Safe handling of user input
From Security Wiki
Your form wants a six-digit number. Someone will put in a shell command. What will your application do?
Goals
- Understand the importance of sanitizing user input.
Motivation
Improper handling of user input is one of the most common flaws in web applications. Prevent this type of vulnerability in your application by checking user input first!
Concerns
In this document, we're concerned about preventing vulnerabilities that arise from improper user input handling in internally-developed web applications.
Causes and Consequences
A web application that fails to properly sanitize user input before displaying it on a page, inserting it into a query, or using it in a command line is exposed to the following types of attacks:
- SQL injection - an attacker modifies an SQL query to change its results or perform unauthorized modifications to the site's SQL database.
- Shell injection - an attacker modifies the shell command executed by a web application to perform unauthorized actions.
- Cross-site scripting - an attacker injects malicious JavaScript or other content into a page normally served from a trustworthy URL.
- Code injection - an attacker injects arbitrary code evaluated or run by the web application's script interpreter.
- Low-level tricks - an attacker injects arbitrary machine-level code or crashes a process.
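The following is an added example, not code from this wiki page, showing the checks the list above calls for applied to the six-digit form field from the introduction: an allow-list validation that runs first, a parameterized SQL query, HTML escaping before display, and a subprocess argument list that no shell parses. The `orders` table, the `ordertool` command and the sample rows are constructed for the example.

```python
import html
import re
import sqlite3

# Allow-list for the form field: exactly six ASCII digits.
# \A and \Z are used instead of ^ and $ because $ also matches before a
# trailing newline; [0-9] rather than \d or str.isdigit() so that non-ASCII
# digits are rejected too.
SIX_DIGITS = re.compile(r"\A[0-9]{6}\Z")


def is_six_digits(value: str) -> bool:
    """True only if the value matches the allow-list exactly."""
    return SIX_DIGITS.match(value) is not None


def validate_six_digit(value: str) -> str:
    """Return the input unchanged if it is valid; refuse everything else."""
    if not is_six_digits(value):
        raise ValueError("expected exactly six digits")
    return value


def lookup_order(conn: sqlite3.Connection, order_no: str):
    """Bind the value as a query parameter so it can never alter the SQL text."""
    validated = validate_six_digit(order_no)
    row = conn.execute(
        "SELECT status FROM orders WHERE order_no = ?", (validated,)
    ).fetchone()
    return row[0] if row else None


def render_result(order_no: str, status: str) -> str:
    """Escape user-controlled text before placing it in HTML (mitigates XSS)."""
    return f"<p>Order {html.escape(order_no)}: {html.escape(status)}</p>"


def build_lookup_argv(order_no: str) -> list:
    """Build an argv list for subprocess.run(); no shell ever sees the value.

    'ordertool' is a hypothetical command used only to show the pattern.
    """
    return ["ordertool", "--order", validate_six_digit(order_no)]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_no TEXT PRIMARY KEY, status TEXT)")
    conn.execute("INSERT INTO orders VALUES ('123456', 'shipped')")
    return conn
```

Because validation rejects the input before it reaches the database, the page, or the command line, the later layers only ever see a string drawn from the allow-list.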