Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Question on input validation
From: Noah Gray (ngraylightport.com)
Date: Tue Sep 23 2003 - 13:43:18 CDT
Would it be considered any less secure to, rather than validate input parameter types, instead synchronous-key-hash the parameters and compare the hash on the receiving side?
FormA Gets/Posts to FormB with the following parameters:
Using the Input and Authorization checking, one must check the types (string/int, not null, greater than 0, etc). Additionally, one must validate the users permission to the Authorized resource, as well as their permission to execute the specified permission.
However, using a synch-key hash, such as HMAC-SHA1, I could simply pass a third parameter, ParmHash, that the receiving script could also generate and compare using a shared key. Doing this, I needn't worry about the user's permission to do anything that is signed from my calling script, nor about the input's validity. I can save a round-trip to the database to do any permission lookup, thus making the application more efficient. The only issue is that links or form posts must be pre-generated by the server, and clearly this would not be possible in every situation.
The question is, how, if at all, might this be a bad idea?
ngray at lightport.com