Input Validation
Input validation stops malicious or malformed data from entering the system, where it could break components or leak confidential information. It should happen as soon as data from the outside world is received.
All inbound data from external sources, including web clients, mobile clients and third-party apps, should be validated before it is processed.
Implemented correctly, input validation can prevent common vulnerabilities such as XSS and SQL injection from having an impact on the system.
Implementing Input Validation
All input should be checked both for data format (Syntactic Validation) and for logical relevance (Semantic Validation).
For example, a data field like age would have a Syntactic Validation of
and would have a Semantic Validation like:
It is always advisable to stop malformed payloads as early as possible in the handling of a user's (potentially an attacker's) request. Input validation can establish that an input is not supposed to be there before the program processes it.
Syntactic Validation
Structured fields should be validated to ensure proper syntax (e.g., SSN, date, currency symbol).
Required Fields Validation
Validation should start with a check that the incoming payload contains all of the required fields. If it does not, the whole payload should be rejected; rejecting incomplete payloads at the first interaction saves computational cost.
Field Type Validation
One of the primary validation checks should be based on the field type. For example, if you expect a string, a number, a JSON object, or an array, your validation code should reject content that does not match the expected type.
If you are expecting a file, check that the file's MIME type and filename extension match what you expect. This helps ensure that the file you receive is one of the allowed file types.
Length Validation
Checking the minimum and maximum length of input values reduces the amount of spam. Length validation applies not just to strings but also to arrays, object attributes, the length of numbers, and the byte count of streams.
Additionally, performing length validation before format validation reduces spam further, because fewer computational resources are spent in the format validation check.
Format Validation
Most input fields have to follow a certain pattern for the value to be valid. For example, dates are stored in a fixed format such as "YYYY-MM-DD" or "DD-MM-YYYY". A validation process that checks that the date components are in the right order helps keep date and time data consistent. The same concept applies to email, mobile number, and username format validation. One of the recommended methods to validate format is regular expressions, but be aware of Regular Expression Denial of Service (ReDoS) attacks: software that uses a badly written regular expression can run very slowly and consume a lot of CPU for a long time.
It is recommended to validate the field length before validating the format to reduce the possibility of ReDoS. Also, it is preferable to define a minimum and maximum length for the data in the pattern (e.g., {1,25}) instead of using "+" in the regex.
Validating Rich User Content
Validating user-submitted rich content is quite challenging. To stop malicious payloads from reaching the backend server or other users, use an HTML sanitizer.
Post-Validation Steps
Semantic Validation
Semantic validation is about making sure that the input value makes sense. For example, an app might only let people of a certain age sign up; rejecting people older than a certain age would be a form of semantic validation.
Another example of semantic validation is when a system requires users to log in with a business email and checks their email against a blacklist of non-business addresses.
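As an added example (not code from the original article), the following Python function applies the checks described above to a constructed signup payload, in the recommended order: required fields, then type, then length, then format with bounded regexes, then semantic rules. The field names, length limits, age range and non-business domain list are assumptions.

```python
import re

# Constructed example: validate a signup payload in the order the article
# recommends: required fields -> type -> length -> format -> semantics.
REQUIRED = {"username": str, "email": str, "age": int, "birthdate": str}
MAX_LEN = {"username": 25, "email": 254, "birthdate": 10}
# Bounded quantifiers ({m,n}) instead of "+"/"*" limit regex work per input.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,25}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%-]{1,64}@[A-Za-z0-9.-]{1,253}$")
DATE_RE = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}$")  # YYYY-MM-DD
# Hypothetical blocklist of non-business mail domains (semantic rule).
NON_BUSINESS_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
MIN_AGE, MAX_AGE = 18, 120  # assumed application policy

def validate_signup(payload):
    """Return a list of error strings; an empty list means the payload is valid."""
    # 1. Required fields: reject the whole payload before doing any other work.
    missing = [f for f in REQUIRED if f not in payload]
    if missing:
        return [f"missing required field(s): {', '.join(sorted(missing))}"]
    errors = []
    # 2. Field type: bool is a subclass of int in Python, so exclude it explicitly.
    for field, typ in REQUIRED.items():
        value = payload[field]
        if not isinstance(value, typ) or isinstance(value, bool):
            errors.append(f"{field}: expected {typ.__name__}")
    if errors:
        return errors
    # 3. Length before format, so the regexes never see oversized input.
    for field, limit in MAX_LEN.items():
        if not 1 <= len(payload[field]) <= limit:
            errors.append(f"{field}: length must be 1..{limit}")
    if errors:
        return errors
    # 4. Format, using bounded regexes to limit ReDoS exposure.
    if not USERNAME_RE.fullmatch(payload["username"]):
        errors.append("username: invalid characters")
    if not EMAIL_RE.fullmatch(payload["email"]):
        errors.append("email: invalid format")
    if not DATE_RE.fullmatch(payload["birthdate"]):
        errors.append("birthdate: expected YYYY-MM-DD")
    if errors:
        return errors
    # 5. Semantic checks: the value must make sense for this application.
    if not MIN_AGE <= payload["age"] <= MAX_AGE:
        errors.append(f"age: must be between {MIN_AGE} and {MAX_AGE}")
    domain = payload["email"].rsplit("@", 1)[1].lower()
    if domain in NON_BUSINESS_DOMAINS:
        errors.append("email: a business address is required")
    return errors
```

Each stage returns early, so a payload that fails a cheap check (missing field, wrong type, excessive length) never reaches the more expensive format and semantic checks.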
learn more at qantra.io