Validating user data in Web Apps

Web applications are an easy target for script kiddies and black hats alike: they are reachable from the Internet, and almost every one of them has some form of access to the organisation's data. Protection mechanisms must therefore be put in place against attempts to break into them.

Validating the data that a user sends to the web server is of paramount importance for web application security. Malicious users deliberately send unexpected data to the application to see how it reacts, and to try to make it behave in ways its developers never intended.

In this article, we will look at the different aspects of input validation.

1. Use well known APIs where possible for data validation
OWASP ESAPI (Enterprise Security API) is available for Java and provides a Validator interface for input validation and an Encoder for canonicalization and output encoding. Apache Struts also ships a validation framework, although it is a web MVC framework rather than a security library. Organisations should standardise on one validation API (for example one built on ESAPI, or on the validator of the framework they already use) so that developers call shared, reviewed routines. Developers should not be required to write input validation code separately for each application; that is how inconsistent and incomplete checks creep in.

2. Specify acceptable data types
If a field should contain only integers, accept only integers and reject everything else. Where it makes sense, also specify a range, for example between 0 and 100, and check the range after the value has been converted to a number rather than by comparing strings.

3. Use white lists
Do not try to define all possible bad characters; you will miss some, and attackers will find the ones you missed. Instead define the characters that are good and acceptable for that particular field, and reject anything that is not in that list.

4. Limit input size
Give every field a maximum size appropriate to its content: for example 20 characters for a login ID, 100 for a name, 15 digits for a phone number, 3 for an age, and so on. Check the length before running more expensive checks such as regular expressions or database lookups, so that oversized input is discarded cheaply.

5. Canonicalize data
User input may arrive encoded: URL encoding, HTML entities, Unicode variants of ASCII characters, or several of these stacked on top of each other. Decode it into one canonical, plain form before validating it; otherwise a validator that looks for < will not recognise %3C or &lt;. Input that still changes after a further round of decoding has been encoded more than once, which no legitimate browser does, and is safer to reject outright. ESAPI canonicalizes data automatically as part of validation and treats input that is encoded more than once as suspicious.

6. Validate every field
Every field in every form, including hidden fields, query string parameters, cookies, any HTTP headers the application reads, and the standard variables that frameworks such as .NET manage on the page's behalf, must be validated before it is processed. Session variables must be validated at the point where user-supplied data is copied into them. Anything the browser sends can be modified by the user, so a hidden field or a cookie deserves no more trust than a visible text box.

7. Server side validation + client side validation
Client side validation improves the user experience by catching mistakes before a round trip to the server, but it is not a security control: a malicious user can disable it, modify the data after it has run, or send requests directly with a tool instead of a browser. Every check must therefore be repeated on the server side, and server side validation must never be skipped because a client side check exists.
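The checks in points 2 to 7 applied together, as an added example in Python that is not part of the original article and does not use ESAPI. The field names, length limits, allow-list patterns and the two sample requests are assumptions chosen for the illustration; the request dictionaries are constructed to look like what a framework hands a handler, with the cookie and the hidden field treated exactly like visible fields.

```python
import html
import re
import unicodedata
from urllib.parse import unquote


class ValidationError(ValueError):
    """Raised when a field fails one of the checks below."""


# Allow-list rules per field (assumed names and limits, chosen for this example).
# "pattern" is matched against the whole canonical value, so only listed
# characters can get through; "max_len" is checked before the pattern runs.
FIELD_RULES = {
    "login_id": {"pattern": r"[A-Za-z0-9_.]+", "max_len": 20},
    "name":     {"pattern": r"[A-Za-z][A-Za-z '\-]*", "max_len": 100},
    "phone":    {"pattern": r"[0-9]+", "max_len": 15},
    "age":      {"pattern": r"[0-9]+", "max_len": 3, "type": int, "range": (0, 120)},
    "next":     {"pattern": r"/[A-Za-z0-9/_\-]*", "max_len": 200},  # hidden field
    "session":  {"pattern": r"[a-f0-9]{32}", "max_len": 32},        # cookie
}


def canonicalize(raw):
    """Reduce URL-encoded, entity-encoded and Unicode-variant input to one plain form.

    Input that still changes on a second decoding round was encoded more than
    once; a legitimate browser never does that, so it is rejected.
    """
    once = html.unescape(unquote(raw))      # %3C -> <, &lt; -> <
    twice = html.unescape(unquote(once))
    if twice != once:
        raise ValidationError("double-encoded input rejected")
    return unicodedata.normalize("NFKC", once)  # fullwidth U+FF1C -> '<'


def validate_field(name, raw, rule):
    """Canonicalize, then check length, allow list, type and range, in that order."""
    value = canonicalize(raw)
    if len(value) > rule["max_len"]:
        raise ValidationError(f"{name}: longer than {rule['max_len']} characters")
    if not re.fullmatch(rule["pattern"], value):
        raise ValidationError(f"{name}: contains characters outside the allow list")
    if rule.get("type") is int:
        number = int(value)             # safe: the pattern only let digits through
        low, high = rule["range"]
        if not low <= number <= high:
            raise ValidationError(f"{name}: {number} is outside {low}..{high}")
        return number
    return value


def validate_request(request):
    """Validate every user-controlled element: form fields, hidden fields and cookies.

    Returns (clean, errors). Unknown fields are errors rather than passed through,
    and a missing field is an error too, since a hidden field can simply be dropped.
    """
    clean, errors = {}, {}
    submitted = {**request["form"], **request["cookies"]}
    for name, raw in submitted.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            errors[name] = "unexpected field"
            continue
        try:
            clean[name] = validate_field(name, raw, rule)
        except ValidationError as exc:
            errors[name] = str(exc)
    for name in FIELD_RULES:
        if name not in submitted:
            errors[name] = "missing field"
    return clean, errors


# Constructed sample requests, shaped as a framework hands them to a handler.
GOOD_REQUEST = {
    "form": {"login_id": "jdoe_42", "name": "Jane Doe", "phone": "14155550123",
             "age": "34", "next": "/account/home"},
    "cookies": {"session": "0123456789abcdef0123456789abcdef"},
}
# The same fields after the client-side checks were bypassed: each one is hostile.
BAD_REQUEST = {
    "form": {"login_id": "admin'--",                        # SQL metacharacters
             "name": "%EF%BC%9Cscript%EF%BC%9Ealert(1)",     # fullwidth <script>, URL-encoded
             "phone": "1" * 40,                             # oversized
             "age": "999",                                  # right type, wrong range
             "next": "%252F%252Fevil.example"},             # double-encoded //evil.example
    "cookies": {"session": "../../etc/passwd"},             # tampered cookie
}

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        clean, errors = validate_request(req)
        print(label, "clean:", clean)
        print(label, "errors:", errors)
```

Note the order: canonicalize first, so that a fullwidth or percent-encoded < is judged as <; then length, so a megabyte of input is thrown out before the regular expression runs; then the allow list; then type and range on the converted number. A legitimate user who types a literal &amp; into a text field will be told the input is double-encoded; that is the conservative trade-off this strict mode makes.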

8. Output encode characters
XSS attacks typically happen when output encoding is not in place. Output encoding must be applied to any untrusted data written into a page, whether it came from the current request or from the database, unless that data is genuinely meant to be rendered as markup, which is rare. Encode for the context the data lands in: for HTML body content, change < to &lt; and > to &gt; (and encode &, quotes and the other characters significant in that context); data placed inside an attribute, a JavaScript block or a URL needs the encoding rules of that context instead.
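Context-aware output encoding, as an added example in Python that is not from the original article. The stored profile record is constructed for the illustration and the helper names are assumptions; what it shows is that the same stored value needs different encoding depending on whether it lands in HTML text, an attribute, a JavaScript string or a URL, and that a URL attribute also needs its scheme checked, because encoding alone does not defuse a javascript: link.

```python
import html
import json
from urllib.parse import urlsplit


def encode_for_html(value):
    """Untrusted text going into HTML body text or a double-quoted attribute:
    & < > " ' become character references, so nothing can close a tag or attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """Untrusted text going inside a JavaScript string literal in a <script> block.
    json.dumps quotes and escapes it; < > & are additionally escaped so the
    browser's HTML parser cannot see a closing </script> inside the literal."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def safe_href(url):
    """A URL attribute needs validation as well as encoding: encoding alone does
    not neutralise a 'javascript:' URL. Only http(s) links are allowed through."""
    if urlsplit(url).scheme not in ("http", "https"):
        return "#"
    return encode_for_html(url)


PAGE_TEMPLATE = """<div class="profile">
  <h1 title="{name_attr}">{name_text}</h1>
  <p>{bio_text}</p>
  <a href="{href}">homepage</a>
  <script>var displayName = {name_js};</script>
</div>"""


def render_profile(profile):
    """Encode each stored value at the moment it is written out, for the context
    it lands in. The name is encoded once for the attribute and body text and
    differently for the script block."""
    return PAGE_TEMPLATE.format(
        name_attr=encode_for_html(profile["name"]),
        name_text=encode_for_html(profile["name"]),
        bio_text=encode_for_html(profile["bio"]),
        href=safe_href(profile["homepage"]),
        name_js=encode_for_js_string(profile["name"]),
    )


# Constructed example: what a sloppy form let an attacker store in the database.
STORED_PROFILE = {
    "name": 'Mallory" onmouseover="alert(1)',           # attribute breakout attempt
    "bio": "<script>alert(document.cookie)</script>",    # classic stored XSS
    "homepage": "javascript:alert(1)",                   # dangerous URL scheme
}

if __name__ == "__main__":
    print(render_profile(STORED_PROFILE))
```

Encode at the point of output, not when storing: a value saved already HTML-encoded would be wrong inside the script block and would come out double-encoded if it is ever shown by a client that is not a browser.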