Update Input_Validation_Cheat_Sheet.md (#1540)

* Update Input_Validation_Cheat_Sheet.md add that denylist is recommended but only as supplementary defense and not primary * Update cheatsheets/Input_Validation_Cheat_Sheet.md Co-authored-by: Shlomo Zalman Heigh <shlomozalmanheigh@gmail.com> --------- Co-authored-by: mackowski <35339942+mackowski@users.noreply.github.com> Co-authored-by: Shlomo Zalman Heigh <shlomozalmanheigh@gmail.com>
OWASP · Nov 22, 2024 · 32a639d · 32a639d
1 parent df72556
commit 32a639d
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/cheatsheets/Input_Validation_Cheat_Sheet.md b/cheatsheets/Input_Validation_Cheat_Sheet.md
@@ -31,13 +31,16 @@ Input validation can be implemented using any programming technique that allows
 - Minimum and maximum value range check for numerical parameters and dates, minimum and maximum length check for strings.
 - Array of allowed values for small sets of string parameters (e.g. days of week).
 - Regular expressions for any other structured data covering the whole input string `(^...$)` and **not** using "any character" wildcard (such as `.` or `\S`)
+- Denylisting known dangerous patterns can be used as an additional layer of defense, but it should supplement - not replace - allowlisting, to help catch some commonly observed attacks or patterns without relying on it as the main validation method.
 
 ### Allowlist vs Denylist
 
 It is a common mistake to use denylist validation in order to try to detect possibly dangerous characters and patterns like the apostrophe `'` character, the string `1=1`, or the `<script>` tag, but this is a massively flawed approach as it is trivial for an attacker to bypass such filters.
 
 Plus, such filters frequently prevent authorized input, like `O'Brian`, where the `'` character is fully legitimate. For more information on XSS filter evasion please see [this wiki page](https://owasp.org/www-community/xss-filter-evasion-cheatsheet).
 
+While denylisting can be useful as an additional layer of defense to catch some common malicious patterns, it should not be relied upon as the primary method. Allowlisting remains the more robust and secure approach for preventing potentially harmful input.
+
 Allowlist validation is appropriate for all input fields provided by the user. allowlist validation involves defining exactly what IS authorized, and by definition, everything else is not authorized.
 
 If it's well structured data, like dates, social security numbers, zip codes, email addresses, etc. then the developer should be able to define a very strong validation pattern, usually based on regular expressions, for validating such input.