Input Validation – “All Input is Evil” – CS0

 

Background

Summary:

Any program input – such as a user typing at a keyboard or a network connection – can potentially be the source of security vulnerabilities and disastrous bugs. All input should be treated as potentially dangerous.

Description:

Determined attackers can use carefully crafted input to cause programs to run unauthorized commands. This technique can be used to delete or damage data, run malicious programs, or obtain sensitive information.

Risk – How Can It Happen?

All program inputs are a potential source of problems. If external data is not validated to ensure that it contains the right type of information, the right amount of information, and the right structure of information, it can cause problems.

Fat Finger
Drawing used by permission of Dominik Joswig

Examples of Occurrence:

  • In December 2005, a Japanese securities trader made a $1 billion typing error, when he mistakenly sold 600,000 shares of stock at 1 yen each instead of selling one share for 600,000 yen. A few lines of code may have averted this error. Fat fingered typing costs a trader’s bosses £128m, The Times Online, December 09, 2005
  • Web applications are highly vulnerable to input validation errors. Inputting the invalid entry “!@#$%^&*()” on a vulnerable e-commerce site may cause performance issues or denial of service on a vulnerable system or invalid passwords such as “pwd’” or “1=1— ” may result in unauthorized access. http://www.processor.com/editorial/article.asp?article=articles%2Fp3112%2F32p12%2F32p12%2F32p12.asp&guid=&searchtype=&WordList=&bJumpTo=True
  • A Norwegian woman mistyped her account number on an internet banking system. Instead of typing her 11-digit account number, she accidentally typed an extra digit, for a total of 12 numbers. The system discarded the extra digit, and transferred $100,000 to the (incorrect) account. A simple dialog box informing her that she had typed too many digits would have helped avoid this expensive error. Olsen, Kai. “The $100,000 Keying error” IEEE Computer, August 2008
  • The site xssed.com lists nearly 13,000 vulnerable Web pages, including sites such as yahoo.com, google.com, msn.com, facebook.com, craigslist.com and cnn.com

Example in Code (Example 1):

import java.util.*;
public class Testscore {
  public static void main(String[] args) {
    Scanner console = new Scanner(System.in);

    System.out.println("Enter test score");
    int testScore = console.nextInt();

    if (testScore >= 90)
      System.out.println("Your grade is A");
    else if (testScore >= 80)
      System.out.println("Your grade is B");
    else if (testScore >= 70)
      System.out.println("Your grade is C");
    else if (testScore >= 60)
      System.out.println("Your grade is D");
    else
      System.out.println("Your grade is F");
  }
}

This code fails to check for negative test scores or for test scores above 100.

Code Responsibly – How Can I Properly Validate Input?

Check all input: Below is a partial list of some checks to include:

  • Length check: variables are checked to ensure they are the appropriate length, for example, a US telephone number has 10 digits.
  • Range check - numbers checked to ensure they are within a range of possible values, e.g., the value for month should lie between 1 and 12.
  • Reasonable check: values are checked for their reasonableness, e.g. (age > 16) && (age < 100)
  • Divide by Zero: variables are checked for values that might cause problems such as division by zero.
  • Format check – Checks that the data is in a specified format (template), e.g., dates have to be in the format DD/MM/YYYY.

The following function shows input validation to check range and/or reasonableness::

static int getValidNum(int min, int max)
{
      Scanner console = new Scanner(System.in);
      int value =   console.nextInt();
      while ((value < min || value > max))
      {
        System.out.println("Enter number between "+ min + " and " + max);
        value =   console.nextInt();
      }
      return value;
}

Recover Appropriately: A robust program will respond to invalid input in a manner that is appropriate, correct, and secure. When your program runs across invalid input, it should recover as much as possible, and then repeat the request, or otherwise continue on. Arbitrary decisions such as truncating or otherwise reformatting data to “make it fit” should be avoided.

Lab Assignment

Program 1

import java.util.*;
public class WhileEx
{
  public static void main(String[] args)
  {
    Scanner console = new Scanner(System.in);
    int age;
    int total = 0;

    System.out.println("Please enter 10 ages: ");
    for (int i = 0;i < 10; i++)
    {
      age = console.nextInt();
      total = total + age;
    }
    System.out.println("average age is " + (float)total/10);
  }
}

Lab Questions:

  1. Type* the program (Example 1) from the section above and compile. Run.
  2. What happens if you enter a test score of 110? or  -5? What should happen?
  3. Type* Program 1 and compile. Run.
  4. Complete the security checklist for this program.( Print the checklist).
  5. What variable should be validated and describe what you should check for?
  6. Could integer overflow occur for the variable total? How?
  7. Optional: Change the program to properly validate the input.

*Copying and pasting programs may result in syntax errors and other inconsistencies. It is recommended you type each program.

 

Security Checklist

Security Checklist

Vulnerability: Failure to Validate Input Course: CS0  
Check each line of code  
1. Mark with a V each variable that is input  
For each V, which of the following is applicable  
1. Check length?  
2. Check range (reasonableness)?  
3. Check format?  
4. Check type?  
Highlighted areas indicate vulnerabilities!  
 

Discussion Questions

  1. Which type of input validation (length, range, format, or type) applies to each of the following:
    • phone number
    • age
    • credit card number
    • name
    • state
  2. Which of the examples above would be the most challenging to properly validate?

Further Work (optional - check with your instructor if you need to answer the following questions)

  1. What are the challenges of adding input validation to your program?
  2. Another important security strategy is "defense in depth". Explain what you think this means. How could this relate to input validation?
  3. Describe some input validation that you have encountered when using software such as registering for courses, checking your account balance, using a game, ordering an item online. Have you ever encountered a problem?
 
Copyright © Towson University