Web Application Security

Unvalidated Input

According to the OWASP Guide, unvalidated input is the most common weakness found in web applications. Tainted input leads to almost all other vulnerabilities in these environments (OWASP, 2005). Before we look at how to prevent this weakness from spreading throughout your web solutions, let’s examine the potential threats to your business when tainted input is allowed to reach your processing components.

Figure 1 is a logical view of four of the ways in which input is received by an application.

[Figure 1: four sources of application input (image not available)]

Input from any one of these sources impacts how an application accesses, processes, and displays data. For example, attackers might add, delete, or modify URL parameters in a query string. Hidden form fields can be changed and the form resubmitted. Database information, especially fields written by other applications, might be either purposely or accidentally tainted.

Potential Vulnerabilities

There are many possible negative outcomes if input containing either improperly formatted or invalid/malicious content reaches a business-critical web application. The following are just a few:

Improper HTML display – The lowest-impact display issue would be an unprofessional portrayal of your site. On the other end of the spectrum, tainted input can render your display unusable. Further, attackers can force errors in application output to gain some idea of the diligence with which your developers tighten up their code. If it’s easy to hack a display, it’s a good bet that it’s just as easy to crack other application components.

By-passed client-side validation – Client-side validation is not really validation. It isn’t very difficult for an attacker to disable script execution on her workstation, enter malicious invalid form input, and then submit the form. If there’s no validation on the server side of the transaction, server crashes and the execution of rogue commands are just two of the possible outcomes.

Cross-site scripting – Text fields that are not validated might contain HTML tags--like
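The following is an added example, not part of the original post, showing the server-side handling the text above calls for: every field of a submitted order form is re-validated on the server (so disabling client-side scripts gains nothing), a hidden price field is checked against a server catalogue rather than trusted, and user-supplied values are escaped before being placed in HTML. The catalogue, field names and sample submissions are constructed for illustration.

```python
import html
import re
from typing import Dict, List

# Constructed server-side catalogue (prices in cents). The server, not a hidden
# form field, is the source of truth for prices.
CATALOGUE = {"SKU-100": 1999, "SKU-200": 4999}

# Allow-list pattern for the username field: a narrow set of characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_order(form: Dict[str, str]) -> List[str]:
    """Return validation errors for a submitted order form.
    Runs on the server for every request, regardless of any client-side checks."""
    errors: List[str] = []
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        errors.append("sku: unknown product")
    qty = form.get("qty", "")
    if not qty.isdigit() or not 1 <= int(qty) <= 100:
        errors.append("qty: must be an integer between 1 and 100")
    # A hidden 'price' field is never used for pricing; a mismatch is flagged
    # because it indicates the form was altered before resubmission.
    if "price" in form and form["price"] != str(CATALOGUE.get(sku)):
        errors.append("price: hidden field does not match catalogue (possible tampering)")
    if not USERNAME_RE.match(form.get("username", "")):
        errors.append("username: 3-20 letters, digits or underscores")
    return errors


def order_total_cents(form: Dict[str, str]) -> int:
    """Compute the total from the server catalogue, never from a submitted price."""
    return CATALOGUE[form["sku"]] * int(form["qty"])


def render_confirmation(form: Dict[str, str]) -> str:
    """Escape every user-supplied value before it is placed in HTML output."""
    return "<p>Thanks, {}! You ordered {} x {}.</p>".format(
        html.escape(form["username"]), html.escape(form["qty"]), html.escape(form["sku"]))


# Constructed sample submissions: a well-formed one, and one with an altered
# hidden price and HTML tags in a text field, as a resubmitted form might carry.
GOOD_FORM = {"sku": "SKU-100", "qty": "2", "price": "1999", "username": "alice_1"}
TAMPERED_FORM = {"sku": "SKU-100", "qty": "2", "price": "1", "username": "<b>bob</b>"}
```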