & RANGE DEMO
Data content: Does the data look like the expected type of data? For example, does it satisfy the expected properties of a ZIP Code if it is supposed to be a ZIP Code? Does it contain only the expected character set for the data type expected? If a name value is submitted, only some punctuation (single quotes and character accents) would normally be expected, and other characters, such as the less than sign (

Content > Resources for Help
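The format, length, type and range checks from the slides, together with the start-before-end semantic check, as an added Python example that is not part of the original lecture. The function names, the `ValidationError` class and the 32-character cap are assumptions for illustration; every field arrives as a string and is validated before conversion, as the TYPE slide recommends.

```python
import re
from datetime import date

DATE_RE = re.compile(r"([0-9]{2})/([0-9]{2})/([0-9]{4})")  # input mask mm/dd/yyyy
PHONE_RE = re.compile(r"[0-9]{10}")            # US phone number: exactly 10 digits
MAX_RAW_LEN = 32                               # assumed cap for any raw field

class ValidationError(ValueError):
    """Carries a message that is safe to show to the user."""

def _precheck(raw):  # type and length checks on the raw string, before conversion
    if not isinstance(raw, str):
        raise ValidationError("input must be text")
    if len(raw) > MAX_RAW_LEN:
        raise ValidationError("input is too long")
    return raw.strip()

def parse_date(raw):
    m = DATE_RE.fullmatch(_precheck(raw))      # format check
    if not m:
        raise ValidationError("date must be mm/dd/yyyy")
    month, day, year = map(int, m.groups())
    if not 1 <= month <= 12:                   # range check
        raise ValidationError("month must be between 1 and 12")
    try:
        return date(year, month, day)          # rejects 02/30/2024
    except ValueError:
        raise ValidationError("no such calendar date") from None

def parse_phone(raw):
    text = _precheck(raw)
    if not PHONE_RE.fullmatch(text):           # length and character set together
        raise ValidationError("phone must be exactly 10 digits")
    return text

def parse_age(raw):
    text = _precheck(raw)
    if not (text.isascii() and text.isdigit()):  # type check: rejects "-5", "1e3"
        raise ValidationError("age must be a whole number")
    age = int(text)
    if not (age > 16 and age < 100):           # reasonableness check from the slide
        raise ValidationError("age is out of range")
    return age

def parse_booking(start_raw, end_raw):
    start, end = parse_date(start_raw), parse_date(end_raw)
    if not start < end:                        # semantic check across two fields
        raise ValidationError("start date must be before end date")
    return start, end
```

Each parser either returns a converted value or raises `ValidationError`, so calling code never sees a half-validated field.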
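An added example (not from the lecture) that runs the deny-list and allow-list strategies over the ZIP Code and name fields the slides mention, and counts how often each gives the wrong verdict. The sample inputs are constructed, `<script>` stands in for the tag name that is missing from the slide text, and the 50-character name limit is an assumption.

```python
import re
import unicodedata

# Deny list from the patterns the slide names: the apostrophe, the string 1=1,
# and a tag (the tag name is missing on the page; "<script>" is assumed here).
DENY_PATTERNS = ("'", "1=1", "<script>")
ZIP_RE = re.compile(r"[0-9]{5}(-[0-9]{4})?")  # allow list: 5 digits, optional +4
MAX_NAME_LEN = 50                              # assumed business limit

def deny_list_ok(raw):
    """Negative validation: accept unless a known-bad pattern appears."""
    return not any(p in raw for p in DENY_PATTERNS)

def is_zip(raw):
    return isinstance(raw, str) and ZIP_RE.fullmatch(raw) is not None

def is_name(raw):
    """Accept letters (accents included) joined by single spaces or apostrophes."""
    if not isinstance(raw, str) or not 1 <= len(raw) <= MAX_NAME_LEN:
        return False
    text = unicodedata.normalize("NFC", raw)   # canonical form before checking
    return all(part.isalpha() for part in re.split(r"[ ']", text))

# Constructed samples: (field, value, is the value legitimate for that field?)
SAMPLES = [
    ("zip", "80401", True),
    ("zip", "80401-1234", True),
    ("zip", "80401 OR 2=2", False),   # no apostrophe, no "1=1"
    ("zip", "80401<SCRIPT>", False),  # upper case defeats the substring match
    ("name", "O'Brien", True),        # legitimate apostrophe
    ("name", "Jose\u0301", True),     # decomposed accent, fixed by NFC
    ("name", "Ann<b>", False),        # a tag the deny list never listed
]

def compare():
    """Rows of (value, legitimate, deny-list verdict, allow-list verdict)."""
    allow = {"zip": is_zip, "name": is_name}
    return [(v, ok, deny_list_ok(v), allow[f](v)) for f, v, ok in SAMPLES]

def error_counts():
    """How many samples each strategy judged wrongly: (deny, allow)."""
    rows = compare()
    return (sum(d != ok for _, ok, d, _ in rows),
            sum(a != ok for _, ok, _, a in rows))

if __name__ == "__main__":
    for row in compare():
        print(row)
    print("wrong verdicts (deny, allow):", error_counts())
```

The deny list errs in both directions: it accepts three malformed values and rejects the legitimate name O'Brien, while the allow-list checks classify all seven samples correctly.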