Validation (in contrast with verification) is assurance that a product, service, or system meets the needs of the stakeholders. It could contain the acceptance phase.
Questions tagged [validation]
122 questions
241 votes, 12 answers
Is single quote filtering nonsense?
Penetration testers found out that we allow single quotes in submitted data fields, and want us to apply rules (input validation) to not allow them in any value.
While I'm aware that single quotes are popular for SQL injection attacks, I strongly…
Peter Walser
- 1,781
- 2
- 11
- 9
120 votes, 11 answers
Hacker used picture upload to get PHP code into my site
I'm working on a website — right now it's in early stages of testing, not yet launched and just has test data - thank goodness.
First of all, a hacker figured out the password to log onto the website's 'administration' pages*. I think they used a key…
Williamz902
- 1,285
- 2
- 8
- 6
32 votes, 2 answers
How does subresource integrity actually help?
Subresource integrity basically lets me know that a resource I'm about to download is valid, because the hash of its contents matches what I expect.
But this assumes that I'm already running on some trusted and verified code. If a hacker has…
David says Reinstate Monica
- 1,108
- 1
- 15
- 20
28 votes, 6 answers
Filter user input before the database or upon display?
Given a web application where user data must be properly escaped to avoid XSS, is it better to try to remove the "bad stuff" before it enters the database, or is it best to allow it in the database but be careful about escaping output when it is…
bstpierre
- 4,868
- 1
- 21
- 34
22 votes, 5 answers
Input Sanitization vs Output Sanitization
In the bits that I've searched about this, I've seen a few people declare as word-of-god that you should only sanitize outputs and not inputs. Why? Would it not be safer to cover both ends?
Todd Schwine
- 349
- 1
- 2
- 5
21 votes, 5 answers
Why are certificates limited in time?
If a certificate has a limited duration of, say 5 years, but it gets somehow compromised after 2 years, waiting the 3 remaining years for it to get invalid is not a real solution to the breach problem. (3 years is eternity in IT, I guess)
Also, if…
Philipp
- 353
- 1
- 3
- 6
19 votes, 2 answers
Should you let users know if an email has been taken during registration validation?
In many web applications, email is required to be a unique field, and users aren't allowed to register an account if their email already exists in the database.
When performing validation on the registration form, you would presumably check if an…
Matt Dalzell
- 293
- 2
- 6
16 votes, 1 answer
What's the difference between escaping, filtering, validating and sanitizing?
An application needs to handle input and output of untrusted data carefully. As the case may be, values have to be escaped, filtered, validated or sanitized. There often seems to be a sloppy and interchangeable use of these terms although they are…
Arminius
- 43,922
- 13
- 140
- 136
14 votes, 2 answers
Validating an SSL certificate chain according to RFC 5280: Am I understanding this correctly?
We're in the process of replacing certificates with SHA1 hash due to Google's move to let them appear less secure in Chrome. The replacement certificates use a different intermediate CA than the ones we're currently using, but the same root CA.…
luxifer
- 143
- 1
- 1
- 6
14 votes, 3 answers
Why bother validating the hostname for a Google Recaptcha response?
Google's Recaptcha has hostname validation "baked-in". When a user submits a Recaptcha response, the domain from which the response was acquired is validated against the whitelist of domains you provided when you set up the Recaptcha.
However, if…
AJB
- 316
- 2
- 12
12 votes, 5 answers
Should a website limit characters that can be entered in its fields?
I got into a (somewhat heated) discussion with my colleague today about what characters our application should accept. This was prompted by the discovery that you can enter anything in the search box and the application will dutifully perform a…
Vilx-
- 998
- 2
- 7
- 15
12 votes, 2 answers
When does iOS check validity of enterprise certificates?
Here is an article that should give a little more context (and see my comment on it, same username, for additional info).
iOS developers are able to distribute apps outside of the App Store using an Enterprise provisioning profile. This allows apps…
n00neimp0rtant
- 223
- 2
- 6
12 votes, 3 answers
Should IP addresses be validated to prevent SQL Injection?
In PHP I retrieve a user's IP address ($_SERVER['REMOTE_ADDR']) to use it in some MySQL queries, but I do not validate them to be true IP addresses.
Should I validate user IP addresses before using them in MySQL queries, or will they always be valid…
Hope4You
- 333
- 3
- 10
11 votes, 3 answers
White list or black list sanitation for international input?
There seem to be so many ways to create nefarious input that white-listing what input is good usually feels like the safer, simpler option.
For instance, one can fairly easily craft a white list regex that includes good things [a-zA-Z0-9], but…
jaketrent
- 213
- 2
- 6
9 votes, 1 answer
E-voting: receipt-free, verifiable, and anonymous
Background
In response to a system design concept, a question was posed:
How do you achieve electronic voting, anonymity, and verifiability at the same time?
I was informed that most experts in the field believe it to be practically impossible…
Dave Jarvis
- 269
- 1
- 11