Tuesday, May 23, 2006
A Modular Approach to Data Validation in Web Applications
I haven't actually read the article yet. It might be interesting, might not. But I do take umbrage at the first sentence of this posting:
"Data that is not validated or poorly validated is the root cause of a number of serious security vulnerabilities affecting applications, such as Cross Site Scripting and SQL Injection."
Validation (or the lack thereof) is not the root cause of these vulnerabilities. XSS and SQL injection are, by definition, all about confusion. Confusing code with data, and vice versa. Validation is one (of several) ways to deal with the problem, and in some cases it is the best. But to say it is the root cause of the issue is a mistake.
EDIT: Oh, wait, this is that same paper that was beaten to death on webappsec. The actual PDF doesn't make the same simple (but wrong) statements as the TSS story. It's actually one of the better brief explanations of validation concerns that I have ever read. I still do not, however, share the author's opinion that sanitizing data is a subclass of validation, and I think that lumping them together will confuse the ignorant.
Of course, one of the replies neatly sums up the whole thing, so there is no need to really even read the PDF:
- Handle simple input validation (string, number, length etc.) when input enters your system, either from the user or a subsystem
- Never massage input to make it valid - throw away and give an error message
- Handle domain specific input validation in your domain objects as this is domain knowledge
- Handle meta characters when data is leaving your system
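As an added example (not code from the original post or from the paper it discusses), here are the reply's rules in Python: reject-only validation where input enters, and then parameterised SQL and HTML escaping where the data leaves the system, which is what actually keeps data from being confused with code. The Comment type, the sqlite table and the sample inputs are constructed for illustration.

```python
import html
import sqlite3
from dataclasses import dataclass


class ValidationError(ValueError):
    """Raised at the system boundary; the input is rejected, never repaired."""


@dataclass(frozen=True)
class Comment:  # hypothetical domain object for the example
    author: str
    body: str


def validate_comment(form: dict) -> Comment:
    """Entry boundary: check type, length and character class only. No massaging."""
    author = form.get("author")
    body = form.get("body")
    if not isinstance(author, str) or not isinstance(body, str):
        raise ValidationError("author and body must be strings")
    if not (1 <= len(author) <= 40) or not (1 <= len(body) <= 2000):
        raise ValidationError("author or body has an invalid length")
    if not all(c.isalnum() or c in " ._-'" for c in author):
        raise ValidationError("author contains disallowed characters")
    # The body is free text: apostrophes and angle brackets are legitimate here,
    # which is exactly why validation alone cannot prevent XSS or SQL injection.
    return Comment(author=author, body=body)


def store_comment(conn: sqlite3.Connection, comment: Comment) -> int:
    """Exit to the database: bound parameters keep the data out of the SQL code."""
    cur = conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)",
        (comment.author, comment.body),
    )
    return cur.lastrowid


def render_comment(comment: Comment) -> str:
    """Exit to the browser: escape meta characters so text is never parsed as markup."""
    return (f"<p><b>{html.escape(comment.author)}</b>: "
            f"{html.escape(comment.body)}</p>")


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory schema so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn
```

Note that the stored body is byte-for-byte what the user sent: nothing is stripped on the way in, and the same value is encoded differently for each destination on the way out.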