Any business that uses a website with online services to do business with their customers are concerned about security. Security is an important factor in ensuring a quality user experience and helps to retain and grow a customer base.
Recently I wrote in my own blog outlining some principles and approaches for website and applications security. In this blog, I will focus on data validation which forms an important part of securing your website or application. Data validation is all about ensuring that any form of data input or output, whether provided by a user or other system, does not compromise your website or application.
Lets start with the inputs – blacklist or whitelist ?
Businesses provide a range of online options for customers to communicate to them, ranging from online feedback/comment forms to online shopping. Each of these options require different data to be entered, from names and email addresses to credit/debit card details. If a user’s input is not properly validated, there can be a risk of an attacker using a code injection technique such as sql injection to compromise a website.
To ensure that appropriate data is entered, there are two approaches to validation;
This approach validates any data input against data that is considered acceptable. For example, a whitelist entry for a valid credit card number would include the rule that the input should consist of sixteen numeric characters, drawn from a list of 0 to 9. By adopting this approach, the focus is on identifying known correct inputs. So if a user enters anything other than numbers, their input will not be accepted and a message should be displayed informing them as to why their entry was not accepted.
This approach differs from whitelisting in that the focus is on identifying inappropriate inputs – malicious or otherwise. When inappropriate content is recognised, it is replaced or removed. The challenge with using the blacklisting approach is that only current known threats can be prevented. There is a possibility that newer threats may be missed. For this reason, the whitelisting approach is generally the preferred approach.
Similar principles for outputs
Before any output is displayed to a user, it should be validated so that the text is in an appropriate format and length. Common examples of output validation include;
- Display a credit card number to a user with asterisks, with only the last four digits being displayed.
- Validate a url link to another site in order to prevent a possible cross-scripting attack.All urls should be correctly formatted.
Strength in numbers
Validating inputs and outputs should be used as one of a range of security measures to ensure a secure user experience of your website or application. I plan to write about other measures such as error handling and proper authentication in future blogs.
In the meantime, I would recommend the following information sources on applications security;
- Open Web Applications Security Project (OWASP)
- Security Ninja – Secure development principles
- Irish Reporting and Information Security Service – useful links section
- Government’s MakeITsecure website