SlideShare a Scribd company logo

WhiteList Checker: An Eclipse Plugin to Improve Application Security

G
guest032fe5

1) WhiteList Checker is an Eclipse plugin that aims to improve application security by helping developers perform proper input validation. 2) It identifies untrusted input sources like user-submitted parameters and interactively notifies developers to insert validation code using predefined validation rules. 3) These rules include syntactic rules using regular expressions to validate inputs like emails and filenames, as well as semantic rules that are type-specific like restricting files to a certain directory.

Technology
1 of 11
Download to read offline
WhiteList Checker: An Eclipse Plugin to Improve Application Security Bill Chu, Jing Xie, Will Stranathan University of North Carolina at Charlotte
Motivation  Lack of proper input validation is a cause of many software vulnerabilities  XSS, SQL injection, File inclusion, Log forging, Path Manipulation etc.  White list vs. Black list validation  White list input validation is not easy to do, even for common input types (e.g. names)  Support for input validation can be baked into IDE
WhiteList Checker • Identify untrusted input String username = request.getParameter(“username”); • Interactively notify developer (similar to syntax String username = request.getParameter(“username”); try{ Validation.validate(username, “safe_text”); error) }catch(InputValidationException e) { username = “safe text”; } • Present choice of input types • Insert validation code
Trust boundary definition  API calls  HttpServletRequest.getParameter()  Parameters / variables  main (String[] args)
Input validation rules  WhiteList Checker is initialized with a set of regular expressions developed by OWASP for input validation  Syntactic rules  Regular expressions  e.g. email, full path file name  Semantic rules  Specific to input type  e.g. files under /usr/billchu  User defined rules
Building a data dictionary  Identify all input times and where they are input to the application  Answer queries:  How many places in this application we accept credit card numbers from the user?  Does this application accept sensitive information from the customer?
Generate customized rules for static analysis  Fortify Example  Generate rules that removes taints to reduce false positives
Future work  Dataflow analysis for input of composite type  Implement semantic validation rules  Dynamic languages  Evaluation including user studies

Recommended

Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentLesa Cote
 
Resharper - Next Steps
Resharper - Next StepsResharper - Next Steps
Resharper - Next StepsTimmy Kokke
 
Furore devdays2017 tdd-2-advanced
Furore devdays2017 tdd-2-advancedFurore devdays2017 tdd-2-advanced
Furore devdays2017 tdd-2-advancedDevDays
 
Type Checking in Javascript with Flow
Type Checking in Javascript with FlowType Checking in Javascript with Flow
Type Checking in Javascript with FlowYos Riady
 
Validate your entities with symfony validator and entity validation api
Validate your entities with symfony validator and entity validation apiValidate your entities with symfony validator and entity validation api
Validate your entities with symfony validator and entity validation apiRaffaele Chiocca
 
JetBrains ReSharper
JetBrains ReSharperJetBrains ReSharper
JetBrains ReSharperDennis Loktionov
 
JetBrains ReSharper
JetBrains ReSharperJetBrains ReSharper
JetBrains ReSharperSorin Oboroceanu
 
Mule soft meetup_4_mty_online_oct_2020
Mule soft meetup_4_mty_online_oct_2020Mule soft meetup_4_mty_online_oct_2020
Mule soft meetup_4_mty_online_oct_2020Veyra Celina
 

Recommended

Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentLesa Cote
 
Resharper - Next Steps
Resharper - Next StepsResharper - Next Steps
Resharper - Next StepsTimmy Kokke
 
Furore devdays2017 tdd-2-advanced
Furore devdays2017 tdd-2-advancedFurore devdays2017 tdd-2-advanced
Furore devdays2017 tdd-2-advancedDevDays
 
Type Checking in Javascript with Flow
Type Checking in Javascript with FlowType Checking in Javascript with Flow
Type Checking in Javascript with FlowYos Riady
 
Validate your entities with symfony validator and entity validation api
Validate your entities with symfony validator and entity validation apiValidate your entities with symfony validator and entity validation api
Validate your entities with symfony validator and entity validation apiRaffaele Chiocca
 
JetBrains ReSharper
JetBrains ReSharperJetBrains ReSharper
JetBrains ReSharperDennis Loktionov
 
JetBrains ReSharper
JetBrains ReSharperJetBrains ReSharper
JetBrains ReSharperSorin Oboroceanu
 
Mule soft meetup_4_mty_online_oct_2020
Mule soft meetup_4_mty_online_oct_2020Mule soft meetup_4_mty_online_oct_2020
Mule soft meetup_4_mty_online_oct_2020Veyra Celina
 
ReSharper Presentation for NUGs
ReSharper Presentation for NUGsReSharper Presentation for NUGs
ReSharper Presentation for NUGsDmitri Nesteruk
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeAleksandar Bozinovski
 
