PerlMonks  

Re: Validation Validation Validation

by kabeldag (Hermit)
on Feb 06, 2007 at 05:03 UTC ( [id://598484] )


in reply to newb: Best way to protect CGI from non-form invocation?

Just a general approach to such a situation. Not a comprehensive solution ...

1. Attempt to validate properties below the Application Layer of the OSI model.

   1.0 Validate IP address and other Transport and Network Layer properties as required.

   1.1 Log Transport and Network Layer connections and scrutinise.

2. Attempt to validate Application Layer properties of the OSI model.

   2.0 Validate/Authenticate Application Layer/HTTP access to documents. Set up authentication for
       HTTP server usage.

   2.1 Validate Application Layer HTTP header parameters.

3. Attempt to validate Application Layer connection/session properties and input data.

   3.0 Validate Application Layer document-specific access. Session id token combined with IP
       address and/or other parameters via some sort of encoding technique. A user/password auth
       combination with perhaps 'CAPTCHA' techniques to validate the user login.

   3.1 Validate session form input. Use hidden form values, data length checks, valid characters and/or
       words. Validate input times so that input doesn't come too quick or too late.

   3.2 Log important events such as logins and form input with appropriate client/session data.

   3.3 Scrutinise event logs ... form input/submissions, authentication etc.

Logging events is important for validation as well as other reasons. If a determined or experienced bastard
passes all of the validation checks, you can always check the logs for patterns. Random or not, you
will notice patterns and can take appropriate action. Beware of blocking/black-listing certain IPs though; you may end up blocking a completely okay network because somebody spoofed an IP or block.

It is easy to spoof Network and Transport Layer packet properties, as well as Application Layer properties such
as the document referrer etc., but if you have no validation, you have no security.

By no means have I listed every possible validation method nor may I be 100% on target.
I have just listed a general layered overview. There are suggestions already mentioned in this thread/node,
but don't stop there. Think about the type of situation you have and apply a security measure to match. Common sense.

Update (:-s) : Fixed some HTML formatting
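A worked illustration of steps 3.0 through 3.2 of the post above, added here as an example; it is not code from the original post or thread. It assumes a CGI-style script that served a form earlier and now receives the submission: a hidden token binds the session id, client IP and User-Agent to the time the form was served (keyed with HMAC-SHA256 via the core Digest::SHA module), the submission is rejected if it arrives too quickly or too late, each field is checked for length and allowed characters, and every outcome is logged to STDERR (the web server's error log under CGI) with the client data that matters. The secret, the timing thresholds, the field rules and the sample requests are all constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical server-side secret; in practice load it from a file outside the docroot.
my $SECRET = 'replace-me-with-a-long-random-secret';

my $MIN_FILL_SECONDS = 3;      # faster than this looks like a script, not a person
my $MAX_FILL_SECONDS = 1800;   # slower than this and the served form has expired

# Issue the hidden form token: "<sid>:<issued>:<hmac>", where the HMAC covers
# the session id, client IP, User-Agent and the time the form was served (3.0).
sub issue_token {
    my ($sid, $ip, $ua, $issued) = @_;
    my $mac = hmac_sha256_hex(join("\0", $sid, $ip, $ua, $issued), $SECRET);
    return join(':', $sid, $issued, $mac);
}

# Constant-time string compare so a wrong HMAC takes as long to reject as a near-miss.
sub constant_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Check the token against what the current request presents; undef means ok.
sub check_token {
    my ($token, $ip, $ua, $now) = @_;
    my ($sid, $issued, $mac) = split /:/, $token // '', 3;
    return 'malformed token'
        unless defined $mac && $sid =~ /^[A-Za-z0-9]{16,64}$/ && $issued =~ /^\d+$/;
    my $expect = hmac_sha256_hex(join("\0", $sid, $ip, $ua, $issued), $SECRET);
    return 'token does not match client' unless constant_eq($mac, $expect);
    my $age = $now - $issued;                       # timing check (3.1)
    return 'submitted too quickly' if $age < $MIN_FILL_SECONDS;
    return 'form expired'          if $age > $MAX_FILL_SECONDS;
    return undef;
}

# Per-field rules: maximum length and an allowed-character pattern (3.1).
my %RULES = (
    username => { max => 32,  re => qr/^[A-Za-z0-9_.-]+$/ },
    comment  => { max => 500, re => qr/^[\x20-\x7E\n]+$/ },
);

sub check_fields {
    my ($params) = @_;
    for my $name (sort keys %RULES) {
        my $v = $params->{$name};
        return "$name missing"                unless defined $v && length $v;
        return "$name too long"               if length($v) > $RULES{$name}{max};
        return "$name has invalid characters" unless $v =~ $RULES{$name}{re};
    }
    return undef;
}

# Run every check and log the outcome with time, IP and User-Agent (3.2).
# Returns undef when the submission is accepted, otherwise the reason for rejection.
sub validate_submission {
    my ($params, $env, $now) = @_;
    my $ip = $env->{REMOTE_ADDR}     // '-';
    my $ua = $env->{HTTP_USER_AGENT} // '-';
    my $reason = check_token($params->{token}, $ip, $ua, $now) // check_fields($params);
    my $status = defined $reason ? "REJECT ($reason)" : 'ACCEPT';
    print STDERR sprintf("%d %s \"%s\" form-submit %s\n", $now, $ip, $ua, $status);
    return $reason;
}

# Constructed demo requests (not real traffic).
my %env    = (REMOTE_ADDR => '203.0.113.7', HTTP_USER_AGENT => 'Mozilla/5.0');
my $served = 1170738180;    # time the form was served to this client
my $token  = issue_token('a1b2c3d4e5f6a7b8', $env{REMOTE_ADDR}, $env{HTTP_USER_AGENT}, $served);
my %good   = (token => $token, username => 'kabeldag', comment => 'hello');

for my $case (
    [ 'legitimate, 40s later',      \%good,                                         \%env,                                       $served + 40 ],
    [ 'same token, other address',  \%good,                                         +{ %env, REMOTE_ADDR => '198.51.100.9' },    $served + 40 ],
    [ 'submitted 1s after serving', \%good,                                         \%env,                                       $served + 1  ],
    [ 'injection-looking username', +{ %good, username => q{'; DROP TABLE x --} }, \%env,                                       $served + 40 ],
) {
    my ($label, $params, $e, $t) = @$case;
    my $reason = validate_submission($params, $e, $t);
    print "$label: ", ($reason // 'accepted'), "\n";
}
```

Only the first request is accepted; the others fail the client binding, the too-quick timing rule and the username character set respectively, and each outcome lands in the error log with the client data needed for the pattern-spotting described above. Binding the token to the IP is still a heuristic, as the post notes: a client behind a changing proxy address will be rejected, and a spoofed address is only as hard as the attacker's position on the network allows.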
