I've just recently been introduced to the concept of "Accept Known Good" via the OWASP document:
http://www.owasp.org/index.php/Data_Val ... known_good
...with the idea being that instead of rejecting badly formed input, a whitelist of acceptable inputs can be used to validate against. I understand the basics, love the idea, but I am curious as to what the consensus is in regards to what attacks could still thwart AKG if the code is written such that no user input is ever trusted and the only values passed on to the scripts are the allowable ones from the whitelist.
Hope someone with more insight can elaborate. Be warned - I'm also not a security person, so I may have more questions as this discussion continues.
Thanks!
"Accept Known Good" and potential attacks
Re: "Accept Known Good" and potential attacks
Well... theoretically this is a perfect way to eliminate all bugs related to user input.
However, if the programmer doesn't know what is safe they might accidentally white-list a type of input that isn't safe.
- cpetercarter
- Forum Contributor
- Posts: 474
- Joined: Sat Jul 25, 2009 2:00 am
Re: "Accept Known Good" and potential attacks
Whitelisting is the right way to go when there is a finite number of acceptable possibilities. For example, if you use a $_GET['page'] variable to navigate from page to page, the only acceptable possibilities might be "login, news, blog, comments, shop". If $_GET['page'] is not in this list, you can reject it.
But whitelisting is more difficult for, e.g., free text input. Checking that the input contains only letters, numbers and normal punctuation marks may not help much - it might leave an attacker plenty of scope for, e.g., an SQL injection attack. In these cases you need to think of additional ways of sanitising the data, e.g. a blacklist of non-acceptable characters or character combinations.
Good security systems have protection in depth - e.g. secure logins, secure session handling, strong input checking, secure database queries etc. They don't rely on a single magic bullet.
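An added example (not from this thread, and in Python rather than the PHP the post refers to) illustrating both halves of the reply above: an exact-match whitelist for the finite `page` parameter, and a character whitelist on free text that still passes a quote-containing string, which a string-built query interprets as SQL while a parameterised query treats it as plain data. The table contents, the probe string and the `ALLOWED_PAGES` set are constructed for the demo.

```python
import re
import sqlite3

# Constructed whitelist: the finite set of pages named in the post.
ALLOWED_PAGES = {"login", "news", "blog", "comments", "shop"}


def select_page(page_param):
    """Accept-known-good on a finite set: exact match, otherwise a safe default."""
    return page_param if page_param in ALLOWED_PAGES else "login"


# A character whitelist for free text: letters, digits, space and "normal punctuation".
FREE_TEXT_OK = re.compile(r"^[A-Za-z0-9 .,'!?=-]*$")


def free_text_passes_whitelist(text):
    """True when every character is on the allowed list (quotes included)."""
    return FREE_TEXT_OK.fullmatch(text) is not None


def _demo_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def count_unsafe(conn, name):
    """String-built query: text that passed the character whitelist is parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, name):
    """Parameterised query: the same text is bound as a value and matches no row."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()[0]


def demo():
    """Run the probe through both query styles; the whitelist alone is not a defence."""
    conn = _demo_db()
    probe = "x' OR 'a'='a"  # constructed: only letters, quotes, spaces and '='
    return {
        "whitelist_passes": free_text_passes_whitelist(probe),
        "unsafe_count": count_unsafe(conn, probe),  # 2: the OR clause matched every row
        "safe_count": count_safe(conn, probe),      # 0: treated as a literal name
    }
```

The point is the one made in the reply: the exact-match whitelist is sufficient for the finite case, while free text needs the query layer (parameterised statements) as a second line of defence.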
Re: "Accept Known Good" and potential attacks
Thank you for your opinion, cpetercarter. It was very helpful and I appreciate it.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: "Accept Known Good" and potential attacks
If you can apply white-list filtering on input, then it may only have a flaw when the previously good has now become bad (e.g., one day web browsers allow tags like #strong#, just a silly example), or the "known good" was not understood correctly by the developer and was actually "bad".
White-listing applies to sanitizing and validation. So, in situations like encoding, encryption, escaping, etc., white-listing does not apply.