Thursday Nov 07, 2024
OWASP Top Ten Proactive Controls - C3: Validate all Input & Handle Exceptions
What is input validation?
Input validation is a programming technique that ensures only properly formatted data is allowed into a software system. It's a critical security measure to prevent various injection attacks, ensuring that data is treated as data and not as executable commands.
Why is input validation important?
Failing to properly validate input opens the door to a range of attacks, including:
- SQL Injection: Attackers can inject malicious SQL code into data fields, manipulating database queries and potentially gaining access to sensitive information.
- Cross-Site Scripting (XSS): Malicious scripts injected into web pages can execute in users' browsers, stealing session tokens or personal data.
- Remote Code Execution (RCE): Injected commands can be executed on the web application server, giving attackers control of the system.
These attacks can lead to data breaches, system compromise, and denial of service.
What types of validation are there?
There are two main types of validation:
- Syntactic validation: Checks if the data is in the expected format (e.g., a four-digit account ID should consist only of numbers).
- Semantic validation: Checks if the data makes sense in the application's context (e.g., a start date must be before an end date).
What are allow lists and deny lists?
- Allow lists: Define acceptable input patterns. Only data matching these patterns is allowed. This is the recommended approach for input validation.
- Deny lists: Attempt to block known bad input patterns. This method is less effective as attackers can often find ways to bypass the filters.
Where should input validation be performed?
Always perform input validation on the server side. Client-side validation using JavaScript can be bypassed, so it should only be used for user experience enhancements. Server-side validation ensures that all input is checked regardless of client-side measures.
How can regular expressions be used for input validation?
Regular expressions define patterns for matching text. They can be used to create allow lists for input validation, specifying the acceptable format for data. However, poorly designed regular expressions can lead to denial of service vulnerabilities (ReDoS).
What is mass assignment, and how can it be prevented?
Mass assignment vulnerabilities occur when frameworks automatically bind HTTP request parameters to server-side objects. Attackers can exploit this by adding unexpected parameters to modify data they shouldn't have access to. Prevent this by:
- Using Data Transfer Objects (DTOs): Intermediary objects that explicitly define which fields can be updated.
- Setting up allow lists: Define which fields can be auto-bound for each page or feature.
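The following Python example is added here to tie the points above together; it is not code from the episode or from the OWASP project. It shows an anchored allow-list regex (syntactic validation), a start-before-end check (semantic validation), a DTO builder that rejects any request field outside its allow list (mass assignment), and a handler that logs the precise rejection reason server-side while returning only a generic error to the client. The field names and the handler's (status, body) shape are assumptions for illustration.

```python
import logging
import re
from datetime import date

# Anchored allow-list pattern: fullmatch, no nested quantifiers, so linear time (no ReDoS).
ACCOUNT_ID_RE = re.compile(r"[0-9]{4}")

# Fields a request may bind on an update (names assumed); any other field, e.g. "is_admin", is rejected.
UPDATABLE_FIELDS = frozenset({"account_id", "start_date", "end_date"})

class ValidationError(ValueError):
    """Raised for any rejected input."""

def validate_account_id(value):
    # Syntactic validation: exactly four ASCII digits, nothing else.
    if not isinstance(value, str) or ACCOUNT_ID_RE.fullmatch(value) is None:
        raise ValidationError("account_id must be exactly four digits")
    return value

def validate_date_range(start, end):
    # Syntactic check (strict ISO date), then the semantic check (start before end).
    try:
        s, e = date.fromisoformat(start), date.fromisoformat(end)
    except (TypeError, ValueError):
        raise ValidationError("dates must be YYYY-MM-DD") from None
    if s >= e:
        raise ValidationError("start_date must be before end_date")
    return s, e

def bind_update(params):
    """Build a DTO (plain dict) from request parameters instead of auto-binding a model."""
    unexpected = set(params) - UPDATABLE_FIELDS
    if unexpected:
        raise ValidationError("unexpected fields: " + ", ".join(sorted(unexpected)))
    dto = {}
    if "account_id" in params:
        dto["account_id"] = validate_account_id(params["account_id"])
    if "start_date" in params or "end_date" in params:
        dto["start_date"], dto["end_date"] = validate_date_range(
            params.get("start_date"), params.get("end_date"))
    return dto

def handle_update(params):
    """Log the precise reason server-side; the client only sees a generic 400."""
    try:
        return 200, bind_update(params)
    except ValidationError as exc:
        logging.getLogger("validation").warning("rejected update: %s", exc)
        return 400, {"error": "invalid input"}
```

Because the DTO rejects unknown fields rather than ignoring them, a stray `is_admin` parameter fails the whole request instead of reaching the model.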
What are the limitations of input validation?
While crucial, input validation isn't a silver bullet. Some valid input may still pose security risks (e.g., a valid email address could contain a SQL injection payload). Therefore, other security measures like parameterized queries and output encoding are necessary.
What are some best practices for validating data during deserialization?
Deserializing untrusted data is inherently risky as it can lead to the execution of arbitrary code. When dealing with serialized data:
- Avoid processing serialized data from untrusted sources if possible.
- Implement integrity checks and encryption.
- Enforce strict type constraints.
- Isolate deserialization code in low-privilege environments.
- Log security exceptions and monitor deserialization activity.
References:
- https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/