Application Security: What is server side input validation? Why is it needed anyway?
TL;DR: Don’t rely on client-side input validation. Data sent from the client side can be manipulated in many ways, defeating any validation checks. The same input validation must be performed on the server side!
Most of the time, when a development team receives a penetration testing report, they keep seeing phrases such as the following:
- ... Stored XSS ...
- ... Cross Site Scripting (XSS) ...
- ... perform server side input validation ...
- ... weak input validation ...
Normally, by the time the report reaches the development team, the timeline is already too tight and the roll-out deadline is imminent. Frustration ensues on receipt of a pentest report with lots of issues, and rephrased versions of the frustrated development team’s responses tend to be:
“I have developed a functionally correct application according to the application requirements, but why does the penetration testing report keep coming back with a lot of issues?”
“There is input validation in place! How can this happen? Can you show me how you performed the testing?”
A rephrased version of the project manager’s response tends to be:
“I saw similar issues in previous phases. Why is the same issue happening again?”
Thus, the main focus of this article is to make developers aware of the basic security testing approach, so as to demystify the “hacking” of an application in a typical penetration test. Let’s go through it with a sample application.
A simple form submission application:
The following is a very simple form submission application:
- the user needs to enter a username and an identification number
- after successful client-side validation, the form is submitted and the server returns a welcome page containing the username and identification number values supplied by the user, without performing any server-side validation.
So, input validation has been performed according to the business need, and the functionality is correct. There should be no security issue, right? Unfortunately, the answer is that there are security issues with this application: the server trusts whatever the client sends, and the browser-side checks can be bypassed by anyone who rewrites the request before it reaches the server.
The data transmission flow
Looking under the hood
But the people are insane!
Sample Fix: Performing Server Side Input Validation!
Now, let’s apply the same input validation rules on the server side!
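To make both halves of the article concrete (the trusting welcome page described above, and the server-side fix), here is an added Python example that is not the sample application from the article’s GitHub page. It models the request handler as a plain function over the submitted form fields. The validation rules (username of 3 to 20 letters, digits or underscores; identification number of exactly 8 digits) are assumptions standing in for whatever the client-side JavaScript enforces, and the two form bodies are constructed: one is what the browser sends after its own checks pass, the other is a body that has been altered after the client-side checks ran.

```python
import html
import re
from dataclasses import dataclass

# Assumed validation rules (not taken from the article): they stand in for the
# rules the client-side JavaScript applies. The point is that the server
# re-applies exactly the same rules instead of trusting the browser.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
ID_NUMBER_RE = re.compile(r"^[0-9]{8}$")


@dataclass
class Response:
    status: int
    body: str


def render_welcome_vulnerable(form: dict) -> Response:
    """Server handler that trusts the browser: whatever arrives in the request
    body is echoed straight back into the HTML page. Client-side validation is
    irrelevant here, because the request body can be rewritten after the
    browser's JavaScript has run."""
    username = form.get("username", "")
    id_number = form.get("id_number", "")
    return Response(200, f"<h1>Welcome {username}</h1><p>ID: {id_number}</p>")


def validate_form(form: dict) -> list[str]:
    """Re-apply the client-side rules on the server. Returns a list of error
    messages; an empty list means every field passed."""
    errors = []
    if not USERNAME_RE.fullmatch(form.get("username", "")):
        errors.append("username must be 3-20 letters, digits or underscores")
    if not ID_NUMBER_RE.fullmatch(form.get("id_number", "")):
        errors.append("identification number must be exactly 8 digits")
    return errors


def render_welcome_secure(form: dict) -> Response:
    """Server handler with server-side validation. Invalid submissions are
    rejected without echoing the offending values back; valid values are still
    HTML-escaped at the output point as defence in depth."""
    errors = validate_form(form)
    if errors:
        return Response(400, "<p>Invalid input: " + "; ".join(errors) + "</p>")
    username = html.escape(form["username"])
    id_number = html.escape(form["id_number"])
    return Response(200, f"<h1>Welcome {username}</h1><p>ID: {id_number}</p>")


# Constructed sample request bodies. GOOD_FORM is what the browser form sends
# once its own checks pass. TAMPERED_FORM is a body that has been altered after
# the client-side JavaScript ran, so it contains values the browser would have
# refused to submit.
GOOD_FORM = {"username": "alice_01", "id_number": "12345678"}
TAMPERED_FORM = {"username": "<b>not a name</b>", "id_number": "12ab"}

if __name__ == "__main__":
    for name, form in (("good", GOOD_FORM), ("tampered", TAMPERED_FORM)):
        v = render_welcome_vulnerable(form)
        s = render_welcome_secure(form)
        print(f"{name}: vulnerable handler -> {v.status} {v.body}")
        print(f"{name}: secure handler     -> {s.status} {s.body}")
```

Running the script shows the difference the pentest report is pointing at: the vulnerable handler returns 200 and places the tampered markup inside the page, while the secure handler returns 400 with a generic error for the same body, and only ever reflects values that passed the server-side rules and were escaped on output.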
Code Securely and stay safe! It’s an insane world out there :D
Check the GitHub page here for the sample application code.