‘A Modular Approach to Data Validation in Web Applications’

Summary

‘Data that is not validated or poorly validated is the root cause of a number of serious security vulnerabilities affecting applications. This paper presents a modular approach to performing thorough data validation in modern web applications so that the benefits of modular component based design; extensibility, portability and re-use, can be realised. It starts with an explanation of the vulnerabilities introduced through poor validation and then goes on to discuss the merits of a number of common data validation methodologies. Finally, a modular approach is introduced together with practical examples of how to implement such a scheme in a web application. This follows two main principles:

 * Data should be validated in the data model, where the validation rules have maximum scope for interpreting the context; and
 *Escaping of harmful meta-characters should be performed just before the data is processed, typically in the data access components.

Implementing such a modular approach contributes to the application being loosely coupled and ensures that it can safely be extended and components reused, without incurring unnecessary development time to re-implement validation routines.’

Credit:

‘The information has been provided by Sam Fielden.
The original article can be found at: http://www.corsaire.com/white-papers/060116-a-modular-approach-to-data-validation.pdf


Details

Introduction:
Inadequate input validation is listed as the most serious security issue affecting web applications according to the OWASP top ten (http://www.owasp.org/documentation/topten.html). Many common security issues in applications are caused by inadequate input validation including:

 * Parameter manipulation, and therefore subversion of logic or security controls.
 * Code injection, such as Cross Site Scripting, SQL Injection and Operating System command injection attacks (OWASP 4 and 6).
 * Legacy C/C++ vulnerability classes, such as buffer overflows, integer wrap and format string vulnerabilities.

Performing complete data validation in applications is therefore an important step in ensuring that the application processes data in a secure manner. A number of approaches can be adopted when implementing data validation mechanisms within an application, each with its own advantages and disadvantages.
A modular approach to software design allows components and tiers to be loosely coupled. This allows the individual components to be re-used in other applications and makes the task of extending the application, by for example adding another type of client, much simpler and easier. When a data validation mechanism is designed it should also support modular design principles to ensure that when the application is extended or components re-used, very little additional work has to be done in the way of validation.

For further reading please visit: http://www.corsaire.com/white-papers/060116-a-modular-approach-to-data-validation.pdf

Categories: Reviews