Data that is not validated or poorly validated is the root cause of a number of serious security vulnerabilities affecting applications. This paper presents a modular approach to performing thorough data validation in modern web applications so that the benefits of modular component based design; extensibility, portability and re-use, can be realised. It starts with an explanation of the vulnerabilities introduced through poor validation and then goes on to discuss the merits of a number of common data validation methodologies. Finally, a modular approach is introduced together with practical examples of how to implement such a scheme in a web application. This follows two main principles:
• Data should be validated in the data model, where the validation rules have maximum scope for interpreting the context; and
• Escaping of harmful meta-characters should be performed just before the data is processed, typically in the data access components.
Implementing such a modular approach contributes to the application being loosely coupled and ensures that it can safely be extended and components reused, without incurring unnecessary
development time to re-implement validation routines.
This document is in PDF format. To view it click here.