{"id":5902,"date":"2023-02-28T22:00:00","date_gmt":"2023-02-28T22:00:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/2012\/10\/26\/prevent-web-attacks-using-input-sanitization\/"},"modified":"2023-07-14T13:28:11","modified_gmt":"2023-07-14T13:28:11","slug":"prevent-web-attacks-using-input-sanitization","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/","title":{"rendered":"How to Use Input Sanitization to Prevent Web Attacks"},"content":{"rendered":"<p>Despite all of our investments in security tools, the codebase can be the weakest link for any organization&#8217;s cybersecurity. Sanitizing and validating inputs is usually the first layer of defense.<\/p>\n<p>Attackers have been using classic flaws for years with a pretty high success rate. While advanced threat actors have more sophisticated approaches such as adversarial machine learning, advanced <a href=\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/\" rel=\"noopener\">obfuscation<\/a>, and <a href=\"https:\/\/www.esecurityplanet.com\/threats\/zero-day-threat\/\" rel=\"noopener\">zero-day exploits<\/a>, classic attack techniques such as <a href=\"https:\/\/www.esecurityplanet.com\/threats\/how-to-prevent-sql-injection-attacks\/\" rel=\"noopener\">SQL injection<\/a>, cross-site scripting (<a href=\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-xss-attacks\/\" rel=\"noopener\">XSS<\/a>), remote file inclusion (<a href=\"https:\/\/www.esecurityplanet.com\/endpoint\/how-to-prevent-remote-file-inclusion-rfi-attacks\/\" rel=\"noopener\">RFI<\/a>) and <a href=\"https:\/\/www.esecurityplanet.com\/threats\/common-it-security-vulnerabilities-how-to-prevent-them\/\" rel=\"noopener\">directory traversal<\/a> are still the most common attacks.<\/p>\n<p>These techniques are often the first step on the way to privilege escalation and lateral movements. 
That&#8217;s why developers must sanitize and validate data correctly before processing transactions or saving any entry in a database.<\/p>\n<p>Here we&#8217;ll focus on sanitizing and validating inputs, but other elements such as a server&#8217;s configurations must also be taken into account to properly secure forms.<\/p>\n<p><strong>See the <a href=\"https:\/\/www.esecurityplanet.com\/products\/top-web-application-firewall-waf-vendors\/\" rel=\"noopener\">Top Web Application Firewall (WAF) Solutions<\/a><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"What-is-the-Difference-Between-Sanitizing-and-Validating-Input\"><\/span>What is the Difference Between Sanitizing and Validating Input?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Validation checks whether an input \u2014 say on a web form \u2014 complies with specific policies and constraints
(for example, a rule that forbids single quotation marks). For example, consider the following input:<\/p>\n<p><code>&lt;input id=\"num\" name=\"num\" type=\"number\" \/&gt;<br \/>\n<\/code><br \/>\nIf there&#8217;s no validation, nothing prevents an attacker from exploiting the form by entering unexpected inputs instead of the expected number. He or she could also try to execute code directly if submitted forms are stored in a database, which is pretty common.<\/p>\n<p>To prevent such a bad situation, developers must add a validation step where the data is inspected before proceeding. For example, using a popular language like PHP, you can check the data type, the length, and many other criteria.<\/p>\n<p>Sanitizing consists of removing any unsafe characters from user inputs, and validating will check to see if the data is in the expected format and type. Sanitizing modifies the input to ensure it\u2019s in a valid format for display, or before insertion in a database.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Why-You-Should-Use-Input-Sanitization-and-Validation\"><\/span>Why You Should Use Input Sanitization and Validation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The most common techniques used against weak inputs are probably cross-site scripting (XSS) attacks, which involve attackers injecting malicious scripts into otherwise trustworthy websites.<\/p>\n<p>Some XSS attacks are more obvious than others, which means that even if you take the time to sanitize and validate your inputs, a skilled attacker might still find a way to inject malicious code under specific conditions.<\/p>\n<p>A classic attack demo consists of injecting the following script in a weak input, where the &#8216;XSS&#8217; string is a placeholder for arbitrary JavaScript:<\/p>\n<p><code>&lt;script&gt;alert('XSS')&lt;\/script&gt;<br \/>\n<\/code><br \/>\nIf the content of the input is displayed on the page (or elsewhere), the attacker can execute arbitrary JavaScript on
the targeted website. The typical case is a vulnerable search input that displays the search term on the page:<\/p>\n<p><code>https:\/\/mysite.com\/?s=&lt;script&gt;alert('XSS')&lt;\/script&gt;<br \/>\n<\/code><br \/>\nIt gets worse if the malicious entry is stored in the database. The demo code might look fun to play with, but in real-world conditions attackers can do a lot of things with JavaScript, sometimes even steal cookies.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"When-Not-to-Use-Sanitization\"><\/span>When Not to Use Sanitization<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The biggest problem with sanitization is the false impression of <a href=\"https:\/\/www.esecurityplanet.com\/networks\/network-security\/\">security<\/a> it might give. Stripping unwanted chars and HTML tags is only one layer of checking. It&#8217;s often poorly executed and removes too much information like legitimate quotes and special chars while it does not cover all angles of attack. You cannot apply generic rules blindly.<\/p>\n<p>The context is the key, which includes the programming languages in use. More on this later, but it\u2019s important to follow a principle called &#8220;escape late&#8221; (for example, just before output) because you know the exact context where the data is used.<\/p>\n<p>In my experience, the trickiest situations are when you need to allow raw inputs and other permissive configurations. 
