
First Line of Defense for Web Applications – Series of Great MSDN Blog Posts


There is a fantastic set of blog posts over on the Hackers blog on MSDN taking a deep look at input validation. Input validation is the most important thing you can do to make applications safer from malicious attackers. If input validation is implemented well, you can even have glaring vulnerabilities in your application code and have the validation layer render them unexploitable, or at least reduce their impact. This isn’t always true, and input validation won’t protect against many classes of attack, but starting with input validation as your foundation puts you in a position to avoid a lot of really silly, easy-to-find and easy-to-exploit vulnerabilities.

The installments are:

My favorite part of this series is the examples in parts 4 and 5. They go through common, ineffective protection measures that teams implement and provide examples of attack payloads that circumvent these protections. This is great information because a lot of development teams are using these ineffective protection mechanisms (“we replace every ' character with '' to prevent SQL injection…”) and think that they are safe. Having a set of clear and concise counter-examples is very useful for seeing how applications remain exposed.

The series of articles also does a great job of demonstrating that black-list (negative) validation is an insecure and ultimately brittle approach to validation. They even provide an example of how the built-in ASP.NET Cross Site Scripting (XSS) protection (based on black-list validation) has been defeated in the past.
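To make the point of the last two paragraphs concrete, here is an added example (written for this post, not code from the MSDN series or from Denim Group) that puts the quote-doubling “fix” next to positive (allow-list) validation backed by a parameterised query; the field names, patterns and sample table are assumptions for the demonstration.

```python
import re
import sqlite3

def blacklist_sanitize(value: str) -> str:
    """The ineffective measure described above: double every single quote.
    Anything that carries no quote passes through completely unchanged."""
    return value.replace("'", "''")

# Positive validation: each field accepts only the shape it legitimately needs.
# (Constructed patterns for the demo; real applications tune these per field.)
ALLOW_LIST = {
    "user_id": re.compile(r"[0-9]{1,9}"),
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
}

def validate(field: str, value: str) -> bool:
    """True only if the whole value matches the field's allow-list pattern."""
    pattern = ALLOW_LIST.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None

def lookup_user(conn: sqlite3.Connection, user_id: str):
    """Reject anything outside the allow-list, then bind the value as a
    parameter so the database never parses it as part of the SQL text."""
    if not validate("user_id", user_id):
        raise ValueError(f"rejected user_id: {user_id!r}")
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),)).fetchone()
    return row[0] if row else None

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn
```

The quote-doubling sanitiser only ever touches quote characters, so a numeric field is left entirely unprotected, while the allow-list rejects anything that is not a plain integer before it reaches the query.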

Even though there are a lot of ASP.NET specific examples, the principles covered in these posts apply to anyone developing applications deployed in a hostile environment – regardless of implementation platform.


PS – I took the photo while riding ATVs on the beaches in Costa Rica last fall.

About Dan Cornell


A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.