Input Validation and Input Sanitization for Web Applications

Sammanfattning: The rise of web-based applications is rapidly increasing with time and demand. As more and more web applications are being developed, so are the threats against these web applications' user-base. Input-basedattacks against web applications are becoming more common. A new task is in the hands of the developers, namely input handling. The security ofweb applications is now more relevant than ever before. This thesis investigates different methods used to build web applications that can prevent malicious input, specifically the infamous XSS attack. The methods covered in this thesis are using built-inimplementations from frameworks for client-side development and popular developer-made libraries for server-side.This thesis also collects real-life regular expressions from web applications used for input handling. These regular expressions have been evaluated with the Black Ostrich security scanner to determine whether a web application's given regular expression is safe enough to withstand malicious input. The results indicate that the applications built can never fully trust the client-side for input handling for web application development.There should always be server-side handling the input. Developers should always avoid rendering user input to the DOM unless the input has passed several layers of input handling. The thesis provides a script used to collect roughly 12000000 HTML documents, and from these documents, it gathered approximately 79000 regular expressions. These were the regular expressions that were evaluated on their safety, using the Black Ostrich security scanner.Roughly 13700 of them were deemed by the security scanner to be unsafe, indicating that nearly one-fifth of all regular expressions found fromthe parsed data set could be bypassed with an XSS-type string.