How clean is your data?

Hand holding disinfectant and spraying it

You might have heard the term “data sanitisation” applied to devices. We need to permanently remove data on portable storage devices and hard drives before we get rid of them.

But today I want to talk about a different form of data sanitization: input sanitisation.

The question you need to answer is this:
How clean is the data that you are saving in your application?

Why sanitise?

Three of the most common website attacks share a common cause: a lack of input sanitisation. These risks are:

  • SQL injection
  • Cross-site scripting (XSS)
  • Remote file inclusion (RFI)

Input sanitisation is about making sure that user input does not contain malicious instructions.

Data input

Let’s take a quick look at the various ways that data is input into your web application:

  • Authorisation: when the user logs in with a user name and password.
  • Form data: when the user enters data on your web form in textboxes and text areas.
  • 3rd party applications: when you use functionality like a web service to get information.
  • Search queries: when the user types in keywords in a search box on your site.

Authorisation

You already know that proper authorisation is important. You have to check that the user has a valid name and password. In a previous email I wrote about the importance of how you store passwords. And I’ve also written about the importance of controlling user access.

Form data

Any data entered via forms must be checked before you write it to your database system. It is standard practice to conduct basic validation. Usually we first check the data on the client with JavaScript, and then again on the server. But what are you checking?

Most of the time we check data to make sure it matches the business rules for our application. Yes, the data appears to be a valid email address. Yes, the number falls within the required range.

But what about free-form text fields, like comments? Could they contain dangerous data? The answer is yes. Malicious users can use comment fields to sneak in JavaScript or SQL statements.

3rd party services

We often use 3rd-party applications and services for extra functionality. While web services have many advantages, they are also a security risk. You run a risk that an attacker can introduce malicious code into the web service message.

Search queries

It’s also important to sanitise what users type in the search input. This is a place where a malicious user can enter HTML or code that can expose you to exposes an XSS attack.

Here are some resources for further reading:

Leave a Comment

Your email address will not be published. Required fields are marked *