Security Practices: Blocklist vs Allowlist
Today we are going to discuss a little bit about the security practice. We will cover the blacklist and whitelist in this post. Okay, Let’s get into it.
When implementing a mechanism that needs to discard some elements or reject the requests depending on input or action, people always consider adopting blocklist at first. With blocklist, we can filter out the elements that we don’t allow based on a list of elements. It allows people to specify a list of elements that they think are unsafe. Based on this list, the application is able to filter out the rejected elements and protect the application in some sense.
With the blocklist mechanism, everything sounds right. We are able to reject elements based on our predefined list. But what if you forget to add one of the cases on the list?
Let’s take SQL Injection as an example, assume you are building a blocklist to filter out some keywords to secure your application like whitespace, single quote, select, from, etc.
Now, it seems these rules are quite solid and the application is quite secure after implementing these rules. But, do you know whitespace can be replaced with /**/
? With this replacement, the attacker is able to break one of the rules to bypass the whitespace. Also, the select
keyword can have different variations like sElect, SELECT, sELeCt
, etc., if you forget to add all the variations to the list, the attacker can simply break the rules as well.
Side Topic
From the example above, we learned that it is hard to come up with all the combinations for a blocklist. So the allowlist comes, it provides a cautious approach for us to allow only our trusted input.
With allowlist, instead of creating a list to reject some elements, we create a list to allow the elements that are existing in the list only. Assume we only allow English characters and a few special characters like underscore, exclamation mark, and full stop, we can build an allowlist that contains only these characters and check whether the data has followed the rules or not. When implementing this mechanism, the data rules are more strict and we don’t need to be scared about missing something.
In conclusion, when choosing blocklist or allowlist, you should think about your actual scenario carefully and choose the suitable approach for your scenario after reviewing your system requirement.
Share your thought
If you want to limit the application access to a small group of users, which approach will you use? Blocklist or Allowlist?