Input validation, also known as data validation, is the process of checking that any input supplied by a user or by another application conforms to what the receiving application expects before that input is processed. It prevents improper or malformed data from entering a system or web application. Because it is usually impossible to tell a malicious user from a legitimate one at the point of input, applications should treat all input as untrusted and apply controls that check and validate every value entered. An application that fails to check user supplied input and accepts unvalidated data is exposed to injection attacks and, in some cases, to full system compromise.
Blacklisting vs Whitelisting for Input Validation
Input validation can use either a whitelist (allowlist) or a blacklist (denylist) technique; the preferred technique is whitelisting. Whitelisting accepts only data that matches a pre-approved definition of what is valid for the field (a set of permitted values, characters, lengths or formats) and rejects everything else. Blacklisting is the reverse: it rejects input that matches a list of known-bad values or patterns and accepts everything else, which depends on the programmer predicting every dangerous input in advance. Blacklisting is therefore more error prone: a single omission is enough, and attackers can find such gaps by enumerating variations (different case, encodings or equivalent payloads) until one passes.
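The difference in practice, as an added example that is not part of the original article: a denylist check for a handful of known XSS tokens, an allowlist check for a username field, and the inputs each one accepts. The denylist contents and the username policy (1 to 32 ASCII letters, digits, underscore, dot or hyphen) are assumptions made for the illustration, and the sample inputs are constructed. The last function shows a Python-specific pitfall: with re.match and a `$` anchor, `$` also matches just before a trailing newline, so the check passes input it was meant to reject; re.fullmatch avoids this.

```python
import re

# Denylist: reject input containing any token from a list of known-bad strings.
# This list is constructed for illustration and is deliberately incomplete,
# which is exactly the problem with denylists.
DENYLIST = ("<script", "javascript:", "onload=")


def denylist_is_valid(value: str) -> bool:
    """Accept anything that does not contain a denylisted token (case-insensitive)."""
    lowered = value.lower()
    return not any(bad in lowered for bad in DENYLIST)


# Allowlist: accept only what the field is defined to contain.
# Assumed username policy: 1-32 characters from [A-Za-z0-9_.-].
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def allowlist_is_valid(value: str) -> bool:
    """Accept only values that match the username policy in full."""
    return USERNAME_RE.fullmatch(value) is not None


def anchored_match_is_valid(value: str) -> bool:
    """Same policy written with re.match and '$'. Looks equivalent but is not:
    in Python '$' also matches before a trailing newline, so 'alice\\n' passes."""
    return re.match(r"^[A-Za-z0-9_.-]{1,32}$", value) is not None


def compare(inputs):
    """Run every input through both checks; returns {input: (denylist, allowlist)}."""
    return {v: (denylist_is_valid(v), allowlist_is_valid(v)) for v in inputs}


# Constructed sample inputs: one legitimate username, one payload the denylist
# knows about, and one equivalent payload it does not (attacker enumeration).
SAMPLES = [
    "alice_01",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]

if __name__ == "__main__":
    for value, (deny_ok, allow_ok) in compare(SAMPLES).items():
        print(f"{value!r:36} denylist={deny_ok} allowlist={allow_ok}")
    print("re.match with $ accepts 'alice\\n':", anchored_match_is_valid("alice\n"))
    print("re.fullmatch accepts 'alice\\n':", allowlist_is_valid("alice\n"))
```

The denylist accepts the `onerror` payload because only `onload=` is on the list; the allowlist rejects it without having to know anything about XSS, because `<`, `=` and spaces are simply not username characters. That is the asymmetry the paragraph above describes: the allowlist only has to describe the valid set, while the denylist has to anticipate every attack.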
What is an Input Validation Attack?
An input validation attack happens when an attacker or malicious user intentionally enters dangerous or malicious input data with the intention of creating a condition that is beyond the scope of the system's design. For example, an attacker may submit special characters such as quotes, angle brackets or semicolons as user supplied input to provoke error messages that leak implementation details, or to perform proof of concept injection attacks.
Different Types of Injection Attacks
Dangerous or malicious input can include code, scripts and commands which, if the application fails to validate input correctly, can be used to exploit a family of application vulnerabilities known as injection attacks, several of which appear in the OWASP Top 10.
Common Injection Attack Types:
• Cross-Site Scripting (XSS)
• SQL Injection (SQLi)
• NoSQL Injection
• XML Injection
• LDAP Injection
• Code Injection
• OS Command Injection
• Host Header Injection
• CRLF (HTTP Header) Injection
• Local File Inclusion (LFI)
• Remote File Inclusion (RFI)
• Server-Side Request Forgery (SSRF)
Input validation should not be the primary method of preventing injection attacks; the primary controls are specific to each interpreter (parameterised queries for SQL, output encoding for XSS, avoiding shell invocation for OS commands). Input validation should instead be applied as a defense in depth layer which, if correctly implemented, significantly reduces both the likelihood and the impact of these attacks.