tags:
views: 61
answers: 5

Hey guys, I have been thinking about form security a lot lately. I have been told time and time again to check that form input is a number if you are expecting a number, or to escape it just in case (unless you use proper mysqli formatting) to avoid injection.

1. After the safety checks are done, should I do additional logic checks? For example, if the user is sending a friend request to themselves, even though my user interface will not show the form if the user is looking at their own page.

+7  A: 

Anything you do in HTML or JavaScript is not sufficient to prevent someone from posting data directly to your HTTP server. So treat anything that is sent by the browser (even cookies!) as "user input" and guard accordingly.

Because even though your form may not allow me to send a friend request to myself, if I'm running Fiddler I can just set a breakpoint, change a POST variable, then resume the request and your server has no idea.

In fact, that's a great eye-opening exercise. If you go download Fiddler you can watch everything that the browser sends or receives with your web site. Anything being sent by the browser should not be implicitly trusted.

Josh Einstein
Thanks Josh, appreciate the information.
Scarface
By the way, when you say cookies, what do you mean by that? Users do not send cookies, do they?
Scarface
Absolutely. When you store a cookie, the browser stores it on the client. It is then transferred up to the server with *every* single request. That's why they can't be trusted: they could be modified or spoofed. It's also a good reason not to store much information in cookies. A better solution is to store some kind of key and keep the actual data secure on the server.
Josh Einstein
You mean in a session? I currently use cookies only for certain update messages like the ones stackoverflow uses saying you have messages. I set a cookie to expire in a day if the user closes the box and does not check their messages, so that in a day it will pop back up. Should I try to do this in an alternative manner? If not, how can you check a cookie? I am only checking if they exist with javascript. Could someone send some sort of virus that would affect me just from these operations?
Scarface
LOL nah, I didn't mean to make you paranoid. Barring some server vulnerability they can't just send you a virus. But they can send you data that you aren't expecting. So if you put a UserID in a cookie you can't trust that the UserID sent back by the browser is the same thing you stored. Small pieces of insecure state data are fine.
Josh Einstein
LMAO ok Josh good to know. I am still fairly new at development so sometimes I way overthink things or extrapolate in unnecessary places.
Scarface
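As an added example (not code from Josh's answer), here is what those server-side checks look like in JavaScript: the session store, the user table, the cookie name `sid` and the POST field `to` are all constructed for the example. The only thing read from the cookie is an opaque session id, which is resolved on the server; the acting user's id never comes from the browser, and the "friend request to yourself" case is rejected regardless of what the UI showed.

```javascript
// Constructed example: a friend-request handler that trusts nothing the
// browser sends. The cookie supplies only an opaque session id, which is
// looked up in a server-side store; the acting user's id is never taken
// from the cookie or the POST body.

// Server-side session store keyed by opaque session id (constructed data).
const SESSIONS = { 'sid-a1b2c3': { userId: 42 } };
// User table (constructed data).
const USERS = new Set([42, 43, 44]);

// Parse a raw Cookie header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Whitelist check for the target id: decimal digits only, no leading zero,
// at most 10 digits. Anything else (including a number instead of a string,
// or "43; DROP ...") is rejected before it reaches any query.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,9}$/.test(raw)) return null;
  return Number(raw);
}

// Returns { status, error, from, to } like an HTTP handler would. Every
// check is repeated here even if the UI already prevents the action, and
// a forged body.from is simply ignored.
function handleFriendRequest(cookieHeader, body) {
  const session = SESSIONS[parseCookies(cookieHeader).sid];
  if (!session) return { status: 401, error: 'not logged in' };
  const me = session.userId;               // from the server, not the client
  const target = parseUserId(body.to);
  if (target === null) return { status: 400, error: 'bad target id' };
  if (target === me) return { status: 400, error: 'cannot befriend yourself' };
  if (!USERS.has(target)) return { status: 404, error: 'no such user' };
  return { status: 200, error: null, from: me, to: target };
}
```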
+3  A: 

Yes you should. Haven't we all noticed a pattern in some sites' URLs and then copied the URL but changed some part to get around some restriction in the site, bypassing login/access control? Do you want your site to be susceptible to that too?

No I do not, thanks naumcho.
Scarface
+2  A: 

Of course. The whole point of validation is to properly handle input outside what you're expecting. If users gave you what you expected, you wouldn't have to validate. You need to assume your user could throw absolutely anything at you. As noted, they can bypass the browser entirely using manual HTTP requests. Always code defensively.

Matthew Flaschen
thanks Matthew, appreciate it.
Scarface
+3  A: 

Of course.

You can't go far enough validating input. Treat it as garbage and plan accordingly. If you want everything to work smoothly make sure that everything checks out.

Josh K
Nice way of putting it Josh lol. Treat it all as garbage, thanks.
Scarface
+3  A: 

A good description I once heard from some famous CS guy (not sure who, a C writer?) went like "Some time in the early 90s evil on the internet started outgrowing the good on the internet. Any scheme founded upon the idea of enumerating badness is destined to fail (because there's so much of it)".

Don't describe the bad things, i.e. functions like isSQLcommand(), isJavaScript(), compilesToBinaryandRuns(). This is called blacklisting, and you will exhaust yourself doing it, and there is always someone smarter and more evil than you out there.

Instead focus on whitelisting. Enumerate the good, and list only the things you expect to occur. Have a select HTML element with male/female options?

// Whitelist: accept only the exact values the <select> is expected to send
if (selectInput === 'male' || selectInput === 'female') {
    // proceed
} else {
    // dump the user data and start over
}

EDIT

It was Marcus Ranum, a security expert:

http://www.ranum.com/security/computer_security/editorials/dumb/

Alex Mcp
I like the way you put that, I was not really thinking in that fashion before. Nice suggestion, thanks Alex.
Scarface
PS: when you used ||, is that the same as 'or'?
Scarface
Yes, sorry. "Double pipes" are the "OR" operator in a lot of languages (JavaScript is what's in my head these days).
Alex Mcp
Nice article, thanks Alex
Scarface
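Alex's snippet whitelists one select field; as an added example (not from his answer), here the same idea is generalized to a whole form in JavaScript: each field names exactly the values, pattern or range it may take, anything else is rejected, and a field the form never defined fails the whole submission. The schema, field names and sample inputs are constructed for the example.

```javascript
// Constructed example: a declarative whitelist for a profile form.
// Each rule enumerates the good (allowed values, an exact pattern, or an
// integer range); nothing outside it is accepted, and unexpected fields
// reject the whole submission rather than being silently passed through.
const PROFILE_FORM = {
  gender:   { oneOf: ['male', 'female'] },
  country:  { oneOf: ['US', 'CA', 'GB'] },
  age:      { range: [13, 120] },
  nickname: { pattern: /^[A-Za-z0-9_]{3,20}$/ },
};

// Validate `input` (a name -> string map, as a POST body would give you)
// against `schema`. Returns { ok: true, data } with a cleaned copy, or
// { ok: false, errors } with every problem found.
function validateForm(schema, input) {
  const errors = [];
  const clean = {};
  // Fields that are not in the whitelist at all are an error, not ignored.
  for (const name of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, name)) {
      errors.push(`unexpected field: ${name}`);
    }
  }
  for (const [name, rule] of Object.entries(schema)) {
    const value = input[name];
    if (typeof value !== 'string') { errors.push(`missing: ${name}`); continue; }
    let ok = false;
    if (rule.oneOf) {
      ok = rule.oneOf.includes(value);              // exact match, case-sensitive
    } else if (rule.pattern) {
      ok = rule.pattern.test(value);                // anchored regex, no partial matches
    } else if (rule.range) {
      ok = /^(?:0|[1-9][0-9]*)$/.test(value) &&     // digits only, then bounds
           Number(value) >= rule.range[0] && Number(value) <= rule.range[1];
    }
    if (!ok) { errors.push(`invalid: ${name}`); continue; }
    clean[name] = rule.range ? Number(value) : value;
  }
  // Any error means "dump the user data and start over", as the answer says.
  return errors.length ? { ok: false, errors } : { ok: true, data: clean };
}
```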