Input Validation Vulnerability
Validating all input with eDeveloper is easier and takes less effort than one might think, provided you design your system well and think for a while about "integrated content management". At runtime you get plenty of information from the environment (variable name, picture, the name of the program currently executing, ...) to identify the exact "type" (domain) of a parameter variable and its context (CustomerName, Street Address, credit card number, ...). The "Magic debuggers" known from old versions should give you an idea of what's possible.
In a well designed system you can, based on this runtime information, write yourself generic programs (functions) that check a value against constraints which you may have stored in a database or memory table, perhaps keyed by the "context" as well (program name, template used, ...). No need to hardcode everything. The possibilities this approach opens up are sweeping, and eDeveloper then has clear advantages in this respect over many other web application development environments.
All input to your web application needs to be validated.
Invalid or missing input validation leads to almost all of the major vulnerabilities in (web) applications. On the other hand, proper input validation is one of the strongest measures against almost all web application attacks known today. It effectively helps prevent:
- Cross Site Scripting (XSS)
- SQL injection
- buffer overflows, format string attacks, cookie poisoning, ... (the list is long)
When you write your eDeveloper server side programs, it is a good approach to assume that all input is malicious. You should
- never rely on client-side validation which you may have built into an HTML page with some JavaScript. Be aware that all input to your web application could have been tampered with, and
- use client side validation for quick user responsiveness only.
The parts of the http/https request to your Magic application which can be tampered with are:
- URL
- Cookies
- Form fields
- Hidden fields
- HTTP headers
Consider constraining all input at its entry points and encoding all output at its exit points (output validation), wherever possible in centralized code (scattered validation code is hard to maintain).
Wherever possible, check all parameters against a strict format that specifies exactly what input will be allowed.
This is called "positive" or "white list" validation. Negative approaches are much harder to maintain and are not likely to be effective.
Regular expressions are invaluable when it comes to input validation and sanitization of parameters for your Internet programs.
If you want, for instance, to ensure that a parameter of your program contains only word characters (letters, digits and the underscore character) and is at least 3 characters long but not longer than 30 characters, you would simply use a regular expression like the following: ^[A-Za-z0-9\_]{3,30}$ or (shorter) \w{3,30}. See the page on regular expressions for more sophisticated input validation based on regular expressions.
Note that the above check is a "white list" check: you check for valid characters. It would be wrong to check for invalid or "bad" characters, since there might be ways of encoding malicious data so that it passes your sanitization which you are simply not aware of.
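As an added example (not code from this page, from Magic or from eDeveloper), the following Python puts the two ideas above together: the table-driven generic check function (constraints per parameter domain kept in a table instead of hardcoded) and the "white list" regular expression check, with output encoding at the exit point. Python is used because eDeveloper has no regular expression functions of its own. The domain names and patterns in the constraint table, and the request it validates, are made up for this example. It also shows two caveats when the page's patterns are used from Python: the pattern must be anchored to the whole value (a substring match of \w{3,30} would accept "<script>abc"), and \w matches non-ASCII letters unless re.ASCII is set, so the short form only equals [A-Za-z0-9_] with that flag.

```python
import html
import re
from typing import Dict, Mapping

# Constructed constraint table: parameter domain -> white-list pattern.
# The page keeps such constraints in a database or memory table; these
# four entries are assumptions made up for this example.
CONSTRAINTS: Dict[str, "re.Pattern[str]"] = {
    # the page's own pattern: word characters, 3 to 30 of them
    "username": re.compile(r"[A-Za-z0-9_]{3,30}"),
    "customer_name": re.compile(r"[A-Za-z][A-Za-z '\-]{1,59}"),
    "zip_code": re.compile(r"[0-9]{5}"),
    "quantity": re.compile(r"[1-9][0-9]{0,4}"),
}


class ValidationError(ValueError):
    """Raised when a request parameter fails its white-list check."""


def validate(domain: str, value: object) -> str:
    """Positive check: the value must match the domain's pattern as a whole."""
    pattern = CONSTRAINTS.get(domain)
    if pattern is None:
        # Unknown domain: fail closed instead of letting the value through.
        raise ValidationError(f"no constraint defined for domain {domain!r}")
    if not isinstance(value, str):
        raise ValidationError(f"{domain}: expected a single string value")
    # fullmatch anchors at both ends. A ^...$ search would still accept a
    # trailing newline ("abc\n"), and an unanchored \w{3,30} would accept
    # "<script>abc" because it matches a substring.
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{domain}: value rejected by white-list")
    return value


def is_valid(domain: str, value: object) -> bool:
    """Boolean wrapper around validate() for callers that do not want exceptions."""
    try:
        validate(domain, value)
    except ValidationError:
        return False
    return True


def validate_request(params: Mapping[str, object], schema: Mapping[str, str]) -> Dict[str, str]:
    """Check every expected parameter (URL, cookie, form field, hidden field
    or header) against the domain the schema assigns to it. Parameters the
    schema does not mention are dropped, never passed through."""
    clean: Dict[str, str] = {}
    for name, domain in schema.items():
        if name not in params:
            raise ValidationError(f"missing parameter {name!r}")
        clean[name] = validate(domain, params[name])
    return clean


def encode_for_html(value: str) -> str:
    """Exit-point encoding: escape the HTML metacharacters so a validated
    value can be placed into an HTML page without being interpreted as markup."""
    return html.escape(value, quote=True)


# The page's short form \w{3,30}: in Python 3, \w also matches non-ASCII
# letters unless re.ASCII is set, so only the flagged version is equivalent
# to [A-Za-z0-9_]{3,30}.
SHORT_FORM_ASCII = re.compile(r"\w{3,30}", re.ASCII)
SHORT_FORM_UNICODE = re.compile(r"\w{3,30}")


def short_form_matches(value: str, ascii_only: bool = True) -> bool:
    """Whole-value match against the short form, with or without re.ASCII."""
    pattern = SHORT_FORM_ASCII if ascii_only else SHORT_FORM_UNICODE
    return pattern.fullmatch(value) is not None


if __name__ == "__main__":
    # constructed request: one field that fails its domain, one not in the schema
    request = {"user": "alice_01", "qty": "3", "zip": "1234", "debug": "1"}
    schema = {"user": "username", "qty": "quantity"}
    print(validate_request(request, schema))      # {'user': 'alice_01', 'qty': '3'}
    print(is_valid("zip_code", request["zip"]))    # False
    print(encode_for_html('<b>"x"</b>'))           # &lt;b&gt;&quot;x&quot;&lt;/b&gt;
```

The schema is the piece of runtime information the page talks about: it maps each parameter name of the executing program to its domain, so the same validate() serves every program and only the table changes. Everything the schema does not name is discarded, which is the "positive" approach applied to the parameter set as well as to each value.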
Unfortunately eDeveloper does not (yet) have functions which allow you to check whether a given string matches a regular expression. You need to find yourself a library or ActiveX control.
Note: since we are talking about the Internet and security here, be sure that it is really a good library or control. It is particularly important that the library/control is thread safe and does not give unpredictable results when you do your validations in a parallel execution task or in a program run by a multi-threaded Enterprise Server. If a developer can't tell you whether a library is thread-safe or not, DON'T use it for the Internet. You may open a serious security hole, maybe even a backdoor to your system.
Use eDeveloper's strongly typed parameters and variables, and do not use GetParam() as an alternative method for a Magic & Internet program to receive input.