You might have heard the term “data sanitisation” applied to devices. We need to permanently remove data on portable storage devices and hard drives before we get rid of them.
But today I want to talk about a different form of data sanitization: input sanitisation.
The question you need to answer is this:
How clean is the data that you are saving in your application?
Three of the most common website attacks share a common cause: a lack of input sanitisation. These risks are:
- SQL injection
- Cross-site scripting (XSS)
- Remote file inclusion (RFI)
Input sanitisation is about making sure that user input does not contain malicious instructions.
Let’s take a quick look at the various ways that data is input into your web application:
- Authorisation: when the user logs in with a user name and password.
- Form data: when the user enters data on your web form in textboxes and text areas.
- 3rd party applications: when you use functionality like a web service to get information.
- Search queries: when the user types in keywords in a search box on your site.
You already know that proper authorisation is important. You have to check that the user has a valid name and password. In a previous email I wrote about the importance of how you store passwords. And I’ve also written about the importance of controlling user access.
Most of the time we check data to make sure it matches the business rules for our application. Yes, the data appears to be a valid email address. Yes, the number falls within the required range.
3rd party services
We often use 3rd-party applications and services for extra functionality. While web services have many advantages, they are also a security risk. You run a risk that an attacker can introduce malicious code into the web service message.
It’s also important to sanitise what users type in the search input. This is a place where a malicious user can enter HTML or code that can expose you to an XSS attack.
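Here is a worked example of the two layers discussed above (checking form and search input against business rules, then binding it safely into a query and escaping it before echoing it back). It is an added illustration, not code from the original email: it assumes a small SQLite product table built in memory for the demo, and the table, column names and the search-term rule are constructed for this example.

```python
import html
import re
import sqlite3

# Constructed sample data: an in-memory product table standing in for the
# application's real database (an assumption made for this example).
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("red widget", 1), ("blue widget", 1), ("secret prototype", 0)],
    )
    return conn

# Business-rule validation: a search term is 1-50 letters, digits, spaces or
# hyphens. Underscore and percent are deliberately excluded because they are
# LIKE wildcards. Input that fails the rule is rejected, not "cleaned up".
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 \-]{1,50}$")

def validate_search_term(term: str) -> bool:
    return SEARCH_TERM_RE.fullmatch(term) is not None

def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable form: the term is spliced into the SQL text, so a quote
    character in the input changes the structure of the query."""
    sql = f"SELECT name FROM products WHERE public = 1 AND name LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: the term is bound as a parameter, so the database only
    ever treats it as data and the public = 1 filter cannot be bypassed."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

def render_results_page(term: str, names: list) -> str:
    """Escape the user's term (and the stored names) before echoing them
    into HTML, so markup in the input is shown as text, not executed."""
    safe_term = html.escape(term)
    items = "".join(f"<li>{html.escape(n)}</li>" for n in names)
    return f"<p>Results for: {safe_term}</p><ul>{items}</ul>"

def handle_search(conn: sqlite3.Connection, term: str) -> str:
    """Validate first, then query with parameters, then escape on output."""
    if not validate_search_term(term):
        return "<p>Invalid search term.</p>"
    return render_results_page(term, search_safe(conn, term))

if __name__ == "__main__":
    db = build_demo_db()
    print(handle_search(db, "widget"))
    print(handle_search(db, "<b>widget</b>"))
    # A legitimate apostrophe breaks the unsafe query but not the safe one.
    try:
        search_unsafe(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("unsafe query failed:", exc)
    print(search_safe(db, "O'Brien"))
```

The three functions are independent layers: the validation rule stops most unwanted input at the door, parameter binding means a quote in the term can never alter the query even if the rule is later relaxed, and output escaping protects the page regardless of what reached the database.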
Here are some resources for further reading: