Exploring the Client-Server Relationship 317
Input Validation
Input validation is a mechanism used to verify information as it is entered into an
application. Essentially, a user entering data into a form or website will have few, if
any, restrictions placed on them when they enter data. When data is accepted without
restriction, mistakes, both intentional and unintentional, are entered into the system and
can lead to problems later on. However, with a mechanism for validating input in place, it is
possible to thwart these problems, which include:
■ Database manipulation
■ Database corruption
■ Buffer overflows
■ Inconsistent data
A lack of input validation can allow advanced attacks such as SQL
injections to occur.
A good example of input validation, or rather the lack of it, is a box on a form where
a zip code is to be entered but that in reality will accept any data. In some cases, accepting
the wrong data will simply mean that the information is unusable to the owner of the
site, but it could also cause the site to crash or to mishandle the information in a way that
reveals information onscreen.
Cross-Site Scripting (XSS)
Another type of attack against a web server is the cross-site scripting (XSS) attack. It relies
on a variation of the input validation attack, but the target is different because the goal is
to go after a user instead of the application or data. An example of an XSS attack uses scripting
methods to execute a Trojan within a target's web browser; this is made possible
through the use of scripting languages such as JavaScript or VBScript. By careful analysis,
an attacker can look for ways to inject malicious code into web pages in order to gain
anything from session information in the browser, to elevated access, to control over content
in the browser.
The following steps reveal XSS in action:
- The attacker discovers that a website suffers from an XSS scripting defect.
- The attacker sends an e-mail stating that the victim has just been awarded a prize and
should collect it by clicking a link in the e-mail:
The link in the e-mail goes to http://www.badsite.com/default.asp?name=.
- When the link is clicked, the website displays the message “Welcome Back!” with a
prompt to enter the name.
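The two defences this section describes, an allowlist check for the zip code box and output encoding for the reflected name parameter in the "Welcome Back!" page, as an added Python example that is not part of the original text; the function names, the ZIP+4 pattern and all sample inputs are constructed for illustration.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Allowlist pattern (assumed format): five digits, optionally "-" and four more.
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")


def validate_zip(value: str) -> Optional[str]:
    """Return the normalized ZIP code if it matches the allowlist, else None.

    Letters, SQL fragments, markup and over-long strings are all rejected
    before the value is stored or passed on to the database.
    """
    candidate = value.strip()
    if len(candidate) > 10:  # 5 + "-" + 4 is the longest legal form
        return None
    return candidate if ZIP_RE.fullmatch(candidate) else None


def render_welcome_unsafe(name: str) -> str:
    """The reflection defect: untrusted input is pasted into the page verbatim."""
    return f"<p>Welcome Back! {name}</p>"


def render_welcome(name: str) -> str:
    """Hardened version: same page, but the name is HTML-escaped on output."""
    return f"<p>Welcome Back! {html.escape(name, quote=True)}</p>"


def name_from_url(url: str) -> str:
    """Pull the 'name' query parameter out of a link like the one in the e-mail."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("name", [""])[0]


if __name__ == "__main__":
    # Constructed sample inputs for the zip code box.
    for sample in ["12345", "12345-6789", " 90210 ", "1234", "12345 OR 1=1", "<script>"]:
        print(f"{sample!r:20} -> {validate_zip(sample)}")
    # Constructed link whose name parameter happens to carry markup.
    link = "http://www.badsite.com/default.asp?name=%3Cb%3EAlice%3C%2Fb%3E"
    n = name_from_url(link)
    print(render_welcome_unsafe(n))  # browser would interpret the markup
    print(render_welcome(n))         # browser shows the markup as literal text
```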