There is a fantastic set of blog posts over on the Hackers blog on MSDN taking a deep look at input validation. Input validation is the most important thing you can do to make applications safer from malicious attackers. If input validation is implemented well, you can even have glaring vulnerabilities in your application code but have the validation layer render them unexploitable or at least reduce the impact. This isn’t true all the time and input validation won’t protect against many classes of attack, but starting with input validation as your foundation puts you in a position to avoid a lot of really silly, easy to find and exploit vulnerabilities.
The installments are:
- Part 1: Why Bother?
- Part 2: What Should You Validate?
- Part 3: Validation Strategies
- Part 4: Top Bloopers – Cross Site Scripting (XSS)
- Part 5: Top Bloopers – SQL Injection
- Conclusion: ASP.NET Platform Features
My favorite part of this series is the examples in parts 4 and 5. They go through common, ineffective protection measures that teams implement and provide examples of attack payloads that circumvent these protections. This is great information because a lot of development teams are using these ineffective protection mechanisms (“we replace every ' character with '' to prevent SQL injection…”) and think that they are safe. Having a set of clear and concise counter-examples is very useful for seeing how applications remain exposed.
The series of articles also does a great job of demonstrating how black-list (negative) validation is a not-very-secure and ultimately brittle approach to validation. They even provide an example of how the built-in ASP.NET Cross Site Scripting (XSS) protection (based on black-list validation) has been defeated in the past.
Even though there are a lot of ASP.NET specific examples, the principles covered in these posts apply to anyone developing applications deployed in a hostile environment – regardless of implementation platform.
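As an added illustration of the quote-doubling point and of why positive (allow-list) validation is the sturdier foundation, here is example code written for this post, not taken from the MSDN series: the blacklist filter leaves unquoted input untouched, while an allow-list validator for a hypothetical numeric id field and username field rejects anything outside the expected shape, and the validated value is then bound as a query parameter. The in-memory table and the field formats are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for an application database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (42, "bob")])

def blacklist_escape(value: str) -> str:
    """The 'replace every quote' measure: it only touches the one character it
    looks for, so input that never needed a quote passes through unchanged."""
    return value.replace("'", "''")

# Positive validation: describe exactly what each field may look like.
_ID_RE = re.compile(r"[1-9][0-9]{0,8}")        # hypothetical id format
_NAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")  # hypothetical username format

def validate_user_id(raw: str) -> int:
    """Accept only a plain positive integer; anything else is rejected."""
    if _ID_RE.fullmatch(raw) is None:
        raise ValueError(f"invalid user id: {raw!r}")
    return int(raw)

def validate_username(raw: str) -> str:
    """Accept only the characters a username is allowed to contain."""
    if _NAME_RE.fullmatch(raw) is None:
        raise ValueError(f"invalid username: {raw!r}")
    return raw

def passes_positive_validation(raw_id: str) -> bool:
    """Convenience wrapper so callers can ask yes/no without catching."""
    try:
        validate_user_id(raw_id)
        return True
    except ValueError:
        return False

def lookup_by_id(raw_id: str):
    """Validate first, then bind the value as a query parameter so the database
    never interprets it as SQL text, even in a numeric context with no quotes."""
    user_id = validate_user_id(raw_id)
    row = _conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None
```

The contrast is the point: the quote filter cannot say anything about input that contains no quotes, whereas the allow-list says what is acceptable and everything else fails closed.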
dan _at_ denimgroup.com
PS – I took the photo while riding ATVs on the beaches in Costa Rica last fall.