Tips for data validation

IMPORTANT FUNDAMENTAL CONCEPT FOR IT SECURITY

Most security breaches can be prevented through proper data validation.

One of the most fundamental concepts in IT security is data validation. It ensures that data in a system can be processed correctly and protects the system from “malicious” data. When used correctly, data validation can prevent a wide range of attacks, including cross-site scripting (XSS), SQL injection, and buffer overflows.

The screenshot on the left shows how important data validation is.

You can see a fraction of the published CVEs (Common Vulnerabilities and Exposures) from April 15, 2021. Within just four hours (12:15–16:15), seven vulnerabilities were published that could have been prevented with sufficient data validation.

For illustration purposes, the affected vulnerabilities are framed in red.

The five golden rules for secure data validation are as follows:

1. Server side Validation
Input validation must always take place on the server. Everything done on the client side is essentially bypassable. For example, if JavaScript is used for input validation, a simple script blocker is sufficient. Attackers can also intercept and modify generated HTTP requests by using a web interception proxy. This can also be used to bypass client-side validation. In principle, there is nothing to be said against additionally performing data validation on the client side. This prevents the server from rejecting many incorrectly formatted requests and the user from having to re-enter all the data. However, this is a usability feature rather than a security feature. So, in overview: Client side = Usability Server side = Security

1. Server side Validation

Input validation must always take place on the server. Everything done on the client side is essentially bypassable. For example, if JavaScript is used for input validation, a simple script blocker is sufficient.

Attackers can also intercept and modify generated HTTP requests by using a web interception proxy. This can also be used to bypass client-side validation.

In principle, there is nothing to be said against additionally performing data validation on the client side. This prevents the server from rejecting many incorrectly formatted requests and the user from having to re-enter all the data. However, this is a usability feature rather than a security feature.

So, in overview:
Client side = Usability
Server side = Security

2. Never Trust Input
Keep this principle in your mind at all times. Even if the data appears to be trustworthy, do not expect it to be properly formatted. All input data, whether from an interface, configuration files, or the database, must be validated. Even if the data is generated by a self-written program, it is still recommended that it be validated. If one of the validation steps fails, the entire content should be rejected. We do not recommend attempting to convert false input to real input because the code that does so can be abused by attackers.

2. Never Trust Input

Keep this principle in your mind at all times. Even if the data appears to be trustworthy, do not expect it to be properly formatted.

All input data, whether from an interface, configuration files, or the database, must be validated.

Even if the data is generated by a self-written program, it is still recommended that it be validated.

If one of the validation steps fails, the entire content should be rejected. We do not recommend attempting to convert false input to real input because the code that does so can be abused by attackers.

3. Using Whitelists
A common mistake is to use blacklists for data validation. A blacklist or block list contains all characters (and strings) that are not allowed. The problem with this is that a blacklist is almost never complete. Attackers often find ways to circumvent a blacklist, for example by encoding forbidden characters. A whitelist, or allow list, contains all values that are allowed. All other values are rejected by default. Such a system can hardly be circumvented. For structured data, there is the possibility to create a whitelist regular expression that specifies which characters may be used and what length the input must have.

3. Using Whitelists

A common mistake is to use blacklists for data validation. A blacklist or block list contains all characters (and strings) that are not allowed.

The problem with this is that a blacklist is almost never complete. Attackers often find ways to circumvent a blacklist, for example by encoding forbidden characters.

A whitelist, or allow list, contains all values that are allowed. All other values are rejected by default. Such a system can hardly be circumvented.

For structured data, there is the possibility to create a whitelist regular expression that specifies which characters may be used and what length the input must have.

4. Validate Syntax and Semantics
Validation of data can be accomplished in two ways. The purpose of syntactic data validation is to ensure that data has the correct syntax, or structure. A social security number, for example, is always a ten-digit number. Date fields and e-mail addresses always have a consistent structure that can be verified. Regular expressions, for example, are useful for this. Semantic data validation involves assessing data values in their context. For example, if an input field is a date of birth, it cannot be in the future. To ensure the highest level of security, the syntax, and semantics must be validated.

4. Validate Syntax and Semantics

Validation of data can be accomplished in two ways.

The purpose of syntactic data validation is to ensure that data has the correct syntax, or structure. A social security number, for example, is always a ten-digit number. Date fields and e-mail addresses always have a consistent structure that can be verified. Regular expressions, for example, are useful for this.

Semantic data validation involves assessing data values in their context. For example, if an input field is a date of birth, it cannot be in the future.

To ensure the highest level of security, the syntax, and semantics must be validated.

5. Output Encoding
The output encoding is an important player in data validation. Essentially, not every “bad” character can be strictly forbidden as input. If you want to avoid XSS but still allow symbols like, output encoding is required. The context always dictates how a character should be encoded. Angle brackets, for example, can be encoded in an HTML context using HTML entities (& lt ; gt ;). Characters that are not permitted in URLs must be encoded in the HTTP context. Using URL encoding, the & symbol, for example, can be represented as%26. Other common encodings include ASCII and UNICODE for text and Base64 for binary data.

5. Output Encoding

The output encoding is an important player in data validation. Essentially, not every “bad” character can be strictly forbidden as input.

If you want to avoid XSS but still allow symbols like, output encoding is required.

The context always dictates how a character should be encoded. Angle brackets, for example, can be encoded in an HTML context using HTML entities (& lt ; gt ;). Characters that are not permitted in URLs must be encoded in the HTTP context. Using URL encoding, the & symbol, for example, can be represented as%26.

Other common encodings include ASCII and UNICODE for text and Base64 for binary data.

In conclusion:

If you follow these five golden rules, you can avoid many security gaps.

Some of them include:

OWASP Top Ten A1: Injection
OWASP Top Ten A7: Cross-Site Scripting

Furthermore, attacks are made more challenging in general, and the attack surface is reduced.

Would you like to learn more about IT Security or increase your Company's Security?
Our Advanced Threat Inspection solution can help you build effective protection for your assets against cyberattacks. If you would like to learn more, please contact our accomplished security experts.

Contact

It always starts with a conversation

Let‘s talk about how we can improve your security posture – today!

Get in touch