Lec 6 Data Validation

Data Validation

Process of minimizing malformed data from entering the system

Data Validation

Ensures that the application is robust against all forms of input data, whether obtained from the user, infrastructure, external entities or database systems

Failure to properly validate input

Data Validation: Most common web application security weakness is the _____ from the client or environment

Failure to properly validate input

Data Validation: Leads to almost all of the major vulnerabilities in applications, such as Interpreter Injection

Should never be trusted

Data Validation: Data from the client _____ for the client has every possibility to tamper with the data

Data Validation

Should be applied to all input data, at minimum

Allowed set of characters

Data Validation: Define the _____ to be accepted

Minimum and maximum

Data Validation: Defines a _____ length for the data (e.g. {1,25}).

Performed on the server

Data Validation: Ensure that any input validation performed on the client is also _____

Not

Data Validation Components: Data validation is _____ the primary method of preventing XSS, SQL Injection

Tampered with

Data Validation Components: Ensure that the data has not been _____ and is the same as before

Business rules

Data Validation Components: Ensure that data is not only validated, but _____ is/are correct. e.g. Interest rates fall within permitted boundaries

Strongly typed

Data Validation Components: Ensure that the data is _____, correct syntax, within length boundaries, contains only permitted characters, or that numbers are correctly signed and within range boundaries

Correct syntax

Data Validation Components: Ensure that the data is strongly typed, _____, within length boundaries, contains only permitted characters, or that numbers are correctly signed and within range boundaries

Within length boundaries

Data Validation Components: Ensure that the data is strongly typed, correct syntax, _____, contains only permitted characters, or that numbers are correctly signed and within range boundaries

Contains only permitted characters

Data Validation Components: Ensure that the data is strongly typed, correct syntax, within length boundaries, _____, or that numbers are correctly signed and within range boundaries

Numbers are correctly signed and within range boundaries

Data Validation Components: Ensure that the data is strongly typed, correct syntax, within length boundaries, contains only permitted characters, or that _____

Be included wherever data passes

Integrity Checks: Integrity checks must _____ from a trusted to a less trusted boundary

Application to client browser

Integrity Checks: Data passes from _____ in a hidden field

Third-party payment gateway

Integrity Checks: Data passes to _____, such as a transaction ID used internally upon return

Performed on every tier

Validation: Validation must be _____

Per the function

Validation: Validation should be performed as _____ of the server executing the code

Web/presentation tier

Validation: The _____ should validate for web related issues

Persistence layers

_____ should validate for persistence issues such as SQL injection

Business Rules

Known during design, and they influence implementation

Simplest

Business Rules: There are good, bad, and “best” approaches to business rules. Often the best approach is the _____ in terms of code.

Data Validation Strategies

Accept Known Good, Reject Known Bad, Sanitize, No Validation

Accept Known Good

Data Validation Strategies: Also known as “whitelist” or “positive” validation

Reject Known Bad

Data Validation Strategies: Also known as “negative” or “blacklist” validation

Sanitize

Data Validation Strategies: Rather than accept or reject input, another option is to change the user input into an acceptable format

No Validation

Data Validation Strategies: Unsafe and strongly discouraged

No Validation

Data Validation Strategies: Leads to direct elimination of application, host and network security controls

White List Validation

Recommended to prevent attacks as early as possible in the processing of the user’s (attacker’s) request

White List Validation

Usually based on regular expressions

Filename uses an expected extension

Upload Verification: Use input validation to ensure the uploaded _____ type

Defined maximum file size

Upload Verification: Ensure the uploaded file is not larger than a _____

Verify the image is valid

Upload Verification: Use image rewriting libraries to _____ and to strip away extraneous content

Set the extension of the stored image

Upload Verification: _____ to be a valid image extension based on the detected content type of the image from image processing

Within a list of defined image types

Upload Verification: Ensure the detected content type of the image is _____

New filename

Upload Storage: Use a _____ to store the file on the OS

User-controlled text

Upload Storage: Do not use any _____ for this filename or for the temporary filename

Analyzed

Upload Storage: Uploaded files should be _____ for malicious content

Correct content-type

Public Serving of Uploaded Content: Ensure uploaded images are served with the _____

@

Email Validation Basics: Check for presence of at least one _____ symbol in the address

64

Email Validation Basics: Ensure the local-part is no longer than _____ octets

Deliverable

Email Validation Basics: Ensure the address is

255

Email Validation Basics: Ensure the domain is no longer than _____ octets

Case-sensitive in the local portion

Email Validation Basics: A mailbox address must be _____ of the address (left of the rightmost @ character)

Non-alphanumeric characters

Email Validation Basics: A mailbox address must have _____ in the local-part

Zero or more

Email Validation Basics: A mailbox address must have _____ labels

Data Validation Components

Validation, Integrity Checks, Business Rules