WebApp Sec mailing list archives
Question on input validation
From: "Noah Gray" <ngray () lightport com>
Date: Tue, 23 Sep 2003 14:43:18 -0400
Input please: Would it be considered any less secure to, rather than validate input parameter types, instead synchronous-key-hash the parameters and compare the hash on the receiving side? For instance: FormA Gets/Posts to FormB with the following parameters: - AuthorizedResourceID - PriviledgedActionType Using the Input and Authorization checking, one must check the types (string/int, not null, greater than 0, etc). Additionally, one must validate the users permission to the Authorized resource, as well as their permission to execute the specified permission. However, using a synch-key hash, such as HMAC-SHA1, I could simply pass a third parameter, ParmHash, that the receiving script could also generate and compare using a shared key. Doing this, I needn't worry about the user's permission to do anything that is signed from my calling script, nor about the input's validity. I can save a round-trip to the database to do any permission lookup, thus making the application more efficient. The only issue is that links or form posts must be pre-generated by the server, and clearly this would not be possible in every situation. The question is, how, if at all, might this be a bad idea? Regards, Noah Gray Application Developer LightPort Advisors ngray at lightport.com
Current thread:
- Question on input validation Noah Gray (Sep 24)
- <Possible follow-ups>
- RE: Question on input validation Scovetta, Michael V (Sep 24)
- Re: Question on input validation Alex Russell (Sep 24)