In such cases, it becomes very hard to sanitize data correctly, and you have to maintain a custom whitelist of allowed characters or manually blacklist some malicious patterns.<\/p>\n<p>It&#8217;s recommended to use robust libraries and frameworks instead.<\/p>\n<p>More generally, developers must not hesitate to return errors on bad inputs instead of resorting to guessing or fixing, which is prone to errors and flaws.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Best-Practices-Sanitizing-Inputs-Validation-Strict-Mode\"><\/span>Best Practices: Sanitizing Inputs, Validation, Strict Mode<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There are some principles and best practices that dev teams can follow for the best possible results. We&#8217;ll cover the broad categories, along with specifics to watch for.<\/p>\n<h3>Don&#8217;t Trust User Inputs<\/h3>\n<p>Some websites don&#8217;t bother checking user inputs, which exposes the application to the maximum level of danger. Fortunately, that&#8217;s getting rarer thanks to security awareness and code analysis. However, incomplete sanitization is not a great solution either.<\/p>\n<p>Here are a few of the possible attack paths you need to think about.<\/p>\n<h4>GET requests<\/h4>\n<p>If developers don&#8217;t sanitize strings correctly, attackers can take advantage of XSS flaws such as:<\/p>\n<p><code>https:\/\/mysite.com\/?s=&lt;script&gt;console.log('you are in trouble!');&lt;\/script&gt;<\/code><\/p>\n<p>Classic cybersecurity awareness usually highlights the above example with a simple console.log or even an alert. 
However, it shows that anyone can execute arbitrary JavaScript on your page by simply sending a shortened version of the malformed URL to unsuspecting victims.<\/p>\n<p>Some XSS flaws can even be persistent (stored in the database, for example), which spares attackers the hassle of making the victim click on something, since the website itself serves the malicious <a href=\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-use-payloads-to-take-over-your-machine\/\" rel=\"noopener\">payloads<\/a> to its users.<\/p>\n<h4>Cookies<\/h4>\n<p>Websites often use HTTP cookies for session management, customization, and tracking. For example, developers can log in users, remember their preferences, and analyze their behaviors.<\/p>\n<p>The server generates a cookie, a small piece of data, and sends it to the browser, which stores it for later requests. As a result, stealing cookies allows attackers to impersonate the victims, giving them immediate access to the targeted accounts without logging in.<\/p>\n<p>Moreover, hackers don&#8217;t have to compromise the victim&#8217;s computer. Because HTTP cookies are sent along with each request, attackers can intercept those requests to steal data during man-in-the-middle (MITM) attacks, for example.<\/p>\n<p>A more sophisticated approach can use an XSS attack to insert malicious code into the targeted website to ultimately copy users\u2019 cookies and perform harmful actions in their name.<\/p>\n<p>While Google plans to phase out cookies in its Chrome browser next year, it&#8217;s still important to develop best practices for cybersecurity. For example, as of 2022, SSL (Secure Sockets Layer) is no longer an optional layer. However, if the code sends non-SSL requests, cookies will be sent in plain text, so make sure you are using SSL everywhere.<\/p>\n<p>Another good practice is to always set the HttpOnly attribute so that cookies cannot be read by JavaScript.
