Input Validation vs. Output Validation (was: ISA Server and SQL Injection)

["Jeff Williams" <jeff.williams () aspectsecurity com>]

Postel's Law says "TCP implementations will follow a general principle of 
robustness: be conservative in what you do, be liberal in what you accept 
from others."  -- Jon Postel, RFC 793, Sept. 1981 (much respect).

This "sender validates" philosophy is great for interoperability but crazy 
for security. I think applications need to be very careful about what they 
are willing to accept from others (and careful about what they produce). 
Especially where the input is supposed to be coming from another 
application.  If your application receives input that could not possibly 
have been generated by a legit user, why not just reject it?

I think of validation and encoding as two separate things. And each can be 
appropriate for both input and output.

INPUT: I like to see applications that validate (meaning compare against a 
pretty tight specification of what ought to be allowed) everything as soon 
as possible after it is received. This prevents the spread of the taint. Of 
course you have to canonicalize before validation. I also think HTML entity 
encoding input is reasonable when you have to allow certain characters in 
the input.  So changing ' to ' might work for your application.  It will 
certainly help stop injection attacks as entity encoding is inert in all 
interpreters that I known of.

OUTPUT: Validating output means checking to see that the output you're about 
to send matches what you expected to send. This is certainly not widely 
practiced, but can be very effective at preventing your application from 
relaying attacks to other applications.  Some of the application firewalls 
are intercepting credit-card numbers and social-security numbers and ***'ing 
them out.  That's interesting and good.  More often, applications do output 
encoding, to make sure that output doesn't contain potentially dangerous 
characters. This can disable attacks on interpreters that end up with data 
from your application.

I really don't think one technique is better than another. They do different 
things and should be used in combination.

--Jeff

----- Original Message ----- 
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
To: "Jan P. Monsch" <jan.monsch () csnc ch>
Cc: <webappsec () securityfocus com>
Sent: Wednesday, March 02, 2005 11:29 AM
Subject: RE: ISA Server and SQL Injection


re: point #2, that's an interesting perspective.

Input validation and cannonicalization has primacy to my mind
as many attacks are *done* once input is processed, regardless
of output encoding/error handling.

Additionally, input validation can stop embedded and secondary
application attacks that the primary application can't control
(e.g.--application taking input is the data broker for other applications
that will handle/parse/output the data, from CRM systems to
administrative applications to log readers).

Ideally those all have proper encoding of their output as well,
but in reality they often don't.

Using inject script tags (XSS, etc.) as your example, while output
encoding is an effective defense in certain cases, one problem is
that you don't always know or control where your output is going.

<OT>
I see this as more and more of a problem in today's modern, complex,
distributed computing environments. We plug more and more apps
together to the point where in some cases pen testing "app X" is as
silly as pen testing "node 1" on a interconnected network, as appX,
appY, and appZ are so tied together they really need to be tested
and treated as one entity, even though they all have a unique UI.
</OT>

-ae

> -----Original Message-----
> From: Jan P. Monsch [mailto:jan.monsch () csnc ch]
> Sent: Tuesday, March 01, 2005 3:37 PM
> Cc: webappsec () securityfocus com
> Subject: Re: ISA Server and SQL Injection
>
>
> Hi there!
>
> I have lots of discussions with customers regarding the issue of
> perimeter application filters. May conclusion regarding the
> issue is as
> follows:
>
> 1. Validation in the application itself is the best and most efficient
> way of handling code injection problems. Because the application knows
> about its domain but the gateway filter not. In addition the
> application
> can provide appropriate error messages for incorrect input.
>
> 2. Output validation is much better then Input validation,
> because most
> problems are related to incorrectly encoding input parameters into
> output. In addition proper output encoding allows to use critical
> characters like < > within the application. This is especially
> important
> in back-office applications.
>
> 3. Output validation should be handled in a security
> framework, built by
> a security expert. It must be implemented such that the business
> developer has not to worry about encoding stuff. (I know this
> is a ideal
> world szenario)
>
> 4. In may opinion validation on the gateway does only make sense if it
> used in a transitional way until input/output validation in the
> application has been implemented or it is used as a part of intrusion
> detection.
>
> Regars Jan