"Accept Known Good" and potential attacks

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


ywickham
Forum Newbie
Posts: 3
Joined: Thu Mar 18, 2010 3:10 pm

"Accept Known Good" and potential attacks

Post by ywickham »

I've just recently been introduced to the concept of "Accept Known Good" via the OWASP document:

http://www.owasp.org/index.php/Data_Val ... known_good

...with the idea that, instead of rejecting badly formed input, a whitelist of acceptable inputs can be used to validate against. I understand the basics, love the idea, but I am curious as to what the consensus is in regards to what attacks could still thwart AKG if the code is written such that no user input is ever trusted and the only values passed on to the scripts are the allowable ones from the whitelist?

Hope someone with more insight can elaborate. Be warned - I'm also not a security person, so I may have more questions as this discussion continues.

Thanks!
Attilitus
Forum Commoner
Posts: 27
Joined: Wed Aug 08, 2007 2:32 pm

Re: "Accept Known Good" and potential attacks

Post by Attilitus »

Well... theoretically this is a perfect way to eliminate all bugs related to user input.

However, if the programmer doesn't know what is safe they might accidentally white-list a type of input that isn't safe.
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: "Accept Known Good" and potential attacks

Post by cpetercarter »

Whitelisting is the right way to go when there is a finite number of acceptable possibilities. For example, if you use a $_GET['page'] variable to navigate from page to page, the only acceptable possibilities might be "login, news, blog, comments, shop". If $_GET['page'] is not in this list, you can reject it.

But whitelisting is more difficult for, e.g., free text input. Checking that the input contains only letters, numbers and normal punctuation marks may not help much - it might leave an attacker plenty of scope for, e.g., an SQL injection attack. In these cases you need to think of additional ways of sanitising the data, e.g. a blacklist of non-acceptable characters or character combinations.

Good security systems have protection in depth - e.g. secure logins, secure session handling, strong input checking, secure database queries etc. They don't rely on a single magic bullet.
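The two cases cpetercarter describes, written out as an added PHP example (this is not code from the thread). It assumes a page list identical to the one in the post, a comments table with author and body columns, and an in-memory SQLite database so that it runs offline; the regular expression standing in for "letters, numbers and normal punctuation" is a constructed approximation. The point it shows is that a strict in_array whitelist settles the finite case completely, while the character whitelist for free text happily accepts a quote-laden string, so the query itself must be parameterised rather than trusting the input check.

```php
<?php
// Added example, not from the thread: "accept known good" for a finite set of
// page names, beside a free-text field where a character whitelist is not enough.

declare(strict_types=1);

// Finite whitelist: the only page names ever used to pick a template/include.
const ALLOWED_PAGES = ['login', 'news', 'blog', 'comments', 'shop'];

function selectPage(string $requested): string
{
    // Third argument (strict) compares type and value, so PHP's loose
    // comparison rules cannot widen the match.
    if (in_array($requested, ALLOWED_PAGES, true)) {
        return $requested;
    }
    // Anything not on the list is replaced by a safe default, never used as-is.
    return 'news';
}

// Free text: a constructed "letters, digits, spaces and normal punctuation"
// whitelist. Quotes and "=" are ordinary punctuation, so it still admits
// strings that mean something to SQL.
function looksLikeNormalText(string $text): bool
{
    return preg_match('/^[A-Za-z0-9 .,!?\'"=()-]{1,200}$/', $text) === 1;
}

// The reliable defence at the database layer is to keep the data out of the
// query text entirely: a prepared statement with a bound parameter.
function findCommentsByAuthor(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demonstration data and inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$db->exec("INSERT INTO comments (author, body) VALUES ('bob', 'hello'), ('alice', 'private')");

$suspect = "bob' OR '1'='1";

echo 'page for "blog": ', selectPage('blog'), "\n";
echo 'page for "../../etc/passwd": ', selectPage('../../etc/passwd'), "\n";

// The character whitelist accepts the suspect string: validation alone did not help.
echo 'character whitelist accepts suspect string: ', var_export(looksLikeNormalText($suspect), true), "\n";

// With a bound parameter the whole string is compared literally as an author
// name, so it matches no row, while the genuine name still matches its row.
echo 'rows for suspect string: ', count(findCommentsByAuthor($db, $suspect)), "\n";
echo 'rows for "bob": ', count(findCommentsByAuthor($db, 'bob')), "\n";
```

Running it under the PHP CLI with the pdo_sqlite extension prints the fallback page for the unknown request, reports that the character check accepts the suspect string, and shows zero rows for it against one row for the real author, which is the "protection in depth" point of the post: the whitelist narrows the input, the prepared statement makes the query safe regardless of what got through.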
ywickham
Forum Newbie
Posts: 3
Joined: Thu Mar 18, 2010 3:10 pm

Re: "Accept Known Good" and potential attacks

Post by ywickham »

Thank you for your opinion, cpetercarter. It was very helpful and I appreciate it.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: "Accept Known Good" and potential attacks

Post by kaisellgren »

If you can apply white-list filtering on input, then it may only have a flaw when the previously good has now become bad (e.g., one day web browsers allow tags like #strong#, just a silly example), or the "known good" was not understood correctly by the developer and was actually "bad".

White-listing applies to sanitizing and validation. So, in situations like encoding, encryption, escaping, etc., white-listing does not apply.
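kaisellgren's last point, that whitelisting belongs to validation and sanitising while encoding and escaping are a different job, as an added PHP example (not code from the thread). It assumes a display-name field whose "known good" legitimately includes apostrophes and ampersands, and two output contexts, HTML and JSON; the name value is constructed. A value that passes validation still has to be encoded for each context it is written into, and the encoder is chosen by the context, not by the input rule.

```php
<?php
// Added example, not from the thread: validation ("accept known good") and
// output encoding are separate steps; passing the first never removes the second.

declare(strict_types=1);

// Whitelist validation for a display name. Letters (any script), spaces,
// apostrophes, ampersands, dots and hyphens all occur in real names, so they
// are the "known good" set here.
function isValidDisplayName(string $name): bool
{
    return preg_match('/^[\p{L} \'&.-]{1,60}$/u', $name) === 1;
}

// HTML context: the same validated value is encoded for element text and
// for a single-quoted attribute. ENT_QUOTES covers both quote styles.
function renderProfileHtml(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p class='user' data-name='{$safe}'>{$safe}</p>";
}

// JSON context: a different encoder for the same value. The JSON_HEX_* flags
// additionally hex-escape characters that would matter if the JSON is later
// embedded in an HTML page.
function renderProfileJson(string $name): string
{
    return json_encode(
        ['name' => $name],
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
}

// Constructed input: passes the whitelist, yet contains an apostrophe that
// would end a single-quoted attribute and an ampersand that starts an entity.
$name = "O'Brien & Sons";

if (!isValidDisplayName($name)) {
    exit("rejected by whitelist\n");
}

echo renderProfileHtml($name), "\n";
echo renderProfileJson($name), "\n";
```

Both outputs are produced from a value the whitelist accepted; the apostrophe and ampersand come out as entity or hex escapes in each, which is why the validation step cannot be used as a substitute for the escaping step, and why the whitelist itself does not need to exclude characters that are legitimate in the data.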