Best Input Validation Strategy

By Paladion

December 15, 2005

What’s the best strategy to validate the inputs in our application?

  1. Look out for malicious input during validation and filter that out
  2. Specify what’s good, and allow only that
  3. I love a combination of both

The best answer to this quiz is 3) I love a combination of both.

The first strategy, that of filtering out bad inputs, is called a black list filter. You study all the different forms of attack and then specify what all constitute an attack. Those inputs are filtered out. At first look, this seems to be obviously a good strategy. However, remember that new attacks might emerge that use a different input pattern, or worse you might miss out a few attack strings in your specifications. Those attacks will go through your input validation logic and cause damage. So, black list filters are to be used sparingly.

Option 2 is called a White list validation strategy. For every input, the acceptable rang of values is specified (eg. Username is alphanumeric with 5 to 20 characters.). Any input that violates the rule is filtered out. This is a cautious strategy and very strong too. White list filters pose two challenges though: one, it requires a lot of effort to define the acceptable range of values for every input in a large application; second, some free flowing inputs may accept almost any value that it becomes impossible to define a meaningful white list filter. For instance, consider the comment field in a feedback form, as in the case here: almost any range of values is acceptable, and a white list is difficult to define.

Thus the best strategy for input validation is to use a combination of both a white list and a black list. Use a white list whenever possible; but when a meaningful white list is impractical, use a black list to block malicious input. Remember to keep the black list updated or to use a second layer of defense in case the validation is breached. A good example is the use of a black list filter to protect against Cross Site Scripting in a free-flowing text box, say a comment field. A second layer of defense is to escape all < and > symbols with &lt; and &gt;. Thus, even if an attacker gets through the black list, the attack would still not succeed.

Tags: Quiz