Data that is not validated, or is poorly validated, is the root cause of a number of serious security vulnerabilities affecting applications. This paper presents a modular approach to performing thorough data validation in modern web applications so that the benefits of modular, component-based design (extensibility, portability and re-use) can be realised.
It starts with an explanation of the vulnerabilities introduced through poor validation and then goes on to discuss the merits of a number of common data validation methodologies. Finally, a modular approach is introduced together with practical examples of how to implement such a scheme in a web application.
Inadequate input validation is listed as the most serious security issue affecting web applications according to the OWASP Top Ten. Many common security issues in applications are caused by inadequate input validation, including: parameter manipulation, and therefore subversion of logic or security controls; code injection, such as Cross Site Scripting, SQL Injection and Operating System command injection attacks; and legacy C/C++ vulnerability classes, such as buffer overflows, integer wrap and format string vulnerabilities.
The vulnerabilities introduced by inadequate input validation are varied, but the cause is the same: the application is only designed to process a defined data set, yet no checks are performed to ensure that the data presented to the application conforms to this set. The result is that an attacker could subvert the application logic, execute unauthorised commands or code on backend systems, or compromise the trust the user has in the application.
A modular approach to software design allows components and tiers to be loosely coupled. This allows the individual components to be re-used in other applications and makes the task of extending the application, for example by adding another type of client, much simpler. A data validation mechanism should also support modular design principles, so that when the application is extended or its components are re-used, very little additional validation work has to be done.
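The modular idea described above, sketched as an added example that is not taken from the paper: one shared validation component defines the accepted data set, and two thin client adapters (an HTML form and a JSON API) both pass through it. The field names, patterns, length limits and function names are assumptions made for illustration.

```python
import json
import re
from urllib.parse import parse_qs

class ValidationError(ValueError):
    """Raised when input falls outside the defined data set."""

# Constructed rule set: field names, patterns and length limits are assumptions.
# Each entry is (allow-list regex the whole value must match, maximum length).
RULES = {
    "username": (r"[A-Za-z0-9_]{3,20}", 20),
    "amount": (r"[0-9]{1,7}(\.[0-9]{2})?", 10),
}

def validate(fields):
    """Shared validation component: every client type ends up here."""
    if set(fields) != set(RULES):
        raise ValidationError("unexpected or missing field")
    for name, (pattern, max_len) in RULES.items():
        value = fields[name]
        # fullmatch, not match/search: a trailing newline or suffix is rejected.
        if (not isinstance(value, str) or len(value) > max_len
                or not re.fullmatch(pattern, value)):
            raise ValidationError(f"invalid field: {name}")
    return dict(fields)

def from_form(body):
    """Adapter for an HTML form client (urlencoded body)."""
    parsed = parse_qs(body, keep_blank_values=True)
    # A repeated parameter is ambiguous input, so it is refused outright.
    if any(len(values) != 1 for values in parsed.values()):
        raise ValidationError("duplicate parameter")
    return validate({name: values[0] for name, values in parsed.items()})

def from_json(body):
    """Adapter for a second client type (JSON API) added later."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValidationError("malformed JSON") from exc
    if not isinstance(data, dict):
        raise ValidationError("expected a JSON object")
    return validate(data)
```

Adding the JSON client required only a new adapter; the rules themselves are defined once and enforced identically for both clients.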