The cheat sheet below condenses insights extracted from the OWASP article about user input validation. This table aims to offer a concise and user-friendly overview that can be swiftly referenced for a quick grasp of key points. For further information, please visit OWASP – Input Validation

Topic | Key Security Points
Goals of Input Validation

• Ensure only properly structured data enters the system to prevent malicious content.

• Identify and reject malformed data at the earliest stage to prevent downstream malfunctions.

• Validate data from all external sources, including web clients and backend partner feeds.

• Combine validation with specific defenses for XSS and SQL Injection.

Input Validation Strategies

• Use Syntactic Validation for predefined structures (e.g., SSN, date formats).

• Use Semantic Validation for business context (e.g., start date must precede end date).

• Leverage native framework validators, JSON/XML schemas, and rigorous type conversion.

• Apply validation to all incoming data so that invalid input is stopped before it propagates further into the application.

Allow List vs. Block List

• Prioritize Allow Listing (defining authorized data) over Block Listing (filtering malicious patterns).

• Block lists are often ineffective as attackers can bypass filters with new patterns.

• Use strict regular expressions for structured data like dates and email addresses.

• Match input against predefined values for restricted fields like dropdowns.

Validating Free-Form Unicode Text

• Use normalization to ensure uniform encoding and remove invalid characters.

• Leverage Character Category Allow-Listing (e.g., Unicode “letters” or “decimal digits”).

• Prioritize context-aware output encoding, as validation is not the primary defense against XSS.
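The allow-list and free-form text points above, worked as an added example (not code from the OWASP page): NFC normalization plus character-category allow-listing for free text, a strict regex followed by a semantic calendar check for dates, the start-before-end rule, and exact matching for dropdown values. The punctuation set and length limit are assumptions chosen for the demo.

```python
import re
import unicodedata
from datetime import date
from typing import Optional

# Added example of allow-list validation; not OWASP's own code.
# Character-category allow list for free-form text: any Unicode letter (L*),
# decimal digits (Nd), ordinary spaces (Zs) and a short explicit punctuation set
# (the set and the default length limit are assumptions for this demo).
_ALLOWED_PUNCT = set(".,;:!?'-()")


def validate_free_text(text: str, max_len: int = 200) -> Optional[str]:
    """Normalize to NFC, then accept only allow-listed character categories.

    Returns the normalized text, or None if rejected. Control, format,
    surrogate and private-use characters are never accepted; output encoding
    is still required before the text is rendered anywhere.
    """
    normalized = unicodedata.normalize("NFC", text)
    if not 0 < len(normalized) <= max_len:
        return None
    for ch in normalized:
        cat = unicodedata.category(ch)
        if cat.startswith("L") or cat in ("Nd", "Zs") or ch in _ALLOWED_PUNCT:
            continue
        return None
    return normalized


_ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # anchored: whole string must match


def validate_date(value: str) -> Optional[date]:
    """Syntactic check (strict regex), then semantic check (real calendar date)."""
    if not _ISO_DATE.match(value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:  # well-formed but impossible, e.g. 2024-02-30
        return None


def validate_date_range(start: str, end: str) -> Optional[tuple]:
    """Semantic rule from the sheet: the start date must precede the end date."""
    s, e = validate_date(start), validate_date(end)
    if s is None or e is None or not s < e:
        return None
    return s, e


def validate_choice(value: str, allowed: frozenset) -> Optional[str]:
    """Restricted fields (dropdowns): exact match against predefined values only."""
    return value if value in allowed else None
```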

Public Serving of Uploaded Content

• Ensure correct Content-Type headers are set when serving uploaded files.

• Protect “special” files like crossdomain.xml and .htaccess from manipulation.

• Validate filename extensions, maximum file size, and scan content for malicious code.

Email Address Validation

• Perform Syntactic Validation based on RFC 5321 formatting.

• Perform Semantic Validation by sending a verification email to ensure mailbox ownership.

Disposable Email Addresses

• Be aware that blocking disposable domains is difficult as provider lists change constantly.

• Avoid outright blocking; instead, educate users on the risks of using temporary addresses.

Sub-Addressing

• Recognize sub-addressing (e.g., a "+tag" suffix appended to the local part of the address) used by users to categorize their mail.

• Avoid blocking sub-addressing, as it can discourage users from providing real contact info.

• Note that users can bypass blocks by using multiple accounts or disposable providers.