Which programming error do you feel has the largest impact on potential security breaches and why? How can you ensure the error is prevented during the programming cycle?
A few years ago, I would've said that buffer overflows were the biggest security concern for software developers. Now, in this post-pandemic era we're living in, the threats that I believe programmers should be most concerned about relate to web applications, specifically cross-site scripting (XSS) and improper input validation (SQL injection). For this article, I will focus on improper input validation, as XSS is a bit more complex and there are other factors that contribute to the exploitation of this vulnerability. You may find out more about XSS at the Common Weakness Enumeration (CWE) database.
Buffer overflows are still a security concern for most program developers. However, due to advances in CPU and memory chip technology that provide buffer overflow mitigation techniques (mitigation, not elimination), such as address space layout randomization (ASLR), it wouldn't be fair to label buffer overflow vulnerabilities as strictly a programmer error, especially when this vulnerability is dependent on the target hardware; unlike improper input validation vulnerabilities, which start and end with the programmer (Stewart, 2016).
Improper input validation refers to an application that receives inputs, such as data, but doesn't validate the properties of the input to ensure that, when processed, the application behaves as intended (CWE, 2020). For example, SQL injection is a form of improper input validation.
What's most concerning about this type of vulnerability is that it can be used to craft attacks that could compromise not just an application but entire systems as well. Another concerning factor about this vulnerability is that it doesn't just apply to raw input data: improper input validation can also apply to the metadata of the raw data!
When a system's resources are compromised, the loss of confidentiality, integrity, and availability of those resources gives attackers an opportunity to conduct malicious activity such as altering the flow of control within a system, gaining access to and control of resources, or executing arbitrary code that can damage systems or cause physical harm to others.
There are a number of techniques that programmers can implement in order to mitigate the risk associated with improper input validation. One technique is to implement input validation so that only acceptable inputs that fall within a set of given parameters are accepted for processing, while all others are rejected. However, this mitigation strategy is not a guarantee that this vulnerability cannot be exploited. When a code's environment changes, it could provide a window of opportunity for an attacker to bypass input validation (CWE, 2021).
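As an added example (not part of the original post), the following Python snippet shows the SQL injection case described above: a lookup that concatenates user input into the query text, beside a hardened version that combines allow-list input validation with a bound parameter, so that a validation bypass alone does not turn the input into SQL syntax. The table, rows, and username rule are constructed for the demonstration.

```python
import re
import sqlite3


def build_db():
    # Constructed in-memory sample database (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, username):
    # Improper input validation: the input is pasted straight into the SQL text,
    # so quote characters in it are interpreted as query syntax rather than data.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Allow-list rule (assumed for this example): lowercase letters, digits and
# underscores, 1 to 32 characters, starting with a letter.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_valid_username(value):
    # Accept only inputs that match the expected shape; reject everything else.
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_hardened(conn, username):
    # Defence in depth: validation rejects unexpected input up front, and the
    # bound parameter ensures the database never treats the value as SQL syntax,
    # even if the validation rule is later loosened or bypassed.
    if not is_valid_username(username):
        raise ValueError("rejected input: does not match the username allow-list")
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```

Running `lookup_vulnerable` with the input `x' OR '1'='1` returns every row in the table, while `lookup_hardened` rejects it before any query is executed.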
CWE. (2021, March 15). CWE-20: Improper Input Validation. Retrieved from https://cwe.mitre.org/data/definitions/20.html
Stewart, D. (2016, October 26). What is ASLR, and how does it keep your computer secure? Retrieved from https://www.howtogeek.com/278056/what-is-aslr-and-how-does-it-keep-your-computer-secure/#:~:text=Address%20Space%20Layout%20Randomization%20%28ASLR%29%20is%20primarily%20used,will%20overwrite%20data%20the%20program%20intends%20to%20access.