Ask HN: How do I properly detect and exclude malicious user input?
We're just launching a new data store that will be populated with various kinds of user activity. How do I make sure that the data submitted to the datastore by the client, which is a browser in this use case, is not malicious?
Should I provide a nonce to the client and then validate that nonce when the data is submitted? If so, how should I implement this nonce function? Where can I find a peer reviewed nonce function implementation?
I think that determining malicious activity in general is a hard problem, and would involve detecting things such as:
rate of data submission normal-ness of behavior adherence to expected data structure
I expect that I will have to implement 1-3 on my own, but if I’m going to use a nonce I’d prefer not to roll my own.
Is a nonce worthwhile? If I’m just serving a nonce to a browser, that only requires that any malicious actor make HTTP requests and execute javascript, (as is possible with http://phantomjs.org/) extract the nonce, and then make a malicious request.
I’m out of my depth here, and would love some advice!
No comments yet.