Input Validation, also known as data validation, is the testing of any input (or data) provided by a user or application against expected criteria. Input validation prevents malicious or poorly formed data from entering an information system. Applications should check and validate all input entered into a system to prevent attacks and mistakes. Input validation is also important when receiving data from external parties or sources. Incorrect input validation can allow injection attacks, memory leakage, and ultimately compromised systems.
Input validation can use two distinct sets of criteria: an allow list or a deny list. Allow-list validation is preferable to deny-list validation. Deny-listing relies on IT staff knowing every attack that exists (what specifically to deny) and that may be used against the application or system. Allow-listing relies on IT staff knowing which commands and data types are permitted or acceptable, and letting only those pass through their systems, so that everything not on the list, including malicious data the filters never anticipated, is rejected.
Setting up allow or deny lists is very important for strong defense-in-depth security in your data-handling systems and applications.
What does this mean for an SMB?
There are ‘Input Validation Attacks’ in which hackers deliberately enter malicious input with the intention of confusing, crashing, or corrupting an application. The goal of these actions is to cause an unplanned action, a system outage, or even remote access. Malicious input can include code, scripts, and commands, which if not validated correctly can be used to exploit vulnerabilities. The most common input validation attacks include Buffer Overflow, XSS attacks, and SQL injection. The OWASP Top 10 mentions input validation as a mitigation strategy for both SQL injection and XSS, but it should not be used as the primary method of preventing these attacks; if properly implemented, though, it can considerably lower their impact. Those working in application security should be well aware of these threats, as well as the other nine threats listed in the OWASP Top Ten.
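The allow-list versus deny-list distinction above, and the SQL injection case it is usually discussed with, as an added example that is not part of the CyberHoot article. The deny list, account-name pattern and sort-column map are constructed for illustration; the point is that the deny list only stops what someone thought to list, while the allow list rejects everything outside the expected form.

```python
import re

# Added example (not from the CyberHoot article): deny-list versus allow-list
# validation of two constructed inputs, an account name and a sort column.

# Deny list: block tokens commonly seen in SQL injection. It only knows the
# attacks someone thought to list, so anything else passes straight through.
DENY_TOKENS = ("'", "--", ";", "/*", "union", "select")

def deny_list_ok(value: str) -> bool:
    """Reject input containing a listed token (case-insensitive)."""
    lowered = value.lower()
    return not any(tok in lowered for tok in DENY_TOKENS)

# Allow list: an account name is exactly 3-20 ASCII letters, digits or '_'.
# fullmatch() is used deliberately: with re.match() a trailing '$' still
# matches before a final newline, so "alice\n" would be admitted.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

def allow_list_ok(value) -> bool:
    """Accept only values of the expected type that match the expected form."""
    return isinstance(value, str) and ACCOUNT_RE.fullmatch(value) is not None

def validate_account_name(value) -> str:
    """Return the value unchanged if valid, otherwise raise ValueError."""
    if not allow_list_ok(value):
        raise ValueError("account name must be 3-20 chars of [A-Za-z0-9_]")
    return value

# Allow list of permitted values: a column name for ORDER BY cannot be sent
# as a bound query parameter, so it is looked up in a fixed map instead of
# being copied from the request.
ALLOWED_SORT_COLUMNS = {"name": "user_name", "created": "created_at"}

def sort_column_for(requested: str) -> str:
    """Map a user-supplied sort key onto a known column, else the default."""
    return ALLOWED_SORT_COLUMNS.get(requested, "user_name")

if __name__ == "__main__":
    for sample in ("alice_01", "alice<script>", "alice\n", "ab"):
        print(repr(sample), "deny-list:", deny_list_ok(sample),
              "allow-list:", allow_list_ok(sample))
```

Note that `alice<script>` passes the SQL-oriented deny list because nothing on that list covers it, while the allow list rejects it simply because it is not the expected shape.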
CyberHoot includes a training program for developers that covers the top 10 mistakes programmers make in application development.
- Adopt two-factor authentication on all critical Internet-accessible services
- Adopt a password manager for better personal/work password hygiene
- Require 14+ character Passwords in your Governance Policies
- Follow a 3-2-1 backup method for all critical and sensitive data
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Document and test Business Continuity Disaster Recovery (BCDR) plans
- Perform a risk assessment every two to three years
Start building your robust, defense-in-depth cybersecurity plan at CyberHoot.