Safe handling of user input
Your form wants a six-digit number. Someone will put in a shell command. What will your application do?
Goals
- Understand the importance of sanitizing user input.
Motivation
Improper handling of user input is one of the most common flaws in web applications. Prevent this type of vulnerability in your application by checking user input first!
Concerns
In this document, we're concerned about preventing vulnerabilities that arise from improper user input handling in internally-developed web applications.
Causes and Consequences
A web application that fails to properly sanitize user input before displaying it on a page, inserting it into a query, or using it in a shell command is exposed to the following types of attacks:
- SQL injection - an attacker modifies an SQL query to change its results or perform unauthorized modifications to the site's SQL database.
- Shell injection - an attacker modifies the shell command executed by a web application to perform unauthorized actions.
- Cross-site scripting - an attacker injects malicious JavaScript or other content into a page normally served from a trustworthy URL.
- Code injection - an attacker injects arbitrary code evaluated or run by the web application's script interpreter.
- Low-level tricks - an attacker injects arbitrary machine-level code or crashes a process.
Prevention
Don't Trust the Client
First, do not trust the user or the user's browser to sanitize input for you. You may use client-side technology such as JavaScript or Flash to pre-screen user input; however, you must perform sanity checking on the server side, regardless of what goes on at the client side.
Sanity Checking
Sanity checking is the process of ensuring that user input meets your expectations.
Length
Most scripting languages dynamically allocate buffers of sufficient size for user input, so fitting user input within memory buffer constraints is less of a concern than it is for compiled C applications. However, limits still do exist. For example, what will happen when your application tries to store a 256-character string into a database column sized for a 16-character string? Make sure any assumptions about the length of input are checked. Also, don't forget the case where NO data for an input is provided by a user.
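As an added example (not code from the original page), here is a server-side sanity check that covers the six-digit number from the introduction and the length and missing-input cases above. Each field is checked against an allowlist schema: is it required, how long may it be (for instance the width of its database column), and what shape must it have. The field names, limits and sample submissions are constructed for illustration.

```python
import re
from typing import Optional

# Constructed allowlist schema (not from any real application). Each field
# states whether it is required, its maximum length (e.g. the width of the
# database column it is stored in) and an anchored pattern describing the only
# shape of input the application expects.
SCHEMA = {
    "code":     {"required": True,  "max_len": 6,   "pattern": r"[0-9]{6}"},
    "username": {"required": True,  "max_len": 16,  "pattern": r"[A-Za-z0-9_]+"},
    "comment":  {"required": False, "max_len": 256, "pattern": r"[^\x00-\x1f]*"},
}


def check_field(name: str, value: Optional[str]) -> Optional[str]:
    """Return None if the value is acceptable, otherwise the reason it was rejected."""
    spec = SCHEMA[name]
    if value is None or value == "":
        # The case where NO data is provided: reject only if the field is required.
        return "missing" if spec["required"] else None
    if len(value) > spec["max_len"]:
        # Check length before anything else, so an oversized value never reaches
        # a fixed-width column or a pattern that has to scan all of it.
        return "too long"
    if re.fullmatch(spec["pattern"], value) is None:
        # Anything outside the expected shape (e.g. a shell command where a
        # six-digit number belongs) is rejected rather than "cleaned up".
        return "unexpected characters"
    return None


def validate_form(form: dict) -> dict:
    """Check every schema field against a submitted form; unknown fields are ignored."""
    return {name: check_field(name, form.get(name)) for name in SCHEMA}


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, one hostile.
    good = {"code": "123456", "username": "alice", "comment": "hello"}
    bad = {"code": "123456; ls", "username": "x" * 256}
    print(validate_form(good))  # every field maps to None
    print(validate_form(bad))   # code: too long, username: too long, comment: None
```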