{"id":319,"date":"2018-12-04T13:25:11","date_gmt":"2018-12-04T13:25:11","guid":{"rendered":"https:\/\/int64software.com\/blog\/?p=319"},"modified":"2019-01-03T09:48:33","modified_gmt":"2019-01-03T09:48:33","slug":"hardening-website-security-part-4-safely-handling-user-input","status":"publish","type":"post","link":"https:\/\/int64software.com\/blog\/2018\/12\/04\/hardening-website-security-part-4-safely-handling-user-input\/","title":{"rendered":"Hardening Website Security \u2013 Part 4: Safely Handling User Input"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">It feels like almost every week there\u2019s another news item about personal information being stolen because yet another company\u2019s website got hacked.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Most of these attacks are perpetrated through social engineering, persuading somebody to hand over some detail which allows the hacker to gain additional privileges and, eventually, access to personal information. However, a lot are still carried out due to poor security or misconfigured websites.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is the second in a series of articles which will aim to demystify some of the concepts you must get your head around if you hope to run a secure website in the 21st century.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Contents<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The series will consist of the following topics:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. 
<a rel=\"noreferrer noopener\" href=\"https:\/\/int64software.com\/blog\/2018\/11\/05\/hardening-website-security-part-1-http-security-headers\/\" target=\"_blank\">HTTP Security Headers<\/a><br>&nbsp; &nbsp; 1a. <a rel=\"noreferrer noopener\" href=\"https:\/\/int64software.com\/blog\/2018\/11\/10\/hardening-website-security-part-1a-hsts-preloading\/\" target=\"_blank\">HSTS Preloading<\/a><br>2. <a rel=\"noreferrer noopener\" href=\"https:\/\/int64software.com\/blog\/2018\/11\/13\/hardening-website-security-part-2-user-session-cookie-security\/\" target=\"_blank\">User Session Security<\/a><br>3. 
<a rel=\"noreferrer noopener\" href=\"https:\/\/int64software.com\/blog\/2018\/11\/21\/hardening-website-security-part-3-website-database-security\/\" target=\"_blank\">Database Security<\/a><br>4. Safely Handling User Input<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Topics Not Covered<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">I have opted not to cover server infrastructure security concerns at this time due to the huge number of possible configurations (hosting packages or VPS, operating systems, dashboard systems, firewalls, etc.). While I may cover some of these specifically in future articles, there\u2019s too much nuance in these subjects to be able to do them justice here.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disclaimer<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Everything presented in this article is the result of years of experience, or trial and (frequent) error. Messing around with the code and\/or settings on a live site can (and likely will) lead to unexpected, possibly disastrous results. The information presented here is correct to the best of the author\u2019s knowledge, but in matters of security we strictly advise the reader to make sure they carry out additional research and understand the dangers before making any changes to their own systems or web sites. Any code presented here is provided as an example only, and may be incomplete or contain errors. Readers should be careful when copying and pasting code from any website, this site included. 
Int64 Software Ltd, its employees and its representatives accept no liability for damage caused by the misuse, either intentional or unintentional, of the information presented in its posts and articles.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Section Overview<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In the final part of this series, we\u2019re going to look at the proper way to handle raw user input from your website, and what can go wrong if it isn\u2019t properly sanitized before storing or using the data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Potential Attacks<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Cross-Site Scripting (XSS)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As covered in previous parts of this series, XSS attacks are used by hackers to inject malicious code into the client side of your website. Successfully deploying an XSS attack can lead to data theft, session hijacking, or malware distribution, so it is critically important that it is prevented.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Example of an XSS attack<\/h4>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"484\" src=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2018\/12\/non-xss-anim.gif\" alt=\"Example of normal user input on a comment form\" class=\"wp-image-320\"\/><figcaption>Example of normal user input on a comment form<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Here we have a simple web form. 
When a user enters their name and a comment, it is added to the comments list below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"478\" src=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2018\/12\/xss-anim.gif\" alt=\"Example of an XSS attack using a comment form\" class=\"wp-image-321\"\/><figcaption>Example of an XSS attack using a comment form<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">An attacker may attempt to enter a script into one of these fields, and if you aren\u2019t properly handling user input you will be vulnerable to attack.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SQL Injection<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">More concisely covered in the <a rel=\"noreferrer noopener\" href=\"https:\/\/int64software.com\/blog\/2018\/11\/21\/hardening-website-security-part-3-website-database-security\/\" target=\"_blank\">Database Security<\/a> part of this series, an SQL Injection attack may allow an attacker to directly manipulate your database through improperly handled user input.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Rules for Handling User Input in Order to Mitigate Threats<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 1: Define an expected data type and enforce it (syntactic)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">When designing your forms, think about each input and what type of data you\u2019re expecting to receive. So if you\u2019re asking for a Date of Birth, then make sure that the information received can be parsed to a date correctly; if you\u2019re asking for someone\u2019s age, then make sure it can be parsed to a valid integer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Failure to fully plan for this rule can lead you to ignore the validation of a particular field because, for example, it\u2019s a slider which will only ever send numbers, so why worry, right? 
Wrong: just because you\u2019ve made the form element into a slider doesn\u2019t mean an attacker can\u2019t submit any data they choose; the server must validate the value regardless.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 2: Remove unexpected code from the input<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Use an established method or library to sanitize potential attack vectors from the input data.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 3: Encode expected code<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">If you are expecting code in the input, then encode it so that it displays safely without running. For example, you may use an HTML encoding library so that all \u201c&lt;\u201d and \u201c&gt;\u201d characters are rendered into their safe HTML equivalents \u201c&amp;lt;\u201d and \u201c&amp;gt;\u201d. This will mean that, while they still display as the intended character, they won\u2019t cause blocks such as script blocks to open and close.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 4: Define limits and enforce them (semantics)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Ensure that you set appropriate limits for the user input data. This may be specifying a maximum file size if using a file upload feature, a maximum string length if receiving text, or a minimum and maximum number if receiving integers.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 5: Beware of directory navigation attempts<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re receiving input which may be interpreted as a file or directory on the server, it is critically important that you make sure to limit where that path can go. 
Watch out for directory traversal sequences (\u201c..\/\u201d or \u201c.\/\u201d) as they may be used to deploy scripts or make changes to critical files on your web server.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 6: When processing arrays, apply all the other rules for each element<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, if you receive data from multiple inputs of the same name (checkboxes for example), make sure to apply these rules to every element in the array.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This wraps up our series on Hardening Website Security for now. If you\u2019ve found it useful, we\u2019d appreciate you sharing it with your friends and colleagues and following us on Twitter (<a href=\"https:\/\/twitter.com\/Int64Software\" target=\"_blank\" rel=\"noreferrer noopener\">@Int64Software<\/a>) for notifications about future articles.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the final part of this series, we\u2019re going to look at the proper way to handle raw user input from your website, and what can go wrong if it isn\u2019t properly sanitized before storing or using the data.<\/p>\n","protected":false},"author":1,"featured_media":323,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[13,14,50,7],"tags":[79,9,76,80,68,81],"class_list":["post-319","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-int64-software","category-security","category-tutorial","tag-hacking","tag-security","tag-sql-injection","tag-user-input","tag-webdev","tag-xss"],"_links":{"self":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/comments?post=319"}],"version-history":[{"count":8,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/319\/revisions"}],"predecessor-version":[{"id":438,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/319\/revisions\/438"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/media\/323"}],"wp:attachment":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/media?parent=319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/categories?post=319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/tags?post=319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}