Repel invalid requests
The Open Web Application Security Project has practical guidelines for implementing a secure web site. The first item on their list of security concerns is validating requests.
A reasonable approach is to validate all requests before performing any other processing. Such checks can include:
- check for requests whose overall size is unreasonably large (some attacks send requests with large payloads, in an attempt to overload the server)
- check for unknown parameter names
- "sanity checks" for unreasonable parameter values, not expected during normal operation (for example, text of unreasonably large size, or a checkbox taking an unexpected value)
- complete - for example, items presented to the user in a static drop-down list, under normal operation, will take only the values defined by the web application. Any other value constitutes an invalid request (almost always a hack) which may be given a short, unpolished response, perhaps in static HTML.
- partial - for example, a free-form text area can be checked for size, but not for detailed content. As a second example, a business identifier can be checked for textual form, but validating it against the datastore is not appropriate at this early stage in processing.
- first, validate the input can indeed build an Integer. This validation might be performed on the application's behalf by a framework which defines reasonable policies for converting text into an Integer, Date, BigDecimal, and so on.
- second, validate the Integer is, say, in the range 0..150. This sort of validation can only be performed by an application, not by a framework.
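The checks listed above, combined into one up-front validator. This is an added example, not code from the original page. The parameter names (country, comment, age), the size limits and the country list are assumptions chosen for illustration.

```java
import java.util.*;

/** Added example: validates a request's parameters before any other processing. */
public final class RequestValidator {
  // Assumed limits and parameter names, chosen for illustration only.
  static final int MAX_REQUEST_BYTES = 8_192;
  static final int MAX_COMMENT_CHARS = 500;
  static final Set<String> KNOWN_PARAMS = Set.of("country", "comment", "age");
  static final Set<String> COUNTRIES = Set.of("CA", "US", "MX"); // static drop-down values

  /** Returns the problems found; an empty list means the request may proceed. */
  static List<String> validate(int contentLength, Map<String, String> params) {
    List<String> errors = new ArrayList<>();
    if (contentLength > MAX_REQUEST_BYTES) {
      errors.add("request too large");
      return errors; // do not inspect an oversized payload any further
    }
    // Unknown names are reported without echoing the submitted text.
    if (!KNOWN_PARAMS.containsAll(params.keySet())) errors.add("unknown parameter name");
    // Complete check: a drop-down can only yield values the application defined.
    String country = params.get("country");
    if (country != null && !COUNTRIES.contains(country)) errors.add("country not in list");
    // Partial check: free-form text is checked for size only, not content.
    String comment = params.get("comment");
    if (comment != null && comment.length() > MAX_COMMENT_CHARS) errors.add("comment too long");
    // Two steps: first build the Integer, then apply the application's own range.
    String age = params.get("age");
    if (age != null) {
      try {
        int value = Integer.parseInt(age.trim());
        if (value < 0 || value > 150) errors.add("age out of range 0..150");
      } catch (NumberFormatException e) {
        errors.add("age is not an integer");
      }
    }
    return errors;
  }

  public static void main(String[] args) {
    // Constructed sample requests: one valid, three invalid in different ways.
    System.out.println(validate(120, Map.of("country", "CA", "comment", "hi", "age", "42")));
    System.out.println(validate(120, Map.of("country", "ZZ", "age", "151", "debug", "1")));
    System.out.println(validate(120, Map.of("age", "12abc")));
    System.out.println(validate(9_000_000, Map.of()));
  }
}
```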