Input Validation Cheat Sheet


Nov 18, 2013


Input Validation Cheat Sheet - OWASP
https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet[4/12/2013 12:59:15 PM]
Contents
1 Introduction
1.1 White List Input Validation
2 Authors and Primary Editors
3 Other Cheatsheets

Introduction
This article is focused on providing clear, simple, actionable guidance for implementing input
validation security functionality in your applications.
It is always recommended to prevent attacks as early as possible in the processing of the user's
(attacker's) request. Input validation can be used to detect unauthorized input before it is processed
by the application. Developers frequently perform black list validation in order to try to detect attack
characters and patterns like the ' character, the string 1=1, or the <script> tag, but this is a massively
flawed approach: it is typically trivial for an attacker to avoid getting caught by such filters (by varying
case, encoding, or the exact token used), and such filters frequently reject authorized input, like the
name O'Brian, when the ' character is being filtered out.
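The following is an added example, not code from the cheat sheet: a typical single-pass black-list filter next to the inputs that defeat it and the legitimate input it damages, with a white-list check for the same field for contrast. The name-field policy (letters, apostrophe, space, dot, hyphen, 1 to 50 characters) is an illustrative assumption.

```java
import java.util.regex.Pattern;

/** Black list versus white list for a person-name field (added example, constructed inputs). */
public class BlackListDemo {

    /** Naive black list: strip a few known "attack" tokens in a single pass. */
    static String stripBlackListed(String input) {
        return input.replace("<script>", "")
                    .replace("'", "")
                    .replace("1=1", "");
    }

    /** Reject-on-sight variant of the same black list. */
    static boolean blackListRejects(String input) {
        return input.contains("<script>") || input.contains("'") || input.contains("1=1");
    }

    /** White-list alternative (hypothetical policy): only the characters a name may contain, 1-50 of them. */
    static final Pattern NAME = Pattern.compile("^[a-zA-Z' .-]{1,50}$");

    static boolean whiteListAccepts(String input) {
        // matches() requires the whole value to match, not merely a substring
        return input != null && NAME.matcher(input).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs
        String legit     = "O'Brian";                           // legitimate, contains an apostrophe
        String nested    = "<scr<script>ipt>alert(1)</script>"; // single-pass removal reassembles the tag
        String cased     = "<SCRIPT>alert(1)</SCRIPT>";         // case variation is not on the list
        String tautology = "1 OR 2=2";                          // same effect as 1=1, different literal

        // The black list mangles the legitimate name and lets every attack variant through.
        System.out.println("stripped legit:      " + stripBlackListed(legit));
        System.out.println("stripped nested:     " + stripBlackListed(nested));
        System.out.println("rejects cased:       " + blackListRejects(cased));
        System.out.println("rejects tautology:   " + blackListRejects(tautology));

        // The white list keeps the legitimate name and rejects both attack strings,
        // without knowing anything about the attacks.
        System.out.println("white list legit:    " + whiteListAccepts(legit));
        System.out.println("white list cased:    " + whiteListAccepts(cased));
        System.out.println("white list tautology:" + whiteListAccepts(tautology));
    }
}
```

Running this shows the black list turning O'Brian into OBrian while reassembling the nested input into a complete <script> tag and missing both the upper-case tag and the 2=2 tautology; the white list accepts O'Brian and rejects the other two because < > ( ) = and digits are simply not in the permitted set.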
White List Input Validation
White list validation is appropriate for all input fields provided by the user. White list validation
involves defining exactly what IS authorized; by definition, everything else is not authorized. If the
input is well-structured data, like dates, social security numbers, zip codes, e-mail addresses, etc., then
the developer should be able to define a very strong validation pattern, usually based on regular
expressions, for validating such input. If the input field comes from a fixed set of options, like a drop-
down list or radio buttons, then the input must match exactly one of the values offered to the user in
the first place; the attacker controls the request, so the fact that the browser only offered those values
proves nothing about what is submitted. The most difficult fields to validate are so-called 'free text'
fields, like blog entries. However, even those fields can be validated to some degree: you can at least
exclude all non-printable characters and define a maximum size for the input field.
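One validator for each of the three kinds of field described above, as an added example that is not part of the cheat sheet: a strict pattern for structured data, exact membership in the offered option set for a drop-down, and a size limit plus a printable-character check for free text. The state list is the one used by the drop-down regex later on this page; the free-text policy (line feed and tab are the only control characters allowed, Unicode NFC normalization first) and the limits are assumptions for illustration. Requires Java 11 or later.

```java
import java.text.Normalizer;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/** One white-list validator per kind of input field (added example, constructed inputs). */
public class WhiteListValidation {

    // 1. Well-structured data: a strict pattern, matched against the whole string.
    private static final Pattern ZIP = Pattern.compile("^\\d{5}(-\\d{4})?$");

    static boolean isValidZip(String input) {
        return input != null && ZIP.matcher(input).matches();
    }

    // 2. Fixed set of options: the submitted value must equal one of the values the server
    //    offered. Keep one set and generate both the form and this check from it.
    private static final Set<String> STATES = new HashSet<>(Arrays.asList(
        "AA", "AE", "AP", "AL", "AK", "AS", "AZ", "AR", "CA", "CO", "CT", "DE", "DC", "FM", "FL", "GA",
        "GU", "HI", "ID", "IL", "IN", "IA", "KS", "KY", "LA", "ME", "MH", "MD", "MA", "MI", "MN", "MS",
        "MO", "MT", "NE", "NV", "NH", "NJ", "NM", "NY", "NC", "ND", "MP", "OH", "OK", "OR", "PW", "PA",
        "PR", "RI", "SC", "SD", "TN", "TX", "UT", "VT", "VI", "VA", "WA", "WV", "WI", "WY"));

    static boolean isValidState(String input) {
        // Exact, case-sensitive comparison: "tx" or "Texas" were never offered, so they are rejected.
        return input != null && STATES.contains(input);
    }

    // 3. Free text: there is no grammar to enforce, so enforce what can still be enforced,
    //    a maximum size and the absence of non-printable characters.
    static boolean isValidFreeText(String input, int maxChars) {
        if (input == null) {
            return false;
        }
        // Normalize first so composed and decomposed forms of the same text are judged alike.
        String text = Normalizer.normalize(input, Normalizer.Form.NFC);
        // Count characters, not UTF-16 code units, so supplementary characters are not double-counted.
        if (text.isEmpty() || text.codePointCount(0, text.length()) > maxChars) {
            return false;
        }
        // Reject control characters (NUL, ESC, CR, ...) and code points Java does not know as
        // assigned characters. Line feed and tab are allowed because a blog entry legitimately
        // contains them (policy assumption for this example).
        return text.codePoints().allMatch(cp ->
            cp == '\n' || cp == '\t' || (!Character.isISOControl(cp) && Character.isDefined(cp)));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, one accepted and one rejected per validator
        System.out.println("zip 20170-1234:  " + isValidZip("20170-1234"));
        System.out.println("zip 20170-12345: " + isValidZip("20170-12345"));
        System.out.println("state TX:        " + isValidState("TX"));
        System.out.println("state tx:        " + isValidState("tx"));
        System.out.println("state injected:  " + isValidState("TX' OR 1=1--"));
        System.out.println("text normal:     " + isValidFreeText("First post!\nHello, world.", 1000));
        System.out.println("text with NUL:   " + isValidFreeText("hidden\u0000byte", 1000));
        System.out.println("text too long:   " + isValidFreeText("x".repeat(1001), 1000));
    }
}
```

The three validators share one property: each one is defined entirely in terms of what is allowed, so an input that was never anticipated (a NUL byte, a lower-case state code, a nine-digit zip) is rejected without anyone having had to think of it in advance.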
Developing regular expressions can be complicated and is well beyond the scope of this cheat
sheet. There are many resources on the internet about how to write regular expressions, including
http://www.regular-expressions.info/ and the OWASP Validation Regex Repository. The following
are a few examples of 'white list' style regular expressions:
White List Regex Examples

Validating Data from Free Form Text Field for Zip Code (5 digits plus optional -4)
^\d{5}(-\d{4})?$

Validating Data from Fixed List Drop-Down Box For U.S. State Selection
^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$

Validating a Free Form Text Field for allowed chars (numbers, letters, whitespace, .-_)
^[a-zA-Z0-9\s._-]+$ (Any number of characters)
^[a-zA-Z0-9\s._-]{1,100}$ (This is better, since it limits this field to 1 to 100 characters. Note the
comma in the counted repetition: {1-100} is a syntax error in Java and is silently treated as the
literal text {1-100} by PCRE and JavaScript.)
Note: \s matches any whitespace character (space, tab, carriage return and linefeed; Java also
includes vertical tab and form feed). If the field must not contain line breaks, for example because
its value ends up in a header, a log line or a single-line display, list the permitted whitespace
explicitly (e.g. [ \t]) instead of using \s.
Note: anchor the pattern and match the whole value. In most flavors $ also matches just before a
trailing newline, so a search-style match accepts "12345\n" against ^\d{5}$; use a whole-string
match (Matcher.matches() in Java) or the \A and \z anchors where the flavor supports them.
Note: the . (dot) is a literal inside a character class [] and does not need to be escaped. In most
flavors (Java, PCRE, JavaScript, .NET) [\.] still matches only a dot, but in POSIX bracket
expressions (grep, sed, awk) the backslash is literal as well, so [\.] matches a backslash or a dot,
which is most likely not wanted.
Note: the use of - inside character classes [] depends on the regular expression flavor; the portable
variants are: unescaped as the first character, unescaped as the last character, or always escaped
as \-.
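The notes above, checked against Java's regex flavor, as an added example rather than code from the cheat sheet. Each method returns the observation it demonstrates; the inputs (a zip code with a trailing newline, a free-text value carrying a CRLF and a header-like line) are constructed for the example.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/** Regex pitfalls from the notes above, verified in java.util.regex (added example). */
public class RegexPitfalls {

    /** {1-100} is not a counted repetition; Java refuses to compile it. {1,100} is the correct form. */
    static boolean badQuantifierIsRejected() {
        try {
            Pattern.compile("^[a-zA-Z0-9\\s._-]{1-100}$");
            return false;
        } catch (PatternSyntaxException e) {
            return true;
        }
    }

    /** Without MULTILINE, $ also matches just before a final line terminator, so find() accepts "12345\n". */
    static boolean dollarAcceptsTrailingNewlineWithFind() {
        return Pattern.compile("^\\d{5}$").matcher("12345\n").find();
    }

    /** matches() requires the whole input to match; \A ... \z anchoring has the same effect with find(). */
    static boolean wholeStringMatchRejectsTrailingNewline() {
        return !Pattern.compile("^\\d{5}$").matcher("12345\n").matches()
            && !Pattern.compile("\\A\\d{5}\\z").matcher("12345\n").find();
    }

    // Constructed free-text value: a CRLF followed by something that looks like a header line.
    private static final String WITH_LINE_BREAK = "note\r\nX-Injected-Header 1";

    /** \s includes CR and LF, so the free-text pattern from the page accepts the embedded line break. */
    static boolean backslashSAllowsLineBreaks() {
        return Pattern.compile("^[a-zA-Z0-9\\s._-]{1,100}$").matcher(WITH_LINE_BREAK).matches();
    }

    /** Listing the permitted whitespace explicitly (space and tab only) rejects the same value. */
    static boolean explicitWhitespaceRejectsLineBreaks() {
        return !Pattern.compile("^[a-zA-Z0-9 \\t._-]{1,100}$").matcher(WITH_LINE_BREAK).matches();
    }

    /** In Java (as in PCRE, JavaScript and .NET) [\.] is just a dot; it does not also admit a backslash. */
    static boolean escapedDotInClassIsOnlyDot() {
        Pattern p = Pattern.compile("^[\\.]$");
        return p.matcher(".").matches() && !p.matcher("\\").matches();
    }

    public static void main(String[] args) {
        System.out.println("bad quantifier rejected:        " + badQuantifierIsRejected());
        System.out.println("$ + find() accepts newline:     " + dollarAcceptsTrailingNewlineWithFind());
        System.out.println("matches()/\\z reject newline:    " + wholeStringMatchRejectsTrailingNewline());
        System.out.println("\\s lets CRLF through:           " + backslashSAllowsLineBreaks());
        System.out.println("[ \\t] blocks CRLF:              " + explicitWhitespaceRejectsLineBreaks());
        System.out.println("[\\.] is only a dot:             " + escapedDotInClassIsOnlyDot());
    }
}
```

Every method returns true, i.e. each pitfall behaves as the notes describe. The practical consequences for a validator are the two in the middle: call matches() rather than find() on an anchored pattern, and spell out the whitespace you accept when a line break in the value would be harmful downstream.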
Java Regex Usage Example
Example validating the parameter "zip" using a regular expression.

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Compile once; Pattern is immutable and thread-safe. Inside a Java string literal the
// backslash must be doubled, otherwise "\d" does not compile.
private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

public void doPost( HttpServletRequest request, HttpServletResponse response) throws IOException {
    try {
        String zipCode = request.getParameter( "zip" );
        // getParameter() returns null when the parameter is absent; treat that as invalid
        // instead of letting matcher() throw a NullPointerException. matches() requires the
        // whole value to match the pattern, not just a substring of it.
        if ( zipCode == null || !zipPattern.matcher( zipCode ).matches() ) {
            throw new YourValidationException( "Improper zipcode format." );
        }
        // ... do what you want here, after it has been validated ...
    } catch( YourValidationException e ) {
        response.sendError( HttpServletResponse.SC_BAD_REQUEST, e.getMessage() );
    }
}
Some white list validators have also been predefined in various open source packages that you can
leverage. Two packages that provide this are:
Apache Commons Validator
OWASP ESAPI Validators
It is recommended that you use ESAPI to assist with your input validation needs rather than writing
your own validation routines. The OWASP Enterprise Security API (ESAPI) project has predefined
validators declared in the org.owasp.esapi.Validator interface and implemented in the DefaultValidator
reference implementation. These include:
getValidDate()
getValidSafeHTML()
getValidInput()
getValidNumber()
getValidFileName()
getValidRedirectLocation()
With ESAPI, the previous example can be rewritten as follows:
Example validating the parameter "zip" with the generic ESAPI input validator.

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

public void doPost( HttpServletRequest request, HttpServletResponse response) throws IOException {
    try {
        // Validator is an interface; the configured implementation is obtained via ESAPI.validator().
        // Arguments: a context string (used in log messages), the raw input, the name of the
        // validation rule, the maximum length, and whether a null/missing value is acceptable.
        // A missing or non-matching value raises ValidationException; input that looks like an
        // attack (e.g. double encoding) raises the unchecked IntrusionException.
        String zipCode = ESAPI.validator().getValidInput("ChangeAddressPage_ZipCodeField",
            request.getParameter( "zip" ), "zipCodePattern", 10, false);
        // ... do what you want with the validated 'zipCode' param here ...
    } catch( ValidationException e ) {
        response.sendError( HttpServletResponse.SC_BAD_REQUEST, e.getMessage() );
    }
}

// zipCodePattern is the name of a validation rule defined in ESAPI.properties (the reference
// implementation looks it up as the property Validator.zipCodePattern), and its value is the
// regular expression: ^\d{5}(-\d{4})?$
//
// If zipcodes were a frequently used parameter in your application, we would recommend
// that you create your own getValidZipCode() method that builds on top of ESAPI, to make
// it even simpler for your developers to use.
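An added example, not from the cheat sheet or the ESAPI project, of the getValidZipCode() wrapper suggested in the comment above, together with the ValidationErrorList overload of getValidInput, which collects every failing field of a form instead of stopping at the first one. It assumes ESAPI 2.x on the classpath and an ESAPI.properties that defines Validator.zipCodePattern as above; the rule names SafeString and Email are the ones shipped in the reference ESAPI.properties, and the context strings, field names and lengths are illustrative.

```java
import javax.servlet.http.HttpServletRequest;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/** Application-specific helpers built on top of ESAPI's generic validator (added example). */
public final class AddressFormValidator {

    private AddressFormValidator() {}

    /** The wrapper suggested above: hides the rule name, maximum length and null policy. */
    public static String getValidZipCode(String context, String input)
            throws ValidationException, IntrusionException {
        return ESAPI.validator().getValidInput(context, input, "zipCodePattern", 10, false);
    }

    /** Immutable result of a successful validation; only validated values can be constructed. */
    public static final class Address {
        public final String name;
        public final String email;
        public final String zip;

        private Address(String name, String email, String zip) {
            this.name = name;
            this.email = email;
            this.zip = zip;
        }
    }

    /**
     * Validates every field of the (hypothetical) change-address form. The ValidationErrorList
     * overloads record a failure against the field's context and return instead of throwing,
     * so the user gets all errors in one round trip. Returns null when any field failed.
     */
    public static Address validate(HttpServletRequest request, ValidationErrorList errors)
            throws IntrusionException {
        String name = ESAPI.validator().getValidInput("ChangeAddressPage_NameField",
                request.getParameter("name"), "SafeString", 100, false, errors);
        String email = ESAPI.validator().getValidInput("ChangeAddressPage_EmailField",
                request.getParameter("email"), "Email", 254, false, errors);
        String zip = ESAPI.validator().getValidInput("ChangeAddressPage_ZipCodeField",
                request.getParameter("zip"), "zipCodePattern", 10, false, errors);
        if (!errors.isEmpty()) {
            return null;
        }
        return new Address(name, email, zip);
    }

    /** One line per failing field, using the user message only; the log message carries the raw input. */
    public static String describe(ValidationErrorList errors) {
        StringBuilder sb = new StringBuilder();
        for (ValidationException e : errors.errors()) {
            sb.append(e.getContext()).append(": ").append(e.getUserMessage()).append('\n');
        }
        return sb.toString();
    }
}
```

In doPost, create a new ValidationErrorList, call validate(), and on a null result respond with SC_BAD_REQUEST and describe(errors); catch IntrusionException separately and treat it as a 400 as well, since ESAPI raises it when canonicalization (which it performs before applying the pattern) detects double or mixed encoding. Keeping getContext() and getUserMessage() in the response, and the raw input only in the log message, means invalid data is never reflected back to the client.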
The overall javadoc for ESAPI is here, and the javadoc for this specific interface is here.

Authors and Primary Editors
Dave Wichers - dave.wichers [at] aspectsecurity.com
Other Cheatsheets
OWASP Cheat Sheets Project Homepage
Cheat Sheets
Developer Cheat Sheets (Builder)
Authentication Cheat Sheet
Choosing and Using Security Questions Cheat Sheet
Clickjacking Defense Cheat Sheet
C-Based Toolchain Hardening Cheat Sheet
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
Cryptographic Storage Cheat Sheet
DOM based XSS Prevention Cheat Sheet
Forgot Password Cheat Sheet
HTML5 Security Cheat Sheet
Input Validation Cheat Sheet
JAAS Cheat Sheet
Logging Cheat Sheet
OWASP Top Ten Cheat Sheet
Password Storage Cheat Sheet
Pinning Cheat Sheet
Query Parameterization Cheat Sheet
Ruby on Rails Cheatsheet
REST Security Cheat Sheet
Session Management Cheat Sheet
SQL Injection Prevention Cheat Sheet
Transport Layer Protection Cheat Sheet
Unvalidated Redirects and Forwards Cheat Sheet
User Privacy Protection Cheat Sheet
Web Service Security Cheat Sheet
XSS (Cross Site Scripting) Prevention Cheat Sheet
Assessment Cheat Sheets (Breaker)
Attack Surface Analysis Cheat Sheet
XSS Filter Evasion Cheat Sheet
Mobile Cheat Sheets
IOS Developer Cheat Sheet
Mobile Jailbreaking Cheat Sheet
OpSec Cheat Sheets (Defender)
Virtual Patching Cheat Sheet
Draft Cheat Sheets
Access Control Cheat Sheet
Business Logic Security Cheat Sheet
Application Security Architecture Cheat Sheet
PHP Security Cheat Sheet
.NET Security Cheat Sheet
Secure Coding Cheat Sheet
Secure SDLC Cheat Sheet
Threat Modeling Cheat Sheet
Web Application Security Testing Cheat Sheet
Grails Secure Code Review Cheat Sheet
IOS Application Security Testing Cheat Sheet
Category: Cheatsheets

This page was last modified on 9 July 2012, at 10:29.
Content is available under a Creative Commons 3.0 License.