Fuzzing Fuzzing techniques can be useful for detecting input validation errors.
When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages.
While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user.As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash.Phases: Architecture and Design; Implementation Strategy: Identify and Reduce Attack Surface Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application.Remember that such inputs may be obtained indirectly through API calls.Notice that even if the programmer were to defend the $birthday variable by restricting input to integers and dashes, it would still be possible for an attacker to provide a string of the form: If this data were used in a SQL statement, it would treat the remainder of the statement as a comment.
The comment could disable other security-related logic in the statement.
This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied.
If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown.
In this case, encoding combined with input validation would be a more useful protection mechanism.
Furthermore, an XSS (CWE-79) attack or SQL injection (CWE-89) are just a few of the potential consequences when input validation is not used.
This allows the analyst to focus on areas of the software in which input validation does not appear to be present.