
I currently have the problem in one of my self-written apps that the app receive


Question

I currently have the problem in one of my self-written apps that the app receives user input (JSON) from another app, but I am not able to check if this input is good or malicious. I can't check this because I do not know what is in this data, i.e. I know what the header should look like, but the data changes. But before the remote app is able to send information, it has to authenticate itself. Is this enough for providing security against malicious attacks via sending bad data, or should I improve the security? If yes, how?

Explanation / Answer

No, authentication is not a sufficient compensating control for lack of input validity checking.

You can't ever trust input from users and other systems (and I recommend not trusting input from your own system, as well). As an example, I've had roughly 5 instances in the last three months where a trusted user's system acted as an unwitting conduit for a scan or attack. In one case, their system was carefully tucking malicious input from a third party into valid (schema-appropriate) XML and forwarding it under their credentials. Oops!

You may not know what to expect for the valid content of the data but you should be able to look at both the structure of the data and invalid content of the data.

Structure - If it's a phone number, zip code, SSN, or other structured data, you can do syntax checking to make sure it fits the appropriate pattern.

Invalid Content - If it's unstructured text, you can validate size, and you can look for and quote metacharacters that are often used to abuse parsers and processors (`, ;, (), {}, &, <>, etc.). This is a difficult task to do comprehensively, which is why the Web Application Firewall market has sprung up - it offloads the scanning of content for malicious strings to a specialized tool that can focus on the task.
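The two checks described above, applied to a JSON message from an already authenticated sender, as an added example that is not part of the original answer. The header field names, their patterns and the size and depth limits are assumptions chosen for illustration.

```python
import json
import re

# Assumed limits and header layout; the page gives none, so adjust to your protocol.
MAX_BODY_BYTES, MAX_TEXT_CHARS, MAX_DEPTH = 4096, 256, 4
HEADER_RULES = {
    "sender": re.compile(r"[A-Za-z0-9_-]{1,32}"),
    "msg_id": re.compile(r"[0-9a-f]{8}"),
    "phone": re.compile(r"\+?[0-9]{7,15}"),
}
META = re.compile(r"[`;(){}&<>]")  # metacharacters named in the answer

def check_data(value, path, depth, problems):
    """Walk the free-form part: bound nesting and size, flag metacharacters."""
    if depth > MAX_DEPTH:
        problems.append(f"{path}: nested too deeply")
    elif isinstance(value, dict):
        for key, item in value.items():
            check_data(key, f"{path}.<key>", depth + 1, problems)  # keys are input too
            check_data(item, f"{path}.{key}", depth + 1, problems)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            check_data(item, f"{path}[{i}]", depth + 1, problems)
    elif isinstance(value, str):
        if len(value) > MAX_TEXT_CHARS:
            problems.append(f"{path}: text too long")
        if META.search(value):
            problems.append(f"{path}: contains metacharacters")

def validate(raw: bytes) -> list:
    """Return a list of problems; an empty list means the message passed."""
    if len(raw) > MAX_BODY_BYTES:
        return ["body too large"]
    try:
        msg = json.loads(raw)
    except (ValueError, RecursionError):
        return ["not valid JSON"]
    if not isinstance(msg, dict) or set(msg) != {"header", "data"}:
        return ["unexpected top-level structure"]
    header = msg["header"]
    if not isinstance(header, dict) or set(header) != set(HEADER_RULES):
        return ["unexpected header fields"]
    problems = []
    for name, pattern in HEADER_RULES.items():
        if not isinstance(header[name], str) or not pattern.fullmatch(header[name]):
            problems.append(f"header.{name}: bad format")
    check_data(msg["data"], "data", 0, problems)
    return problems
```

The function reports metacharacters rather than rewriting them, because the correct quoting depends on where the text is later used (SQL, shell, HTML).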
