You should not trust user input. You have to filter every incoming request to make sure it is legitimate and that it does not attempt to alter your application's flow. Something as simple as supplying an incorrect parameter value can force unintended application behavior. By changing a parameter value to one outside the acceptable range, for example, an attacker can disclose information and bypass some security checks.
Another attack type consists of passing an arbitrary value to gain access to protected information. Sometimes when designing an application, developers choose a globally unique identifier (GUID) as the format for the content key. Part of the reason for this choice is to protect themselves from this kind of attack: developers tend to think that a GUID is less spoofable than an integer. The truth is that this is not a security feature; it is like hiding your head in the sand.
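The following example, added here and not part of the original text, shows both points in code: a numeric query parameter that is range-checked instead of trusted, and a content lookup keyed by GUID in two forms, one that relies only on the key being hard to guess and one that decides access from the requesting user's identity. The store, the two GUIDs and the user names are constructed sample data; the function names are assumptions for illustration.

```python
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    owner: str
    body: str


# Constructed sample store. Keys are random GUIDs, the design the text describes.
ALICE_DOC = uuid.UUID("1c9e2f6a-6d3b-4b4f-9f1a-2a0c7c5d8e10")  # constructed value
BOB_DOC = uuid.UUID("7a1f0c2e-3d44-4a9b-8c21-5e6f7a8b9c0d")    # constructed value
STORE = {
    ALICE_DOC: Document(owner="alice", body="alice's private notes"),
    BOB_DOC: Document(owner="bob", body="bob's private notes"),
}


def fetch_content_insecure(raw_key: str) -> Optional[str]:
    """Returns the document for any key that exists.

    The only 'protection' is that the GUID is hard to guess. Anyone who
    obtains a key (from a log, a shared link, a referrer header) reads the
    document, whoever they are. This is the 'head in the sand' design.
    """
    try:
        key = uuid.UUID(raw_key)
    except (ValueError, AttributeError, TypeError):
        return None
    doc = STORE.get(key)
    return doc.body if doc else None


def fetch_content(raw_key: str, requesting_user: str) -> str:
    """Hardened version: validate the key's format, then authorise from the
    caller's session identity rather than from knowledge of the key."""
    try:
        key = uuid.UUID(raw_key)
    except (ValueError, AttributeError, TypeError):
        raise ValueError("malformed content key")
    doc = STORE.get(key)
    # One error for both 'not found' and 'not yours', so the response does
    # not confirm which keys exist.
    if doc is None or doc.owner != requesting_user:
        raise PermissionError("content not available")
    return doc.body


MIN_PAGE_SIZE, MAX_PAGE_SIZE = 1, 100


def parse_page_size(raw: str) -> int:
    """Range check for a numeric request parameter.

    A value outside the acceptable range is rejected outright rather than
    silently clamped, so an out-of-range value cannot steer the flow.
    """
    try:
        value = int(raw)
    except (ValueError, TypeError):
        raise ValueError("page_size must be an integer")
    if not MIN_PAGE_SIZE <= value <= MAX_PAGE_SIZE:
        raise ValueError(
            f"page_size must be between {MIN_PAGE_SIZE} and {MAX_PAGE_SIZE}"
        )
    return value


if __name__ == "__main__":
    # Same key, two designs: the insecure lookup hands Bob's notes to anyone
    # holding the GUID; the hardened lookup refuses unless Bob is asking.
    print(fetch_content_insecure(str(BOB_DOC)))
    print(fetch_content(str(BOB_DOC), "bob"))
    try:
        fetch_content(str(BOB_DOC), "alice")
    except PermissionError as exc:
        print("alice ->", exc)
    print(parse_page_size("25"))
```

The design choice worth noting is that the key format never enters the authorisation decision: the GUID only selects the record, and the session identity decides whether the caller may read it. Validating the parameter's format and range first keeps malformed input out of the lookup entirely.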