Skip to main content
Version: 2.2

Input Validation Security Feature

Overview

HTTP input validation is performed to ensure only properly formed data enters the workflow in a server, preventing malformed data from persisting in the database and exploiting the weaknesses of various downstream components. Input validation should be completed as early as possible in the data flow, preferably as soon as the data is received from the external party.

Input validation vulnerabilities are covered by CWE-20.

The Input Validation security feature is enabled using the ARMR http rule, and can be used to ensure that various HTTP request components adhere to predefined, expected formats.

It is recommended that HTTP input validation is not used as the primary method of preventing attacks such as XSS and SQL Injection. However, if implemented properly, it can significantly contribute to reducing the impact of such attacks.

Given (Condition)

To enable the input validation security feature using the ARMR http rule the user specifies the request declaration.

requestThis determines the HTTP endpoints for which protection is enabled. An optional key value pair can be supplied to this declaration where the key is paths and the value can be one of the following (indicating specifically targeted HTTP endpoints) :-- a quoted string

  • a list of one or more quoted-stringsIf no value is specified then protection will be applied to all HTTP endpoints by default.If a string value is specified then it must:- not be empty

  • be a valid relative URI |

When (Event)

validateTwo separate key-value pairs are required for this declaration to switch on input validation protection. Valid values for the first key include:- parameterscookiesheadersValid values for the second key include:- is
headers* The headers key is used to enable input validation of HTTP request headers.

  • The value of the headers key defines the names of one or more HTTP request headers whose values must be validated.

  • Empty header names are not allowed. | | | parameters | - The parameters key is used to enable input validation of HTTP request parameters.

  • The value of the parameters key defines the names of one or more HTTP request parameters whose values must be validated.

  • Empty parameter names are not allowed | | | cookies | * The cookies key is used to enable input validation of HTTP request cookies.

  • The value of the cookies key defines the names of one or more HTTP request cookies whose values must be validated.

  • Empty cookie names are not allowed | | | is | - The is key indicates the values that are permitted, or the validation rules that must be adhered to, for the given validation target.

  • Possible values for the is key are:

    • integer

    • integer-positive

    • integer-unsigned

    • alphanumeric

    • sql-no-single-quotes

    • sql-no-double-quotes

    • html-no-single-quotes

    • html-no-double-quotes

    • html-attribute-unquoted

    • html-text

  • Alternatively, the user may specify a valid regular expression (according to the platform's regular expression syntax)

  • In addition, the value can be a list comprised of more than one of any of the above types |

Then (Action)

protectHTTP targets that fail validation are stripped from the request. If configured, a log message is generated with details of the event.
detectMonitoring mode: the application behaves as normal.A log message is generated with details of the HTTP request target that fails validation.A log message must be specified with this action.
allowCan be used to allow specific HTTP request targets that adhere to a particular format that is a subset of a format already covered by an ARMR http rule for the same target in protect mode.

Examples

The following example shows how the user may configure the HTTP Input Validation feature to validate the HTTP request parameter “number”. The mod ensures that this value is an integer and therefore does not contain any unexpected characters. Protection is enabled for the specific page “index.jsp”.

app("HTTP Input Validation mod"):
  requires(version: ARMR/2.2)
  http("HTTP single parameter validation"):
    request(paths: "/webapp/index.jsp")
    validate(parameters: ["number"], is: [integer])
    protect(message: "number parameter was not an integer", severity: 5)
  endhttp
endapp

Logging

A log entry similar to the following is generated when the above ARMR http rule identifies an unexpected value for the given HTTP target:

<12>1 2020-07-07T15:37:28.122+01:00 l-qa02 java 6312 - - CEF:0|ARMR:HTTP Input Validation mod|HTTP Input Validation mod|2.2|HTTP single parameter validation|Execute Rule|Medium|rt=Jul 07 2020 15:37:28.122 +0100 dvchost=l-qa02 procid=6312 outcome=success act=protect msg=number parameter was not an integer parameters=number validationRule=integer value=<script>alert(1)</script> uri-path=/webapp/index.jsp remote-address=127.0.0.1 session-id=6DBB96A42D02A68D0EA9DA93AE735190

