Today, most applications are interactive. Applications accept one or more forms of user inputs. But the question is – are these user inputs reliable? As we all know, not all users can be trusted. As such, it is difficult to assess which inputs are genuine and which aren’t.
User inputs may be in the form of text, a file, and so on. Even an attacker can pretend to be a normal user and try to inject malicious codes and upload malicious files into the application server to gain access to the server. Thus, user inputs may not always be reliable. However, proper security measures can help prevent attacks caused by improper handling of user inputs.
In the text format, an attacker can try to inject a malicious code directly or indirectly (encoding or encrypting a value to bypass the firewall or the rules set to tighten security) into the application server. Similarly, malicious files can be embedded into normal file types that can be uploaded into the application to gain access to the server.
We can mitigate risks posed by user inputs by imposing certain restrictions. The restrictions should be set from the browser level to the server level. Here, input validation and input sanitization play a major role. It’s also important to have a Web Application Firewall (WAF) and set rules to neutralize attacks from user inputs (like restricting the kinds of inputs users can provide).
Proper security configuration in web applications, web servers, and databases are also crucial. Policies should be defined to ensure proper access control to web applications, such as role-based or authentication-based access control for different types of privileged users. It’s also important to properly monitor the actions performed in the web server and set rules for alerts to be sent to concerned people if any malicious actions are detected.
Some of the examples of improper user input are as follows:
- Consider a text field through which a user can provide an input.
Here, there is no input sanitization. So, the user can enter any input and submit it. All inputs will be accepted. If we try with a simple java script, it will just show the following alert:
<script>alert(“Cross Site Scripting”)</script>
If you click on the submit button. The following alert will show.
This is called “Cross Site Scripting”. If an attacker tries to execute any javascript code into the client machine, the input will be accepted due to lack of improper input handling of the application.
However, with proper input handling, it won’t execute the javascript code in the client machine. It will just take the input and display the following message.:
That’s because, in this case, a proper input sanitization mechanism has been put in place.
- Let’s consider another example where the user can upload a file into the web application.
Here, it has been specified that an image file has to be uploaded. But we can upload any file if the file type is not checked. Now, if we try to upload a .php extension file, which contains a backdoor, we’ll be able to do so as no restrictions are applied here.
This is a major security concern- “unrestricted file upload” – one that can be mitigated with proper input validation.
Now, consider a scenario where a proper validation mechanism is in place. Here, we’ll not be able to upload the file.
In this case, proper file upload restrictions are in place.
Conclusion:
User inputs in any form are unreliable. But implementing proper security measures can go a long way in assessing which inputs can be trusted and which not. So, each input, regardless of the format, must be validated properly(texts, file uploads, etc).
Interested