-2

I have an input text field for accepting an Email ID. If the Email ID is not entered by the user, I have client-side validation using JavaScript to display an error message which reads, "Please enter valid email id". The code is like:

function validateEmailId(emailId) {
    var error = "";
    if (!emailId) {   // Email ID not entered by the user
        error = "Please enter valid email id";
        // Submit this error message to the form
    }
    return error;
}

This way of handling the check is vulnerable to hazardous character injection. For example, one changed "Please enter valid email id" to "%22@27%3ECIMG+SRC%3D.html%22%3E".

The solution for this was given as:

"If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated."

I am looking for an explanation of the above solution. Also, how can one apply the above solution in my case regarding the client-side check of the email id?

Vikas V
  • Maybe it's just me, but I have no clue what you're asking. – Adi Aug 09 '13 at 09:41
  • @Svetlana I am looking for an explanation for, "If available, use structured mechanisms that automatically enforce the separation ......" which I have mentioned in my question.. – Vikas V Aug 09 '13 at 09:47
  • Possible source of the quote: http://cwe.mitre.org/data/definitions/116.html (@Svetlana) – Perseids Aug 09 '13 at 09:58
  • 1
    Can you please explain why you believe your code is vulnerable to an injection attack? As far as I see there is no user data injected anywhere. – Perseids Aug 09 '13 at 10:03
  • I think your doubt should be explained better. What is the problem with that sentence? – kinunt Aug 09 '13 at 10:04
  • @VikasV Nope, still a bad question. You're not explaining your issue correctly. What are you afraid of? You're talking about someone changing "Please enter valid email id" to some other string; how will they do that? And I'm not the only one having a hard time deciphering your question. – Adi Aug 09 '13 at 10:09
  • @Perseids +1 for your comment. I think you're the only one here who understood the true problem of this question. – Adi Aug 09 '13 at 10:29
  • I am not sure how my code is vulnerable to an injection attack. There was a penetration test of my website by a security tool which reported this. And the solution given was, "If available, use structured mechanisms that automatically enforce the separation...." I am not able to understand what that means. I am looking for an explanation of that statement.. – Vikas V Aug 09 '13 at 10:49

2 Answers

2

First of all, you should never rely on client-side code for any sort of validation whatsoever. It is laughably trivial to bypass any validation on the client-side.

Instead, you should always sanitize and escape any inputs on the server side. Sure, you can perform client-side validation to ensure a good user experience, but always validate on your server as well.

I presume that the email address will be written to a database somewhere. In that case, use parameterized queries instead of dynamic SQL. That will protect you from SQL injection attacks. You should escape the data when outputting it to prevent XSS attacks. The XSS and SQL injection prevention cheat sheets from OWASP are helpful references here.

Adi
  • can you kindly edit your answer and provide explanation for "If available, use structured mechanisms that automatically enforce the separation ......." which I have mentioned in my question.. – Vikas V Aug 09 '13 at 09:48
  • 1
    @VikasV Parameterized queries **IS** enforcing the separation of code from data. I suggest you read the links in my answer. –  Aug 09 '13 at 09:49
  • -1 Although the question itself is badly written and doesn't describe the problem well enough, your answer has nothing to do with the question. Also, that's not what separation of code from data means. – Adi Aug 09 '13 at 09:53
1

Parameterized queries or prepared statements are an example of "mechanisms that automatically enforce the separation between data and code".

The problem when there is no separation between data and code is that data introduced by a user can be injected into code and can manipulate the application in ways not thought of by the programmer.

For other mechanisms that "provide the relevant quoting, encoding and validation automatically", you can search for information about OWASP ESAPI or the Java Spring Security Framework.

The recommendation of not "relying on the developer to provide this capability at every point where output is generated" is because if you rely on a human, you will probably have errors. If you use a centralized API that makes it impossible for programmers to miss an input validation, you will be safer.

kinunt
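Both answers name parameterized queries (and the first one output escaping) as the "structured mechanisms" the scanner's advice refers to. The following is an added example, not code from either answer: it stores the submitted email with string-built SQL and with a placeholder, then escapes the value for HTML output, using only Python's standard-library sqlite3 and html modules. The table name and the sample email values are constructed for the demonstration.

```python
import html
import sqlite3


def new_db():
    """Constructed in-memory database with a single users(email) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL)")
    return conn


def store_email_dynamic_sql(conn, email):
    """Dynamic SQL: the value is pasted into the statement text, so a quote
    inside legitimate data (o'brien) is parsed as SQL syntax, not as data."""
    conn.execute("INSERT INTO users (email) VALUES ('" + email + "')")


def store_email_parameterized(conn, email):
    """Parameterized query: the '?' placeholder is the structural boundary;
    the driver passes the value separately and never re-parses it as SQL."""
    conn.execute("INSERT INTO users (email) VALUES (?)", (email,))


def try_dynamic(conn, email):
    """True if the string-built INSERT ran, False if the data broke the SQL."""
    try:
        store_email_dynamic_sql(conn, email)
        return True
    except sqlite3.OperationalError:
        return False


def stored_emails(conn):
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY rowid")]


def render_email(email):
    """Output encoding: < > & " ' become entities, so markup in the stored
    value is displayed as text instead of being interpreted by the browser."""
    return "<span>" + html.escape(email, quote=True) + "</span>"


def demo():
    conn = new_db()
    plain_ok = try_dynamic(conn, "alice@example.com")      # True
    quoted_ok = try_dynamic(conn, "o'brien@example.com")   # False: syntax error
    store_email_parameterized(conn, "o'brien@example.com")  # stored intact
    return plain_ok, quoted_ok, stored_emails(conn), render_email("<b>bold</b>@example.com")


if __name__ == "__main__":
    print(demo())
```

The same apostrophe that makes the dynamic statement fail is exactly what an attacker would use to change its meaning; the placeholder removes that class of bug for every call site at once, which is what "not relying on the developer at every point" means.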