The SameSite attribute is also recommended for developers.<\/p>\n<p>While cookies are convenient for both users and developers, modern authentication and APIs allow better approaches. As storing data in client-side databases allows for many safety and privacy vulnerabilities, it&#8217;s better to implement other more secure practices instead.<\/p>\n<h4>POST requests<\/h4>\n<p>POST requests carry their data in the request body rather than in the URL, for example when you upload an image to your online account or when you submit a contact form, such as:<\/p>\n<pre>&lt;form action=\"https:\/\/my-website.com\/contact\" method=\"POST\"&gt;<\/pre>\n<p>A common misconception is that POST requests are more secure than GET requests. However, at most, POST requests are security through obscurity. While it is better to use POST requests for user modifications, it\u2019s not great for security-related purposes, and it won&#8217;t harden security magically.<\/p>\n<p>One very simple way to sanitize and validate POST data in PHP is the filter_var() function:<\/p>\n<pre>&lt;?php\n\/\/ Sanitize a POST field; FILTER_SANITIZE_STRING is deprecated since PHP 8.1,\n\/\/ so prefer FILTER_SANITIZE_SPECIAL_CHARS or escaping at output time\n$message = filter_var($_POST['message'] ?? '', FILTER_SANITIZE_STRING);\n\/\/ Validate an e-mail address: returns the address, or false if it is invalid\n$email = filter_var('bobby.fisher@chess.com', FILTER_VALIDATE_EMAIL);\n<\/pre>\n<p>Another good practice in PHP is to use <a href=\"https:\/\/www.php.net\/manual\/ru\/function.htmlentities.php\" target=\"_blank\" rel=\"noopener\">htmlentities()<\/a> to escape HTML special characters in a string before output.<\/p>\n<p>As with cookies, always use SSL to encrypt data, so only TCP\/IP information will be left unencrypted.<\/p>\n<h4>Directory traversal<\/h4>\n<p>If the codebase includes an image tag such as<\/p>\n<pre><code>&lt;img src=\"\/getImages?filename=image12.png\" \/&gt;\n<\/code><\/pre>\n<p>then hackers may try using<\/p>\n<pre>https:\/\/yourwebsite.com\/getImages?filename=..\/..\/..\/etc\/passwd\n<\/pre>\n<p>to gain access to users&#8217; information.<\/p>\n<p>However, if your server is configured correctly, such attempts to disclose confidential information will be
blocked. You should also consider filtering user inputs and ensuring that only the expected formats and data types are transmitted.<\/p>\n<p><strong>Also read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/applications\/top-code-debugging-and-code-security-tools\/\" rel=\"noopener\"><strong>Top Code Debugging and Code Security Tools<\/strong><\/a><\/p>\n<h3>Don&#8217;t Trust Client-Side Validation<\/h3>\n<p>A common misconception, especially for beginners, is to rely on HTML and JavaScript only to validate form data. While HTML allows defining patterns and required fields, such as setting a character limit or requiring specific fields to be filled, there is no HTML attribute or JavaScript code that can&#8217;t be modified on the client side.<\/p>\n<p>Hackers might also submit the form using cURL or any HTTP client, so the client side is absolutely not a secure layer to validate forms.<\/p>\n<h3>Enable Strict Mode<\/h3>\n<p>Whenever you can, enable strict mode, whether it\u2019s PHP, JavaScript or SQL, or any other language. However, as strict mode rejects a lot of convenient but loose syntax, it might be difficult to enable if you have significant technical debt and legacy code.<\/p>\n<p>On the other hand, if you don&#8217;t code in strict mode, the engine starts making guesses and can even modify values automatically to make the code work. This opens up vulnerabilities hackers can utilize to inject malicious commands.<\/p>\n<p>For example, in 2015, Andrew Nacin, a major contributor to WordPress, <a href=\"https:\/\/www.youtube.com\/watch?v=yQaRUEwEKxE\" target=\"_blank\" rel=\"noopener\">explained<\/a> how a critical security bug could have been avoided just by enabling strict mode in SQL.
