There’s an axiom in the appsec community - “all input is evil”. Every piece of data sent by the user may be teeming with virulent host-compromising attacks, and you had better validate ANY and ALL user-modifiable parameters or your computer will explode in a mushroom cloud of buffer overflows.
There's a common misstep that people make when figuring out how to fix these issues: “Is there a method I can use to validate all my data coming in?”
Well, it turns out that you can’t. Sorry. Each piece of data needs to be validated separately. Phone numbers need to look like phone numbers, usernames need to look like usernames, uploaded images need to look like uploaded images, and there isn’t any method out there that’s “one size fits all”.
Input validation isn’t for wimps.
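As an added example (not code from the original post), here is what per-type validation looks like in Python: a separate allow-list check for a phone number, a username and an image upload, each accepting only data that looks like its own kind. The patterns, length limits and accepted image formats are this example's own assumptions.

```python
import re
from typing import Optional

# One validator per input type: there is no single check that fits a phone
# number, a username and an uploaded image alike, so each gets its own rule.

# Constructed allow-list patterns (assumptions, not from the post).
_PHONE_RE = re.compile(r"\+?[0-9 ()-]{7,20}")        # dialling characters only
_USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")    # 3..32 chars, letter first

# Leading bytes of the image formats this example accepts.
_IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_phone(value: str) -> bool:
    """A phone number must look like one: only dialling characters, and
    between 7 and 15 digits once spaces, dashes and parentheses are ignored."""
    if not _PHONE_RE.fullmatch(value):
        return False
    digits = sum(ch.isdigit() for ch in value)
    return 7 <= digits <= 15


def validate_username(value: str) -> bool:
    """A username must look like one: lowercase letter first, then only
    letters, digits and underscores; nothing else gets through."""
    return _USERNAME_RE.fullmatch(value) is not None


def detect_image_type(data: bytes) -> Optional[str]:
    """Identify an upload by its leading bytes, never by its file name or
    Content-Type header, both of which the client chooses."""
    for name, signatures in _IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def validate_image_upload(filename: str, data: bytes) -> bool:
    """An uploaded image must look like one: the bytes must carry a known
    image signature, and it must agree with the claimed extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpeg" if ext == "jpg" else ext
    return ext != "" and detect_image_type(data) == ext
```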
Rudy and I did a Fishbowl Talk at TechEd, where we spoke extemporaneously about whatever was on our mind that week. Check it out here.
Self-proclaimed "alpha-geekess" and all around nice person Rachel Appel has given me a virtual shout-out on her blog.
http://www.rachelappel.com/2008/07/17/YesItrsquosThatEasyToGetHacked.aspx
I guess our presentation at TechEd was good enough to get me labeled as a "security expert" whose screencast needs to be watched by "every single developer and every sys admin". Thanks Rachel!