Further examples

The following mod ensures the HTTP request cookie named “loginId” is a positive integer. This applies to the “index.jsp” page of the application only.

app("HTTP Input Validation mod 2"):
  requires(version: ARMR/2.2)
  http("HTTP cookie validation"):
    request(paths: "/webapp/index.jsp")
    validate(cookies: ["loginId"], is: [integer-positive])
    protect(message: "loginId cookie was not a positive integer", severity: 5)
  endhttp
endapp

The following mod ensures the HTTP request parameters “firstname” and “lastname” both adhere to the given regular expression. This applies to the “index.jsp” page of the application only.

app("HTTP Input Validation mod 3"):
  requires(version: ARMR/2.2)
  http("HTTP multiple parameter validation"):
    request(paths: "/webapp/index.jsp")
    validate(parameters: ["firstname", "lastname"], is: ["[a-z]+"])
    protect(message: "unexpected characters found in name parameters", severity: 5)
  endhttp
endapp

The following mod ensures the HTTP request parameter “price” is a positive integer. This applies to all HTTP endpoints.

app("HTTP Input Validation mod 4"):
  requires(version: ARMR/2.2)
  http("HTTP single parameter validation for all HTTP requests"):
    request()
    validate(parameters: ["price"], is: [integer-positive])
    protect(message: "invalid value for price HTTP parameter", severity: 7)
  endhttp
endapp

The following mod ensures the HTTP request cookie “name” is html that does not contain either single or double quote characters. This applies to the two pages of the application “testPageA.jsp“ and “testPageB.jsp“.

app("HTTP Input Validation mod 5"):
  requires(version: ARMR/2.2)
  http("HTTP single cookie with multiple validation rules"):
    request(paths: ["/webapp/testPageA.jsp", "/webapp/testPageB.jsp"])
    validate(cookies: ["name"], is: [html-no-single-quotes, html-no-double-quotes])
    protect(message: "invalid value for name HTTP cookie", severity: High)
  endhttp
endapp

The following mod ensures the HTTP request header “someHeader” is a valid html text. This applies to all HTTP endpoints.

app("HTTP Input Validation mod 6"):
  requires(version: ARMR/2.2)
  http("HTTP single header validation for all HTTP requests"):
    request()
    validate(headers: ["someHeader"], is: [html-text])
    protect(message: "invalid value for someHeader HTTP request header", severity: 7)
  endhttp
endapp

The following mod will detect occurrences of both of the HTTP request parameters “items” and “total” that contain either single or double-quote characters. This applies to all HTTP endpoints.

app("HTTP Input Validation mod 7"):
  requires(version: ARMR/2.2)
  http("Monitoring mode - multiple parameters with multiple validation rules"):
    request()
    validate(parameters: ["items", "total"], is: [sql-no-single-quotes, sql-no-double-quotes])
    detect(message: "Invalid value for HTTP parameter", severity: 7)
  endhttp
endapp

The following mod ensures the HTTP request parameter “items” is an integer. This applies to all HTTP endpoints. An empty string is given as the message parameter therefore a default log message will be generated.

app("HTTP Input Validation mod 8"):
  requires(version: ARMR/2.2)
  http("HTTP single parameter validation for all HTTP requests - default log message"):
    request()
    validate(parameters: ["items"], is: [integer])
    protect(message: "", severity: 7)
  endhttp
endapp

The following mod ensures the HTTP request header “someHeader” does not contain any double-quote characters. This applies to all HTTP endpoints. Logging is switched off by the omission of the log message parameter.

app("HTTP Input Validation mod 9"):
  requires(version: ARMR/2.2)
  http("HTTP single header validation for all HTTP requests - no log message"):
    request()
    validate(headers: ["someHeader"], is: [html-no-double-quotes])
    protect(severity: 4)
  endhttp
endapp