This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:WASS Validate Inputs"

From OWASP
(Reverting to last version not containing links to www.textacelsitcord.com)
Latest revision as of 18:27, 27 May 2009

Validate user inputs

User inputs are the lifeblood of any application, but they are also the vector for most attacks. Care must therefore be taken to validate all inputs and restrict their usage.

  1. The application must take steps to validate data by restricting inputs to expected characters only. Specifically:
    1. Any input that can be controlled by the user shall have no effect on the intended meaning of SQL or XML queries that use its value.
    2. The application will not pass user-controlled inputs to external systems unless they have been validated not to cause unintended side effects.
    3. Where the application is "unmanaged" (i.e. not Java or .NET), inputs should be truncated to the necessary length so as not to cause buffer overflow vulnerabilities.
    4. Where users are able to upload files into the application, the files should be limited to the necessary types (e.g. GIF, JPEG), checked for malicious content (e.g. Trojans, viruses), and be non-executable (i.e. not ASP, EXE, etc.).
    5. Users should not be able to modify input values to see other users' information, or to request resources that they would otherwise not have permission to access.
    6. The Content-Type HTTP header should be set to a single content type.
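The following is an added example, not part of the original OWASP page, showing how items 1.1, 1.3, 1.4 and 1.5 of the checklist look in code: an allowlist on accepted characters, a length bound on free text, an extension allowlist for uploads, a parameterised SQL query so input is bound as data, and an ownership check that takes the requester's identity from the session rather than the request. The table layout, field names and limits are assumptions constructed for the example.

```python
import re
import sqlite3

# Allowlists and limits for this example (constructed; tune per application).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
ALLOWED_UPLOAD_EXT = {"gif", "jpeg", "jpg", "png"}
MAX_COMMENT_LEN = 200


def validate_username(value):
    """Item 1: accept only the expected characters (letters, digits, underscore)."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains unexpected characters")
    return value


def truncate_comment(value, limit=MAX_COMMENT_LEN):
    """Item 1.3: bound the length of free text before it is passed on."""
    return value[:limit]


def upload_allowed(filename):
    """Item 1.4: allow only expected, non-executable types, judged by the final extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_UPLOAD_EXT


def lookup_user(conn, username):
    """Item 1.1: validated input is bound as a parameter, never spliced into the SQL text."""
    name = validate_username(username)
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def fetch_note(conn, requester_id, note_id):
    """Item 1.5: requester_id comes from the server-side session, not the request;
    the query returns a note only if the requester owns it."""
    return conn.execute(
        "SELECT id, body FROM notes WHERE id = ? AND owner_id = ?",
        (int(note_id), int(requester_id)),
    ).fetchone()


def build_demo_db():
    """Constructed in-memory data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.executemany("INSERT INTO notes (owner_id, body) VALUES (?, ?)",
                     [(1, "alice's note"), (2, "bob's note")])
    return conn
```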
