So when I hear someone say “Input Validation” I know they don’t know what they are talking about. You know why? Input validation means all of JACK SHIT when it comes to fixing vulnerabilities.

Whitelisting. Now that means something.

Removing special characters. That means something.

Verifying the length of a buffer. That means something.

Input Validation? That means what exactly?

It even annoys me more when people say that’s the solution to XSS or SQLi. Not only is it wrong, it’s fucking stupid. Let’s say I need to enter the name Bob O’toole into the database. How the fuck do I input validate that? Because a single quote is essentially a SQL Injection.

Even worse is when people say to protect against XSS, you need to input validate. Where did you get that? Check out the OWASP cheat sheet for XSS; input validation isn’t mentioned. So where the fuck does it come from?

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
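To make the Bob O’toole point and the cheat-sheet point concrete, here is an added example (mine, not the post’s) that contrasts the two things that actually fix the problem with the vague advice. It assumes nothing beyond Python’s standard library: an in-memory SQLite database with a constructed `users` table, a constructed name containing an apostrophe, and a hypothetical `passes_name_allowlist` check standing in for the concrete whitelist/length checks mentioned above. The apostrophe is a legitimate character, so the allow-list has to let it through; what keeps it from becoming SQL is a bound parameter, and what keeps it from becoming markup is output encoding for the HTML context, which is what the OWASP cheat sheet prescribes.

```python
import html
import re
import sqlite3

# Constructed sample input: a perfectly legitimate name that contains a single quote.
NAME = "Bob O'toole"

# A concrete allow-list plus length bound for a human name (hypothetical policy for
# this example). Note the apostrophe must be permitted, which is exactly why this
# check cannot be the defence against SQL injection or XSS on its own.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def passes_name_allowlist(name: str) -> bool:
    """Whitelisting and length checking: meaningful, but orthogonal to SQLi/XSS."""
    return bool(NAME_RE.fullmatch(name))


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with a single constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, name: str) -> bool:
    """The pattern that makes a single quote 'essentially a SQL injection': the
    value is pasted into the SQL text. A legitimate apostrophe terminates the
    string literal, the statement is malformed, and SQLite rejects it.
    Returns True only if the insert succeeded."""
    try:
        conn.execute(f"INSERT INTO users (name) VALUES ('{name}')")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def insert_parameterized(conn: sqlite3.Connection, name: str) -> bool:
    """The actual fix: the SQL text is constant and the value travels separately
    as a bound parameter, so the driver never interprets the apostrophe as SQL."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    return True


def fetch_names(conn: sqlite3.Connection) -> list:
    """Read back what was stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def render_greeting(name: str) -> str:
    """Contextual output encoding for an HTML body context, as the OWASP XSS
    cheat sheet prescribes. html.escape with quote=True encodes & < > " and ',
    so the stored name is displayed verbatim but can never become markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = setup_db()
    print("allow-list accepts name:", passes_name_allowlist(NAME))
    print("concatenated insert succeeded:", insert_concatenated(db, NAME))
    print("parameterized insert succeeded:", insert_parameterized(db, NAME))
    print("stored:", fetch_names(db))
    print("rendered:", render_greeting(NAME))
```

Run it and the concatenated insert fails on a real customer’s name while the parameterized one stores it intact; the rendered greeting shows the apostrophe as `&#x27;`, so the same stored value is safe to put on a page. Neither outcome depended on rejecting input.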

It even bothers me more when people say they are “experts” in OWASP yet they didn’t even bother to read the cheat sheet.

So if you are a security professional, eliminate “input validation” from your vocabulary. It’s like saying you need to refill your blinker fluid in your car.

/Rant
