Difference between revisions of "Input Validation"

From OWASP
(Reverting to last version not containing links to www.textzeltrors.com)
 
(10 intermediate revisions by 4 users not shown)
Text of the earlier revision that no longer appears in the latest revision:

{{Template:Countermeasure}}

==Description==

Input validation refers to the process of validating all the input to an application before using it. Input validation is absolutely critical to application security, and most application risks involve tainted input at some level.

Many applications do not plan input validation, and leave it up to the individual developers. This is a recipe for disaster, as different developers will certainly all choose a different approach, and many will simply leave it out in the pursuit of more interesting development.

See [[Data_Validation]] for more.

==Examples ==

==Related Threats==

==Related Attacks==

==Related Vulnerabilities==

==Related Countermeasures==

Lines added in the latest revision: the templates {{Template:Control}} and {{Template:Stub}}, a <br>, the categories [[Category:OWASP ASDR Project]], [[Category: Control]] and [[Category:Input Validation Control]], and the text, C example and PHP example that are rendered in full under "Latest revision" below.
Latest revision as of 13:29, 27 May 2009

This is a control. To view all controls, please see the Control Category page.

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

Use black and/or white lists that define which input data is valid. This approach is more accurate and gives a clearer risk analysis when the lists have to be modified.

For example, when only digits are expected as input, the validation should check exactly that and accept nothing else.

#include <stdio.h>
#include <ctype.h>
#include <string.h>

int main(int argc, char **argv)
{
       char a[256];
       int b = 0;

       /* argv[1] does not exist when the program is run without an argument */
       if (argc < 2) {
               fprintf(stderr, "usage: %s <input>\n", argv[0]);
               return 1;
       }

       /* strncpy() leaves the buffer unterminated when the input fills it, so terminate it explicitly */
       strncpy(a, argv[1], sizeof(a) - 1);
       a[sizeof(a) - 1] = '\0';

       /* pass through only the digits; the unsigned char cast keeps isdigit() defined for every byte value */
       for (b = 0; a[b] != '\0'; b++) {
               if (isdigit((unsigned char)a[b])) printf("%c", a[b]);
       }

       printf("\n");
       return 0;
}
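The C program above filters its input: it keeps the digits and silently drops every other character. The following Python example, added here and not part of the original page, contrasts that filtering with whitelist validation that rejects the whole input when any character is outside the expected set. The function names, the 255-character limit (chosen to mirror the C buffer) and the sample inputs are constructed for this example.

```python
import re

# Assumed bound: the C example above holds at most 255 characters plus the terminator.
MAX_LEN = 255

# Explicit ASCII whitelist; str.isdigit() would also accept Unicode digits such as "²".
ASCII_DIGITS = set("0123456789")
DIGITS_ONLY = re.compile(r"[0-9]+")


def filter_digits(value: str) -> str:
    """Filtering, as the C program does: keep the digits and silently drop everything else."""
    return "".join(ch for ch in value if ch in ASCII_DIGITS)


def validate_digits(value: str, max_len: int = MAX_LEN) -> bool:
    """Whitelist validation: accept only 1..max_len ASCII digits and reject anything else.

    fullmatch() requires the whole string to match, so a single stray character
    (a space, a letter, a trailing newline) rejects the input instead of being discarded.
    """
    if not isinstance(value, str) or len(value) > max_len:
        return False
    return DIGITS_ONLY.fullmatch(value) is not None


def compare(value: str) -> dict:
    """Result of both approaches for the same input, so the difference is visible side by side."""
    return {"filtered": filter_digits(value), "valid": validate_digits(value)}


if __name__ == "__main__":
    # Constructed sample inputs, not data from the page.
    for sample in ["2048", "20 48", "12abc", "12\n", "", "9" * 300]:
        print(repr(sample[:12]), compare(sample))
```

Filtering turns "12abc" into "12" and carries on as if the input had been well formed; validation refuses it, which is the behaviour a whitelist is meant to give.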

In PHP, input data can be validated with, for example, the preg_match() function:

<?php
  $clean = array();
  // Copy the value only when the parameter is present and the whole string matches the expected form
  if (isset($_GET['var']) && preg_match("/^[0-9]+:[X-Z]+$/D", $_GET['var'])) {
     $clean['var'] = $_GET['var'];
  }
?>

The D modifier deserves special attention. Without it, the $ anchor also matches just before a newline at the very end of the string, so a value ending in a line break would pass the check; with /D the value must end immediately after the last matched character, which additionally protects against HTTP Response Splitting attacks.
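The effect of the D modifier, shown as an added Python example rather than code from the page: Python's $ behaves like PCRE's default $ in PHP (it also matches just before a final newline), and \Z plays the role that /D gives $. A value that passes with a trailing newline and is later written into a response header would carry that line break into the header, which is the response-splitting concern mentioned above. The function names and sample values are constructed for this example, and the dictionary argument stands in for $_GET.

```python
import re

# The page's PHP pattern, with and without end-of-string anchoring.
# "/^[0-9]+:[X-Z]+$/"  -> '$' also matches just before a final newline (PCRE and Python default)
# "/^[0-9]+:[X-Z]+$/D" -> '$' matches only at the very end; in Python "\Z" does the same
LOOSE = re.compile(r"^[0-9]+:[X-Z]+$")
STRICT = re.compile(r"^[0-9]+:[X-Z]+\Z")


def loose_accepts(value: str) -> bool:
    """preg_match() without /D: a value with a trailing newline still matches."""
    return LOOSE.search(value) is not None


def strict_accepts(value: str) -> bool:
    """preg_match() with /D: the string must end right after the last [X-Z] character."""
    return STRICT.search(value) is not None


def clean_var(params: dict) -> dict:
    """Port of the page's PHP snippet; 'params' stands in for $_GET (assumption)."""
    clean = {}
    value = params.get("var")
    # isset() check first: a missing parameter is simply not copied over
    if isinstance(value, str) and strict_accepts(value):
        clean["var"] = value
    return clean


def contains_line_break(value: str) -> bool:
    """Invariant for anything destined for a response header: neither CR nor LF may be present."""
    return "\r" in value or "\n" in value


if __name__ == "__main__":
    # Constructed sample values, not data from the page.
    for sample in ["12:XYZ", "12:XYZ\n", "12:XYZ\r\n", "12:xyz", "a12:XYZ"]:
        print(repr(sample), "loose:", loose_accepts(sample), "strict:", strict_accepts(sample))
```

Only "12:XYZ" followed by a single newline separates the two patterns: the loose one accepts it, the strict one does not, and clean_var() therefore leaves it out of the cleaned array.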

Avoid relying on environment variables whose values an attacker may be able to alter.

See Category:Input Validation for further content.