Tips For Data Validation - ATI
The screenshot on the left shows how important data validation is.
You can see a fraction of the published CVEs (Common Vulnerabilities and
Exposures) from April 15, 2021. Within just four hours (12:15–16:15), seven
vulnerabilities were published that could have been prevented with sufficient data
validation.
The five golden rules for secure data validation are as follows:
1. Validate on the Server
Input validation must always take place on the server. Everything done on
the client side is essentially bypassable. For example, if JavaScript is used
for input validation, a simple script blocker is sufficient.
Attackers can also intercept and modify generated HTTP requests by using
a web interception proxy. This can also be used to bypass client-side
validation.
So, in overview:
Client side = Usability
Server side = Security
2. Never Trust Input
Keep this principle in your mind at all times. Even if the data appears to be
trustworthy, do not expect it to be properly formatted.
If one of the validation steps fails, the entire content should be rejected. We
do not recommend attempting to convert false input to real input because
the code that does so can be abused by attackers.
3. Using Whitelists
A blacklist, or deny list, contains only the values that are forbidden. The
problem with this is that a blacklist is almost never complete. Attackers
often find ways to circumvent a blacklist, for example by encoding
forbidden characters.
A whitelist, or allow list, contains all values that are allowed. All other values
are rejected by default. Such a system can hardly be circumvented.
4. Syntactic and Semantic Validation
The purpose of syntactic data validation is to ensure that data has the
correct syntax, or structure. A social security number, for example, is always
a ten-digit number. Date fields and e-mail addresses always have a
consistent structure that can be verified. Regular expressions, for example,
are useful for this.
Semantic data validation involves assessing data values in their context. For
example, if an input field is a date of birth, it cannot be in the future.
To ensure the highest level of security, both the syntax and the semantics
must be validated.
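The following is an added example, not code from the ATI article, showing rules 2, 3 and 4 together on the server side: a hypothetical registration form is checked against an allow list (country), syntactic rules (the article's ten-digit social security number, an e-mail shape, an ISO date shape) and a semantic rule (date of birth not in the future). The field names and the accepted country codes are assumptions. On the first failing check the whole request is rejected; nothing is converted or repaired.

```python
import re
from datetime import date
from typing import Optional, Tuple

# Allow list of accepted country codes (constructed example values).
ALLOWED_COUNTRIES = frozenset({"AT", "DE", "CH"})

# Syntactic rules. [0-9] is used deliberately: in Python, \d also matches
# non-ASCII digits, which would let e.g. Arabic-Indic digits through.
# fullmatch() below ensures the whole value, not a substring, must match.
SSN_RE = re.compile(r"[0-9]{10}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DATE_RE = re.compile(r"([0-9]{4})-([0-9]{2})-([0-9]{2})")


class ValidationError(ValueError):
    """Raised on the first failing check; the whole request is then rejected."""


def validate_registration(form: dict, today: Optional[date] = None) -> dict:
    """Server-side validation of a hypothetical registration form.

    Each field is checked against an allow list or a syntactic rule, then
    against its semantic rule. A failing value raises and no partially
    converted data is ever returned.
    """
    today = today or date.today()
    expected = {"country", "ssn", "email", "birthdate"}
    # Unknown or missing fields are an error, not something to silently drop.
    if set(form) != expected:
        raise ValidationError("unexpected or missing fields")
    # A query parser may hand over lists or None; only plain strings are accepted.
    if not all(isinstance(v, str) for v in form.values()):
        raise ValidationError("all fields must be strings")

    country = form["country"]
    if country not in ALLOWED_COUNTRIES:          # allow list (rule 3)
        raise ValidationError("country not allowed")

    ssn = form["ssn"]
    if not SSN_RE.fullmatch(ssn):                    # syntax (rule 4)
        raise ValidationError("ssn must be exactly ten digits")

    email = form["email"]
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValidationError("e-mail has invalid structure")

    m = DATE_RE.fullmatch(form["birthdate"])
    if not m:
        raise ValidationError("birthdate must be YYYY-MM-DD")
    try:
        birthdate = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:                               # e.g. 1990-02-30
        raise ValidationError("birthdate is not a calendar date") from None
    if birthdate > today:                            # semantics (rule 4)
        raise ValidationError("birthdate cannot be in the future")

    return {"country": country, "ssn": ssn, "email": email, "birthdate": birthdate}


def check_registration(form: dict, today: Optional[date] = None) -> Tuple[bool, str]:
    """Convenience wrapper returning (True, 'ok') or (False, reason)."""
    try:
        validate_registration(form, today)
        return True, "ok"
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    sample = {"country": "AT", "ssn": "1234567890",
              "email": "anna@example.org", "birthdate": "1990-05-17"}
    print(check_registration(sample))
    print(check_registration({**sample, "ssn": "12345678901"}))     # eleven digits
    print(check_registration({**sample, "birthdate": "2999-01-01"}))  # in the future
```

Because every check is anchored to the full value and the rejected input is never "cleaned up", an attacker who bypasses the browser-side form with a script blocker or an interception proxy still meets the same rules on the server.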
5. Output Encoding
If you want to avoid XSS but still allow symbols like < and >, output
encoding is required.
Other common encodings include ASCII and Unicode for text and Base64
for binary data.
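As an added example that is not part of the article, the functions below show output encoding in Python: untrusted text is escaped for an HTML element body and for a quoted HTML attribute (so that < and > survive as visible characters but are not interpreted as markup), and a binary payload is Base64-encoded for transport in a text field. The function names and sample inputs are constructed for this illustration.

```python
import base64
import html


def render_comment(user_text: str) -> str:
    """Place untrusted text inside an HTML element body.

    html.escape turns <, >, & and quotes into character references, so a
    comment containing a script tag is displayed as text, not executed.
    """
    return f"<p>{html.escape(user_text)}</p>"


def render_title_attribute(user_text: str) -> str:
    """Place untrusted text inside a double-quoted HTML attribute.

    quote=True (the default) is what matters here: without it a stray
    double quote could close the attribute and start a new one.
    """
    return f'<span title="{html.escape(user_text, quote=True)}"></span>'


def encode_binary_for_transport(data: bytes) -> str:
    """Base64 for binary data that must travel inside a text field."""
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_comment("a < b && c > d"))
    print(render_comment("<script>alert('x')</script>"))
    print(render_title_attribute('x" onmouseover="y'))
    print(encode_binary_for_transport(b"\x00\xff"))
```

Note that the encoding must match the output context: body text, attribute values, URLs and JavaScript strings each need their own encoder, and applying the HTML encoder to a value that ends up inside a script block is not sufficient.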
In conclusion:
If you follow these five golden rules, you can avoid many security gaps.
Some of them include:
• OWASP Top Ten A1: Injection
• OWASP Top Ten A7: Cross-Site Scripting
Furthermore, attacks are made more challenging in general, and the attack surface is
reduced.
Would you like to learn more about IT Security or increase your Company's
Security?
Our Advanced Threat Inspection solution can help you build effective protection for
your assets against cyberattacks. If you would like to learn more, please contact our
accomplished security experts.