Difference between revisions of "Don't trust user input"

From OWASP
Jump to: navigation, search
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Template:Principle}}
 
{{Template:Principle}}
 +
 +
<br>
 +
[[Category:OWASP ASDR Project]]
 +
  
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
Line 5: Line 9:
 
==Description==
 
==Description==
  
A principle is a simple rule that helps to guide security decisions in complex situations.
+
A user or client will not always submit data your application will expect.  By building robust applications that do not trust user input by default, you ensure the application will be able to handle unexpected data gracefully. Examples of user input include: form data, client information such as user-agent strings, cookies, referer, etc.  Anything that is submitted in an HTTP request should be considered user input.
# Start with a one-sentence description of the principle
+
# Describe the principle and how it should be applied to security decisions
+
 
+
  
 
==Examples==
 
==Examples==
  
===Short example name===
+
===Phone number===
 
: A short example description, small picture, or sample code with [http://www.site.com links]
 
: A short example description, small picture, or sample code with [http://www.site.com links]
  
Line 27: Line 28:
 
==Related [[Controls]]==
 
==Related [[Controls]]==
  
* [[Controls 1]]
+
* [[Input Validation]]
* [[Controls 2]]
+
  
  
Line 35: Line 35:
 
* http://www.link1.com
 
* http://www.link1.com
 
* [http://www.link2.com Title for the link2]
 
* [http://www.link2.com Title for the link2]
 +
 +
[[Category:Principle]]

Latest revision as of 18:52, 7 April 2009

This is a principle or a set of principles. To view all principles, please see the Principle Category page.



Last revision (mm/dd/yy): 04/7/2009

Description

A user or client will not always submit data your application will expect. By building robust applications that do not trust user input by default, you ensure the application will be able to handle unexpected data gracefully. Examples of user input include: form data, client information such as user-agent strings, cookies, referer, etc. Anything that is submitted in an HTTP request should be considered user input.

Examples

Phone number

A short example description, small picture, or sample code with links

Short example name

A short example description, small picture, or sample code with links


Related Vulnerabilities


Related Controls


References