Thursday 3 November 2011

Input Validation

What is Input Validation?

Input validation is the correct testing of any input that is supplied by something else. All applications require some type of input. That input can come from a variety of sources: an end user, another application, a malicious user, or any number of others. A malicious user is not going to announce that he or she is here to attack your software. It stands to reason, then, that all input should be checked and validated, because you do not know exactly who or what is giving you input to process. Applications should check all input entered by a user, but that is not the only time input should be checked. Although an end user is very unlikely to type a specific SOAP request to a web service, a malicious user could. Maybe you are getting input from a database. Where did that data come from? Was it your application, was it another application, or is it a shared database table that another application is storing data in that you would never expect? Testing all input could protect against a future potential security hole and vulnerability in the application.
Incorrect or missing input validation can lead to all sorts of problems and vulnerabilities. Here is a list of some of the vulnerabilities that could be solved just by validating input.
  • buffer overflows
  • injection attacks
  • DoS attacks
  • memory leakage
  • information disclosure
  • compromised systems
This list is definitely not all-inclusive. There are all sorts of other types of vulnerabilities that would be solved by input validation. If there is one thing that could solve a huge number of security vulnerabilities, it would be input validation.
Anyone can learn to help solve these problems. You do not need to be a security guru or a white hat hacker; you can start making a difference today by testing the extremes. Verify that the correct input is accepted. Determine whether the feature is coded using whitelists, blacklists, or nothing at all.
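To show what "testing the extremes" and "whitelists versus blacklists" look like in practice, here is an added example that is not code from the original post. It validates two made-up fields, a username and a port number that arrived as text (from a form, a config file, or a shared database table), once with an allowlist (whitelist) and once with a naive denylist (blacklist), and then runs both over a constructed set of boundary inputs: empty, one under and one over the length limits, wrong type, trailing newline, embedded NUL, non-ASCII digits. The field names, limits and sample inputs are assumptions chosen for the illustration.

```python
"""Allowlist vs denylist validation with boundary ("extremes") tests.

Added example, not code from the original post. The field names, length
limits and sample inputs below are assumptions chosen to illustrate the point.
"""
import re

# Allowlist: describe exactly what is acceptable and reject everything else.
# fullmatch() is used deliberately: with re.match() and a trailing '$', an
# input ending in a newline would still pass ("abc\n" matches r'[a-z]+$').
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")   # 3-16 chars, letter first
PORT_RE = re.compile(r"[0-9]{1,5}")                  # ASCII digits only

# Denylist: a handful of characters someone guessed were "dangerous".
DENYLIST = ("<", ">", "'", '"', ";", "--")


def username_allowlist(value):
    """True only for 3-16 lowercase ASCII letters/digits/underscores, letter first."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def username_denylist(value):
    """Naive check: accept anything that contains none of the denylisted tokens."""
    return isinstance(value, str) and not any(tok in value for tok in DENYLIST)


def port_allowlist(value):
    """Validate a port number that arrived as text.

    The text form is checked before conversion so that signs, whitespace,
    exponents, non-ASCII digits and over-long strings never reach int().
    """
    if not isinstance(value, str) or PORT_RE.fullmatch(value) is None:
        return False
    number = int(value)
    return 1 <= number <= 65535


# Constructed "extremes" with the expected allowlist verdict for each.
USERNAME_CASES = {
    "": False,
    "ab": False,            # one short of the minimum length
    "abc": True,            # minimum length
    "a" * 16: True,         # maximum length
    "a" * 17: False,        # one over the maximum
    "Abc": False,           # uppercase is not in the allowlist
    "abc\n": False,         # trailing newline
    "abc\x00": False,       # embedded NUL
    "1abc": False,          # must start with a letter
    None: False,            # wrong type entirely
}

PORT_CASES = {
    "0": False,
    "1": True,
    "65535": True,
    "65536": False,         # one past the top of the range
    "-1": False,
    " 80": False,           # leading whitespace
    "8e1": False,           # exponent notation
    "\u0663": False,        # Arabic-Indic digit three: int() accepts it, the allowlist does not
    "000080": False,        # six characters, over the length bound
    80: False,              # already an int: not the text this validator expects
}


def check_allowlist_extremes():
    """Return every case where an allowlist validator disagrees with the expectation."""
    failures = [v for v, want in USERNAME_CASES.items() if username_allowlist(v) != want]
    failures += [v for v, want in PORT_CASES.items() if port_allowlist(v) != want]
    return failures


def denylist_gaps():
    """Inputs the allowlist rejects but the denylist waves through."""
    return sorted(v for v in USERNAME_CASES
                  if isinstance(v, str) and username_denylist(v) and not username_allowlist(v))


if __name__ == "__main__":
    print("allowlist failures:", check_allowlist_extremes())
    print("accepted by denylist, rejected by allowlist:", denylist_gaps())
```

Running the module prints an empty failure list for the allowlist validators and seven inputs that the denylist accepts even though none of them is a valid username, which is the practical difference between the two approaches: a denylist only knows what someone remembered to forbid, while an allowlist states what the field is and rejects the rest, including the extremes that were never anticipated.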
