Blacklists and Whitelists: How do they work?
by Alex
Hey, Alex here.
Blacklists and whitelists are two complementary validation techniques. They are widely implemented in all those situations where security is important, including web applications.
You can implement blacklists and whitelists in a similar way. However, they have opposite use cases and you must know which one to use. Also, there's quite a difference in the security they provide.
So, let's look at blacklists and whitelists and let's find out which one is more secure.
How blacklists and whitelists work.
A blacklist is a list of invalid values that cannot be accepted.
For example, when you register a new account, you can use a blacklist to prevent specific usernames from being used, like "admin" or "root".
Here's how it works:
$namesBlacklist = ['admin', 'root', 'system'];
$username = $_POST['username'] ?? '';

// Compare in lower case and with strict comparison, so that "Admin" or "ROOT" are caught too.
if (in_array(strtolower($username), $namesBlacklist, true)) {
    echo 'Sorry, you cannot use this username.';
}
There are plenty of blacklist examples. For example, when you are validating an input string like an email address or a password, you can use a blacklist of invalid characters that cannot be included.
You can also create a dynamic blacklist.
Dynamic blacklists are not hard-coded (like the $namesBlacklist variable in the previous example). Instead, they are created on the fly. For example, when you register a new account, the new username must not be already in use. Therefore, the current list of registered usernames is a dynamic blacklist, which is created in real time.
Whitelists are the complementary of blacklists. A whitelist is a list of values that can be accepted.
For example, let's say that you have an HTML page with a SELECT input:
<select name="myselect">
    <option value="first option">First option</option>
    <option value="second option">Second option</option>
</select>
You know that the "myselect" request value can only accept "first option" and "second option" as values. Therefore, you can use a whitelist containing those values and check the request value against it:
$whitelist = ['first option', 'second option'];
$value = $_POST['myselect'] ?? '';

// Strict comparison: only the two known values pass.
if (!in_array($value, $whitelist, true)) {
    echo 'Invalid value!';
}
This is the most important difference between blacklists and whitelists:
- When using a blacklist, you accept all values except those in the blacklist.
- When using a whitelist, you reject all values except those in the whitelist.
This difference is the key to understanding which technique is the most secure.
Security comparison.
Both blacklists and whitelists are part of the variable validation process. More precisely, they are part of what I call the filtering step in my security course.
Blacklists act as filters that filter out all the values in the list. They are essential in some cases, but it's important to remember that they always work in addition to other validation steps.
For example, let's take the usernames blacklist we saw before. To validate the username input value, applying the blacklist is not enough. You must also check the username's length, make sure it is not empty, and check that it contains valid characters.
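As an added example (not code from the original newsletter), here is the full username check that paragraph describes, combining the static blacklist with the other validation steps and with the dynamic blacklist of registered names. The `$isUsernameTaken` callback and the 3 to 20 character length limits are assumptions.

```php
<?php
// Added example, not from the original newsletter: the full username validation
// the text describes (non-empty, length, allowed characters, static blacklist,
// dynamic blacklist). $isUsernameTaken is an assumed callback standing in for
// the database lookup that builds the dynamic blacklist of registered names.
function validateUsername(string $username, callable $isUsernameTaken): array
{
    $namesBlacklist = ['admin', 'root', 'system'];
    $errors = [];
    $username = trim($username);

    if ($username === '') {
        return ['The username cannot be empty.'];
    }

    // Length limits (assumed policy: 3 to 20 characters; strlen is enough
    // because the character whitelist below only allows ASCII).
    $length = strlen($username);
    if ($length < 3 || $length > 20) {
        $errors[] = 'The username must be between 3 and 20 characters long.';
    }

    // Whitelist of allowed characters: everything outside this set is rejected,
    // which is stronger than a blacklist of "bad" characters.
    if (!preg_match('/^[A-Za-z0-9_]+\z/', $username)) {
        $errors[] = 'The username may only contain letters, digits and underscores.';
    }

    // Static blacklist, compared in lower case so "Admin" or "ROOT" are caught too.
    if (in_array(strtolower($username), $namesBlacklist, true)) {
        $errors[] = 'Sorry, you cannot use this username.';
    }

    // Dynamic blacklist: names that are already registered.
    if ($isUsernameTaken($username)) {
        $errors[] = 'This username is already in use.';
    }

    return $errors;
}

// Constructed sample data standing in for the users table.
$registered = ['alice', 'bob'];
$isTaken = fn(string $u): bool => in_array(strtolower($u), $registered, true);

foreach (['Admin', 'alice', 'a', 'good_name'] as $candidate) {
    $errors = validateUsername($candidate, $isTaken);
    echo $candidate, ': ', ($errors ? implode(' ', $errors) : 'OK'), PHP_EOL;
}
```

Only "good_name" passes every step; "Admin" is stopped by the static blacklist even though it is not written in lower case, and "alice" by the dynamic one.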
Whitelists, on the other hand, offer the maximum level of validation security. In fact, whitelist-based filters are so secure that they alone are enough to fully validate a variable.
You can think of the validation process as a reception check: people arrive and you must check if they are allowed in.
- Using a blacklist is like having a list of unwanted people, but everybody else can enter.
- Using a whitelist is like having an invitation list: only those on the list can enter, everybody else cannot.
Using a whitelist makes it near impossible to accept an invalid value, because you already know the exact list of all the values that will be accepted.
When to use blacklists and whitelists?
So, whitelists are very secure, but unfortunately you can't always use them.
Here is the thing: You can use a whitelist only when there is a finite and known list of possible values.
In other words, to use a whitelist you must know all the possible values upfront, and the number of those values must be limited. This is the case of the SELECT option values: you know all the values upfront, and they are limited (there are only 2).
However, you cannot have a list of all possible email addresses, usernames, file names and so on. In all these cases, using a whitelist is not possible.
Blacklists do not offer the same level of security as whitelists, but you can use them much more often. In fact, you can define a blacklist for almost any variable you need to validate. For example:
- a list of invalid usernames;
- a list of invalid characters;
- a list of invalid file extensions;
- ...and so on.
Let me know if you want more examples or if you have any questions.
And if you are interested in learning more about web security, you can take a look at my professional course.
That's all for today.
Now send me a reply with your questions and let me know what you think. I would love to hear from you.
Until next time, Alex
Premium products to improve your skills
PHP Security Mastery
How do you write PHP code that is always secure from attacks? In this course you will learn the defense techniques that really work, leaving nothing to chance. It's your chance to boost your programming skills and to increase your possibilities as a developer.
Take a look and see for yourself.
You are receiving this newsletter because you subscribed to Alex Web Develop.
If you unsubscribe, you will not get any more emails from me.
Alessandro Castellano, P.IVA (VAT ID): 07012140484, via Luigi Morandi 32, 50141 Firenze FI, Italy