Repel invalid requests
The Open Web Application Security Project
has practical guidelines for implementing a secure web site. The first
item on their list of security concerns is validating requests.
A reasonable approach is to first validate all requests before performing
any other processing. Such checks can include:
-
check for requests whose overall size is unreasonably large (some attacks
send requests with large payloads, in an attempt to overload the server)
-
check for unknown parameter names
-
"sanity checks" for unreasonable parameter values, not expected
during normal operation (for example, text of unreasonably large size,
or a checkbox taking an unexpected value)
Early in processing, sanity checks on parameter values may be either complete
or partial validations:
-
complete - for example, items presented to the user in a static drop down
list, under normal operation, will take only the values defined by the
web application. Any other value constitutes an invalid request (almost
always a hack) which may be given a short, unpolished response, perhaps
in static HTML.
-
partial - for example, a free form text area can be checked for size, but
not for detailed content. As a second example, a business identifer can
be checked for textual form, but validating it against the datastore is
not appropriate at this early stage in processing
Checks on parameter values might be performed at two stages in processing
- early sanity checks (as described above), and later "business" validations.
For example, if an Age
is typed into a text input
control,
the parameter value can be validated in two steps:
-
first, validate the input can indeed build an
Integer
. This validation
might be performed on the application's behalf by a framework which defines
reasonable policies for converting text into an Integer
, Date
,
BigDecimal
, and so on.
-
second, validate the
Integer
is, say, in the range 0..150
.
This sort of validation can only be performed by an application, not by
a framework.
This two-step validation style is used in the WEB4J
framework. In WEB4J, business validations are performed by a Model
Object constructor.
Controls in an HTML form can perform simple validations.
For example, a control for entering a number may be assigned a minimum and maximum accepted value.
In order to be secure and robust, an app should repeat such validations on the server-side.
See Also :