• Golden Rule: All external inputs, no matter what they are, should be examined and validated
  • Do not log unvalidated user inputs, as it may result in leaking sensitive data
  • Ensure that a data validation mechanism is present
  • Ensure that the data validation occurs on the server side
  • Ensure that proper length checks on all inputs exist
  • Examine where data validation occurs, and whether a centralized or a decentralized model is used
  • Ensure that all fields, cookies, HTTP headers/bodies and form fields are validated
  • Ensure that there are no backdoors in the data validation model

Best Practices for Input Validation (Cont’d)

  • Validate against known-good values (whitelists/allow lists) wherever it is feasible
  • Do not incorporate input strings from untrusted sources into format strings
  • Ensure that all inputs are canonicalized
  • Base filtering and validation on the strings’ actual character data
  • Ensure that inputs follow correct syntax and content restrictions
  • Use the java.sql.PreparedStatement class (parameterized queries) to prevent SQL injection attacks
  • Ensure that all inputs that can (and will) be modified by a user such as HTTP headers, input fields, hidden fields, etc., are properly validated
  • Ensure that the data is well-structured and contains only known good characters, if possible
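
The following Java class is an added example, not code from the original slides; it shows how several of the rules above fit together in one centralized, server-side validator (canonicalize, length check, allow-list match, no echoing of rejected input) followed by a parameterized query. The `users` table and its `id`/`username` columns are assumed for illustration.

```java
// Added example (not from the original slides): a small centralized validator
// that applies the rules above, then uses a PreparedStatement for the lookup.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.text.Normalizer;
import java.util.regex.Pattern;

public final class InputValidation {

    // Allow list: only ASCII letters, digits, dot, underscore and hyphen; 3..32 chars.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    /** Canonicalize and validate a username; rejects rather than "cleaning" bad input. */
    public static String validateUsername(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("username missing");
        }
        // Canonicalize before checking so alternative Unicode forms cannot bypass the allow list.
        String canonical = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        // Explicit length check before the pattern match (also bounds the regex work).
        if (canonical.length() < 3 || canonical.length() > 32) {
            throw new IllegalArgumentException("username length out of range");
        }
        if (!USERNAME.matcher(canonical).matches()) {
            // The rejected value is deliberately not included in the message or any log line.
            throw new IllegalArgumentException("username contains disallowed characters");
        }
        return canonical;
    }

    /** Looks up a user id with a parameterized query; input is never concatenated into SQL. */
    public static Integer findUserId(Connection conn, String rawUsername) throws SQLException {
        String username = validateUsername(rawUsername);
        // Hypothetical schema: table "users" with columns "id" and "username".
        String sql = "SELECT id FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }
}
```

Because validation lives in one method, every entry point (form field, header, cookie) is forced through the same allow list, and the query itself is safe even if a caller forgets to validate first.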