Security+ SY0-501 Domain 3 Architecture and Design: A look into Proper Input Validation

By Guy Nguyen-Phuoc on March 3, 2021


Introduction

The best way to stop a disaster is to prepare for it, and cyber disasters are no different. Under the Architecture and Design domain, SY0-501 defines input validation as “the practice of checking data for validity before using it”. Input validation helps prevent an attacker from sending malicious code that an application will then use, either by sanitizing the input to remove the malicious content or by rejecting the input outright. Improper input handling is one of the most common security issues; in this paper we will take a look at one of the many possible ways to validate user input.

Test environment

This paper uses Ubuntu 20.04 LTS in Oracle VirtualBox 6.0.14, with Python 2.7.18 and vim.

The code

An intern was writing a new piece of code to be added to our website. The code is a guessing game where the user guesses a random number to win a prize. Unfortunately, the intern hadn’t thought about input sanitization when he wrote his code, so let us see if we can fix it and explore why input sanitization is so important. The code is as follows:

 

In Python 2, the “input” function is equivalent to “eval(raw_input(prompt))”, and that is the main source of our security problems (Python 3’s “input” returns a plain string and does not have this issue). Let us explore some of these security issues.

Using variables directly

Because “input” evaluates whatever data it is given as Python code, you can pass the program’s own variables to it. Below we use “secret_number” as the input:

 

Interesting: we managed to pass the variable “secret_number” directly, causing us to win the game! While the intern is talking with HR about how he lost the company money, we can look at two more examples of exploiting “input”.

Calling functions() directly

We will add a new function called “super_secret_function”. It is never called by the program, but with our friend the “input” function we can get around that.

 

When prompted, enter “super_secret_function()” and receive a timeless password.

 

So far you have seen direct variable and function passing, but we have one more nefarious input to try.

Command injection

For this part we need to set up a dummy file. Run the following in the same directory as test.py: “touch delete_me.txt”. Shown below.

 

Now, when prompted, enter the following (in quotes): ‘os.system(“rm delete_me.txt”)’. Shown below.

 

Wow! Powerful stuff! This was an example of command injection, and it is one of the main things to look out for when sanitizing user input. You do not want to hand a malicious actor the privileges of your application through improper input validation! Recipe for a bad day.

Now let us look at one way of fixing this.

Input sanitization

To remedy Python’s “input” function, we can use “raw_input” instead, which takes the input and returns it as a string; from there we can convert it into whatever type we need. Below is the first remedy.

 

Now to try it out!

 

It works! However, we now have a new problem: a ValueError has been thrown. This is because the program expected an integer but instead received a string. Let us fix that with a try/except.
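As an added example (not the article’s own code, whose screenshots are not reproduced here), the two parsing approaches discussed above side by side: the intern’s eval-based guess parsing, which resolves variable names such as “secret_number” from the earlier section, and the validated replacement with the try/except just described, plus a range check the article does not show. It is written for Python 3, where input() already returns a string, so the unsafe path calls eval() explicitly to reproduce what Python 2’s input() did implicitly. The secret number, the guessing range and the sample inputs are constructed for illustration.

```python
"""Added example (not the article's code): an eval-based guess parser that
emulates Python 2's input() next to a validated parser.  Python 3 is assumed;
the game values below are constructed for illustration."""

SECRET_NUMBER = 7          # constructed: the number the player must guess
LOW, HIGH = 1, 10          # constructed: the valid guessing range


def unsafe_parse_guess(text, namespace):
    """Emulates Python 2's input(): eval() the raw text in the game's namespace.
    Anything the text names (variables, functions, modules) is resolved and
    executed, which is exactly the defect the article demonstrates."""
    return eval(text, namespace)


def safe_parse_guess(text):
    """Validated replacement: the text is treated as data, never as code.
    Returns an int in [LOW, HIGH] or raises ValueError with a reason."""
    text = text.strip()
    try:
        guess = int(text)
    except ValueError:
        # The article's try/except: a non-numeric string is rejected, not crashed on.
        raise ValueError("guess must be a whole number, got %r" % text)
    if not LOW <= guess <= HIGH:
        # Extra check beyond the article: a number outside the game's range is invalid too.
        raise ValueError("guess must be between %d and %d" % (LOW, HIGH))
    return guess


def play_round(text, secret=SECRET_NUMBER):
    """One turn of the game using the validated parser.
    Returns a (status, message) tuple so callers can branch on the outcome."""
    try:
        guess = safe_parse_guess(text)
    except ValueError as err:
        return "rejected", str(err)
    if guess == secret:
        return "win", "You win!"
    return "lose", "Nope, try again."


def demo():
    """Feed the same text to both parsers and return what each does with it."""
    namespace = {"secret_number": SECRET_NUMBER}
    # The eval-based parser resolves the variable name to the secret itself.
    leaked = unsafe_parse_guess("secret_number", namespace)
    # The validated parser rejects the same text because it is not a number.
    status, msg = play_round("secret_number")
    return leaked, status, msg


if __name__ == "__main__":
    leaked, status, msg = demo()
    print("eval-based parser returned:", leaked)
    print("validated parser:", status, "-", msg)
    print(play_round("7"))
```

The validated parser never hands user text to the interpreter, so the variable, function and os.system inputs from the earlier sections all fall into the same “not a whole number” branch; keeping the rejection as a returned status rather than a crash is what lets the game keep running after bad input.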

 

Now we can try entering strings again to see what happens.

 

Awesome, we fixed the problem!

Conclusion

We have seen how dangerous user input can be and how to fix one particular instance of the problem. Proper input validation should always be part of a project to avoid disastrous situations.
