Questions tagged [data-validation]
41 questions
39 votes, 7 answers
Is it a security vulnerability to tell a user what input characters are valid/invalid?
For input validation on a website, are there any security concerns with disclosing to the user exactly what characters are valid or invalid for a given field?
CWE-200: Information Exposure says one should try not to disclose information "that could…
csrowell
- 487
- 1
- 4
- 7
33 votes, 5 answers
Safe email validation
I have been using this RFC822-compliant regular expression for email validation. Pen testers on HackerOne have used the following horrendous email addresses which satisfy the…
Randomblue
- 1,685
- 3
- 15
- 17
32 votes, 4 answers
Which is the best way to sanitize user input in PHP?
These are things I do when users submit data:
substr if extra characters found.
htmlspecialchars() + ENT_QUOTES + UTF-8
str_replace '<' '>' in user input
What more things need to be done?
user2615947
- 421
- 1
- 5
- 4
24 votes, 5 answers
Is HTML5 input pattern validation sufficient (or even relevant) for client-side validation?
An interesting feature of HTML5 is the attribute, which allows the browser to validate the input field's value against a regular expression provided by the developer.
Subsequently, this binds to the field's ValidityState which…
msanford
- 819
- 1
- 9
- 26
11 votes, 2 answers
Can a CSV contain malicious code?
I am working with a system that allows users to upload CSV files, that are downloaded by other users.
The system validates (amongst other things) that all CSV files can be parsed by an RFC 4180 compliant parser, and are valid UTF-8. It ensures that…
James_pic
- 2,520
- 2
- 17
- 22
9 votes, 1 answer
Feasibility and scalability of a large biometric system (e.g. Aadhaar)
Over the last five years, India has systematically advanced a biometric identification scheme, which now has an enrollment of over 800 million users. To ensure the accuracy of matching for such a large population, the Biometrics Standards Committee…
Jedi
- 3,906
- 2
- 24
- 42
8 votes, 6 answers
How to validate user input
I am having a lot of trouble understanding where I as a developer can validate the data that my users send to me. Let's say for a simple example I have a web page where it has a simple form that contains three fields:
Name -> text field
email ->…
jacksonecac
- 183
- 1
- 5
6 votes, 2 answers
Is breaking out of a Java binary serialized string possible?
During an assessment of an android application I discovered a file which contained serialized data from a standard call to ObjectOutputStream.writeObject(). A string serialized in the data is potentially under attacker control. I wonder if it is…
Orphid
- 208
- 1
- 6
6 votes, 2 answers
Does git commit hash prove the history until that point?
I have some data and want to prove its integrity over time, i.e. prove that a certain state of the data was present at a certain date.
For this reason I commit the data to a git repository I keep by myself (and at bitbucket).
Now I plan to hand…
Alex
- 1,207
- 1
- 10
- 9
5 votes, 3 answers
Input validation: how to do it if I must accept HTML as part of my input?
I'm writing a service which receives FHIR data and it stores it. FHIR is an HL7 healthcare information standard format which contains HTML by definition, embedded into a JSON or XML, (to ensure human-readability of the document)
How should I perform…
Gabor Herman
- 71
- 1
- 4
3 votes, 1 answer
Verify that data submitted by user was produced by my app
I'm designing an app (for PC), that is intended to run on users' machines and generate a file with some data. The user will then upload the file to the server, and I want to verify that this file has been produced by my app and hasn't been modified.…
Peter Trifanov
- 31
- 1
3 votes, 2 answers
The proper way to validate user inputs
I am currently building a multiplayer application game on Android, and the server-side logic is deployed using Cloud Functions, which is a server-less environment. The application logic is as follows: two users are given a question (i.e. the same…
Apper
- 131
- 1
3 votes, 2 answers
What is at risk if I do not validate Confirm Password on server side and only perform this validation on client side?
While changing the password in my application, I am performing only JS validation for the password and confirm password field values. It is recommended to have server-side validations. But confirm password serves the purpose of letting the user be doubly sure about the…
Sum
- 93
- 1
- 7
3 votes, 1 answer
Uncontrolled Format String Vulnerability in JavaScript
I have been working on input validation vulnerabilities and am very new to Uncontrolled Format String Vulnerabilities; as far as I have learned, they are usually exploited through printf functions with "%".
I also saw that JavaScript (Node.JS) supports format…
Ekin
- 163
- 1
- 5
2 votes, 0 answers
What are the main PII data brokers? (How do certain online companies get accurate age verification?)
A long time ago, I signed up for Apple Pay Cash. After a bit of using the service, I was asked to input my name and birthdate to continue using the service. At the time, I was underage. I input inaccurate information signifying I was 18+ to continue…
Mave
- 21
- 2