Input Validation Cheat Sheet



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- Last revision (mm/dd/yy): // = Introduction =
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

This article is focused on providing clear, simple, actionable guidance for providing Input Validation security functionality in your applications.

White List Input Validation
It is always recommended to prevent attacks as early as possible in the processing of the user’s (attacker's) request. Input validation can be used to detect unauthorized input before it is processed by the application. Developers frequently perform black list validation in order to try to detect attack characters and patterns like the ' character, the string 1=1, or the &lt;script&gt; tag, but this is a massively flawed approach as it is typically trivial for an attacker to avoid getting caught by such filters. Plus, such filters frequently prevent authorized input, like O'Brian, when the ' character is being filtered out.

White list validation is appropriate for all input fields provided by the user. White list validation involves defining exactly what IS authorized, and by definition, everything else is not authorized. If it's well structured data, like dates, social security numbers, zip codes, e-mail addresses, etc. then the developer should be able to define a very strong validation pattern, usually based on regular expressions, for validating such input. If the input field comes from a fixed set of options, like a drop down list or radio buttons, then the input needs to match exactly one of the values offered to the user in the first place. The most difficult fields to validate are so called 'free text' fields, like blog entries. However, even those types of fields can be validated to some degree, you can at least exclude all non-printable characters, and define a maximum size for the input field.

Developing regular expressions can be complicated, and is well beyond the scope of this cheat sheet. There are lots of resources on the internet about how to write regular expressions, including: http://www.regular-expressions.info/ and the OWASP Validation Regex Repository. The following provides a few examples of ‘white list’ style regular expressions:

White List Regular Expression Examples
Validating a Zip Code (5 digits plus optional -4) ^\d{5}(-\d{4})?$

Validating U.S. State Selection From a Drop-Down Menu ^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU| HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE| NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN| TX|UT|VT|VI|VA|WA|WV|WI|WY)$

Java Regex Usage Example

Example validating the parameter “zip” using a regular expression. private static final Pattern zipPattern = Pattern.compile("^\d{5}(-\d{4})?$"); public void doPost( HttpServletRequest request, HttpServletResponse response) { try { String zipCode = request.getParameter( "zip" ); if ( !zipPattern.matcher( zipCode ).matches {  			throw new YourValidationException( "Improper zipcode format." ); 		}  		.. do what you want here, after its been validated ..  	} catch(YourValidationException e ) {  		response.sendError( response.SC_BAD_REQUEST, e.getMessage );  	}  }

Some white list validators have also been predefined in various open source packages that you can leverage. For example:
 * Apache Commons Validator

Goal of Input Validation
Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.

Input Validation Must Be:
 * Applied to all user controlled data
 * Define the types of characters that can be accepted (often U+0020 to U+007E, though most special characters could be removed and control characters are almost never needed)
 * Defines a minimum and maximum length for the data (e.g. {1,25} )

Client Side vs Server Side Validation
Be aware that any JavaScript input validation performed on the client can be bypassed by an attacker that disables JavaScript or uses a Web Proxy. Ensure that any input validation performed on the client is also performed on the server.

Positive Approach
The variations of attacks are enormous. Use regular expressions to define what is good and then deny the input if anything else is received. In other words, we want to use the approach "Accept Known Good" instead of "Reject Known Bad"

Example A field accepts a username. A good regex would be to verify that the data consists of the following [0-9a-zA-Z]{3,10}. The data is rejected if it doesn't match.

A bad approach would be to build a list of malicious strings and then just verify that the username does not contain the bad string. This approach begs the question, did you think of all possible bad strings?

Robust Use of Input Validation
All data received from the user should be treated as malicious and verified before using within the application. This includes the following
 * Form data
 * URL parameters
 * Hidden fields
 * Cookie data
 * HTTP Headers
 * Essentially anything in the HTTP request

Input Validation
Data recieved from the user should be validated for the following factors as well:

1. Boundary conditions (Out of range values)

2. Length of the data inputed (for example, if the input control can accept only 8 character, the same should be validated while accepting the data. The input chars should not exceed 8 characters).

= Authors and Primary Editors =

Dave Wichers - dave.wichers [at] aspectsecurity.com

Other Cheatsheets

 * }