Input Validation – “All Input is Evil” – CS0
Any program input – such as a user typing at a keyboard or a network connection – can potentially be the source of security vulnerabilities and disastrous bugs. All input should be treated as potentially dangerous.
Determined attackers can use carefully crafted input to cause programs to run unauthorized commands. This technique can be used to delete or damage data, run malicious programs, or obtain sensitive information.
Risk – How Can It Happen?
All program inputs are a potential source of problems. If external data is not validated to ensure that it contains the right type of information, the right amount of information, and the right structure of information, it can cause problems.
Drawing used by permission of Dominik Joswig
- In December 2005, a Japanese securities trader made a $1 billion typing error, when he mistakenly sold 600,000 shares of stock at 1 yen each instead of selling one share for 600,000 yen. A few lines of code may have averted this error.
Fat fingered typing costs a trader’s bosses £128m, The Times Online, December 09, 2005
- Web applications are highly vulnerable to input validation errors. Inputting the invalid entry “!@#$%^&*()” on a vulnerable e-commerce site may cause performance issues, or “denial of service”, on a vulnerable system, or invalid passwords such as “pwd’” or “1=1— ” may result in unauthorized access.
- A Norwegian woman mistyped her account number on an internet banking system. Instead of typing her 11-digit account number, she accidentally typed an extra digit, for a total of 12 numbers. The system discarded the extra digit, and transferred $100,000 to the (incorrect) account. A simple dialog box informing her that she had typed too many digits would have helped avoid this expensive error.
Olsen, Kai. “The $100,000 Keying error” IEEE Computer, August 2008
- The site xssed.com lists nearly 13,000 vulnerable Web pages, including sites such as yahoo.com, google.com, msn.com, facebook.com, craigslist.com and cnn.com
Example in code:
testScore = int(input('Enter test score: ')) if testScore >= 90: print('Your grade is A') elif testScore >= 80: print('Your grade is B') elif testScore >= 70: print('Your grade is C') elif testScore >= 60: print('Your grade is D') else: print('Your grade is F')
This code fails to check for negative test scores or for test scores above 100.
Code Responsibly– How Can I Properly Validate Input?
Check all input: Below is a partial list of some checks to include:
- Range check - check numbers to ensure they are within a range of possible values, e.g., the value for month should lie between 1 and 12.
- Reasonable check: check values for their reasonableness, e.g. (age > 16) && (age < 100)
- Arithmetic check: check variables for values that might cause problems such as division by zero.
- Format check – check that the data is in a specified format (template), e.g., dates have to be in the format DD/MM/YYYY.
The following function shows input validation for a test score:
def check_input(min, max): prompt = "Enter an integer number between %d and %d: " % (min, max) value = int(input(prompt)) while (value < min or value > max): value = int(input(prompt)) return value
Recover Appropriately: A robust program will respond to invalid input in a manner that is appropriate, correct, and secure. When your program runs across invalid input, it should recover as much as possible and then repeat the request or otherwise alert the user to a problem. Arbitrary decisions such as truncating or otherwise reformatting data to “make it fit” should be avoided.
total = 0 print('Please enter 10 ages: ') for i in range(10): age = int(input('Please enter age: ')) total = total + age print('average age is ',float(total)/10)
- Compile and run the program from the background section.
- What happens if you enter a test score of 110? -5? What should happen?
- Compile and run Program 1.
- Complete the security checklist for this program (print the checklist).
- What variable should be validated? Describe what you should check for.
- Could integer overflow occur for the variable ‘total’? How?
- Optional: Change the program to properly validate the input.
*Copying and pasting programs may result in syntax errors and other inconsistencies. It is recommended you type each program.
|Vulnerability: Failure to Validate Input Course: CS0|
|Check each line of code|
|1. Mark with a V each variable that is input|
|For each V, which of the following is applicable|
|1. Check length?|
|2. Check range (reasonableness)?|
|3. Check format?|
|4. Check type?|
|Highlighted areas indicate vulnerabilities!|
- Which type of input validation (length, range, format, or type) applies to each of the following:
- phone number
- credit card number
- Which of the examples above would be the most challenging to properly validate?
Further Work (optional – check with your instructor if you need to answer the following questions)
- What are the challenges of adding input validation to your program?
- Another important security strategy is “defense in depth”. Explain what you think this means. How could this relate to input validation?
- Describe some input validation that you have encountered when using software such as registering for courses, checking your account balance, using a game or ordering an item online. Have you ever encountered a problem?