He demonstrated how hackers could exploit a critical vulnerability by using four-byte characters to force MySQL truncation and then inject malicious code in the database.<\/p>\n<p>While a simple solution to prevent such an attack would be to execute the command <code>SET SESSION sql_mode = \"STRICT_ALL_TABLES\"<\/code>, it is impossible to enable this without breaking all websites powered by WordPress.<\/p>\n<h3>Consult the OWASP Web Testing Guide<\/h3>\n<p>OWASP, the Open Web Application Security Project, maintains comprehensive documentation called the Web Security Testing Guide (WSTG) that includes <a href=\"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/README\" target=\"_blank\" rel=\"noopener\">input validation<\/a>.<\/p>\n<p>This guide offers information on how to test various injections and other sneaky attacks on inputs. The content is frequently updated, and there are detailed explanations for various scenarios.<\/p>\n<p>For example, you can check out their page on <a href=\"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/02-Testing_for_Stored_Cross_Site_Scripting\" target=\"_blank\" rel=\"noopener\">Testing for Stored Cross Site Scripting<\/a> to learn how persistent XSS works and how to reproduce the exploit.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-21637\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2012\/10\/XSS-example.jpg\" alt=\"XSS example\" width=\"726\" height=\"184\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example.jpg 726w, https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example-300x76.jpg 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example-150x38.jpg 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example-696x176.jpg 696w\"
sizes=\"(max-width: 726px) 100vw, 726px\" \/><\/p>\n<p><strong>Also read:<\/strong> <strong><a href=\"https:\/\/www.esecurityplanet.com\/applications\/owasp-list-gets-a-new-top-vulnerability\/\" rel=\"noopener\">OWASP Names a New Top Vulnerability for First Time in Years<\/a><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Bottom-Line-Sanitize-Validate-and-Escape-Late\"><\/span>Bottom Line: Sanitize, Validate, and Escape Late<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Sanitizing and validating inputs is a mandatory dev practice, but you cannot apply a generic solution to all entries. You have to consider the specific contexts to be able to block injections. Moreover, don&#8217;t store anything in the database without validating it, but also escape values before displaying them, as some injections can poison database records.<\/p>\n<p>Another essential practice is to escape data as late as possible, preferably just before display. This way, you know the final context precisely and no data is left unescaped.<\/p>\n<p>Lastly, spend time on fine-tuning static code analysis.
This process can tend to generate a lot of false positives, such as XSS flaws that can&#8217;t be exploited; however, every single HTML attribute and tag that gets its value dynamically should be escaped.<\/p>\n<p>While hackers won&#8217;t be able to exploit all tags to grab sensitive data or trick logged in users, you should still incorporate static analysis to prevent as many vulnerabilities as possible.<\/p>\n<p><strong>Read next:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/applications\/software-supply-chain-security-guidance-for-developers\/\"><strong>Software Supply Chain Security Guidance for Developers<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/devsecops-tools\/\"><strong>Best DevSecOps Tools<\/strong><\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Despite all of our investments in security tools, the codebase can be the weakest link for any organization&#8217;s cybersecurity. Sanitizing and validating inputs is usually the first layer of defense. Attackers have been using classic flaws for years with a pretty high success rate. While advanced threat actors have more sophisticated approaches such as adversarial [&hellip;]<\/p>\n","protected":false},"author":267,"featured_media":21637,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[22,19],"tags":[5277],"b2b_audience":[25],"b2b_industry":[],"b2b_product":[377,392],"class_list":["post-5902","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-applications","category-endpoint","tag-web-security","b2b_audience-audience","b2b_product-gateway-and-network-security","b2b_product-web-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Use Input Sanitization to Prevent Web Attacks<\/title>\n<meta name=\"description\" content=\"Input sanitization is an important security measure that can protect your website against attacks.
Learn more now.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Use Input Sanitization to Prevent Web Attacks\" \/>\n<meta property=\"og:description\" content=\"Input sanitization is an important security measure that can protect your website against attacks. Learn more now.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-28T22:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-14T13:28:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"726\" \/>\n\t<meta property=\"og:image:height\" content=\"184\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Julien Maury\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Julien Maury\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/\"},\"author\":{\"name\":\"Julien Maury\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a\"},\"headline\":\"How to Use Input Sanitization to Prevent Web Attacks\",\"datePublished\":\"2023-02-28T22:00:00+00:00\",\"dateModified\":\"2023-07-14T13:28:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/\"},\"wordCount\":1867,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example.jpg\",\"keywords\":[\"Web security\"],\"articleSection\":[\"Applications\",\"Endpoint\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/\",\"name\":\"How to Use Input Sanitization to Prevent Web 
Attacks\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example.jpg\",\"datePublished\":\"2023-02-28T22:00:00+00:00\",\"dateModified\":\"2023-07-14T13:28:11+00:00\",\"description\":\"Input sanitization is an important security measure that can protect your website against attacks. Learn more now.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2012\/10\/XSS-example.jpg\",\"width\":726,\"height\":184,\"caption\":\"XSS example\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/endpoint\/prevent-web-attacks-using-input-sanitization\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Use Input Sanitization to Prevent Web Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how 
to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a\",\"name\":\"Julien Maury\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp\",\"caption\":\"Julien Maury\"},\"description\":\"eSecurity Planet contributor Julien Maury writes about penetration testing, code security, open source security and more. He is a backend developer, a mentor and a technical writer who enjoys sharing his knowledge and learning new concepts.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/jmaury\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}