Introduction to Core Java Programming
Introduction to Core Java ProgrammingIntroduction to Core Java Programming
Introduction to Core Java ProgrammingRaveendra R
 
Code quality
Code qualityCode quality
Code qualityHussain Mansoor
 
Executable specifications for xtext
Executable specifications for xtextExecutable specifications for xtext
Executable specifications for xtextmeysholdt
 
Security for developers
Security for developersSecurity for developers
Security for developersAbdelrhman Shawky
 
Static analysis for security
Static analysis for securityStatic analysis for security
Static analysis for securityFadi Abdulwahab
 
Module 9 : using reference type variables
Module 9 : using reference type variablesModule 9 : using reference type variables
Module 9 : using reference type variablesPrem Kumar Badri
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorizationzakieh alizadeh
 
Crafting Software with Illegal States Unrepresentable
Crafting Software with Illegal States UnrepresentableCrafting Software with Illegal States Unrepresentable
Crafting Software with Illegal States UnrepresentableScott Nimrod
 
WhiteList Checker: An Eclipse Plugin to Improve Application Security
WhiteList Checker: An Eclipse Plugin to Improve Application SecurityWhiteList Checker: An Eclipse Plugin to Improve Application Security
WhiteList Checker: An Eclipse Plugin to Improve Application Securityguest56b7565
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against InjectionsBlueinfy Solutions
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net ProgrammingAdam Getchell
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017Eoin Keary
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
FORENSIC PRESTTN
FORENSIC PRESTTNFORENSIC PRESTTN
FORENSIC PRESTTNRufa'i Mustapha
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...GeeksLab Odessa
 
Input validation errors
Input validation errorsInput validation errors
Input validation errorsmanoharparakh
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validationzakieh alizadeh
 

More Related Content

What's hot

ReSharper Presentation for NUGs
ReSharper Presentation for NUGsReSharper Presentation for NUGs
ReSharper Presentation for NUGsDmitri Nesteruk
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeAleksandar Bozinovski
 
Introduction to Core Java Programming
Introduction to Core Java ProgrammingIntroduction to Core Java Programming
Introduction to Core Java ProgrammingRaveendra R
 
Executable specifications for xtext
Executable specifications for xtextExecutable specifications for xtext
Executable specifications for xtextmeysholdt
 
Static analysis for security
Static analysis for securityStatic analysis for security
Static analysis for securityFadi Abdulwahab
 
Module 9 : using reference type variables
Module 9 : using reference type variablesModule 9 : using reference type variables
Module 9 : using reference type variablesPrem Kumar Badri
 
Crafting Software with Illegal States Unrepresentable
Crafting Software with Illegal States UnrepresentableCrafting Software with Illegal States Unrepresentable
Crafting Software with Illegal States UnrepresentableScott Nimrod
 

What's hot (10)

ReSharper Presentation for NUGs
ReSharper Presentation for NUGsReSharper Presentation for NUGs
ReSharper Presentation for NUGs
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable Code
 
Introduction to Core Java Programming
Introduction to Core Java ProgrammingIntroduction to Core Java Programming
Introduction to Core Java Programming
 
Code quality
Code qualityCode quality
Code quality
 
Executable specifications for xtext
Executable specifications for xtextExecutable specifications for xtext
Executable specifications for xtext
 
Security for developers
Security for developersSecurity for developers
Security for developers
 
Static analysis for security
Static analysis for securityStatic analysis for security
Static analysis for security
 
Module 9 : using reference type variables
Module 9 : using reference type variablesModule 9 : using reference type variables
Module 9 : using reference type variables
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 
Crafting Software with Illegal States Unrepresentable
Crafting Software with Illegal States UnrepresentableCrafting Software with Illegal States Unrepresentable
Crafting Software with Illegal States Unrepresentable
 

Similar to WhiteList Checker: An Eclipse Plugin to Improve Application Security

WhiteList Checker: An Eclipse Plugin to Improve Application Security
WhiteList Checker: An Eclipse Plugin to Improve Application SecurityWhiteList Checker: An Eclipse Plugin to Improve Application Security
WhiteList Checker: An Eclipse Plugin to Improve Application Securityguest56b7565
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net ProgrammingAdam Getchell
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017Eoin Keary
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...GeeksLab Odessa
 
Input validation errors
Input validation errorsInput validation errors
Input validation errorsmanoharparakh
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validationzakieh alizadeh
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
 
Protecting web apps
Protecting web appsProtecting web apps
Protecting web appsOmkar Parab
 
Web Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfWeb Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfInfosec train
 
Web Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfWeb Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfinfosecTrain
 
Web Application Penetration Testing Checklist
Web Application Penetration Testing ChecklistWeb Application Penetration Testing Checklist
Web Application Penetration Testing Checklistpriyanshamadhwal2
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 

Similar to WhiteList Checker: An Eclipse Plugin to Improve Application Security (20)

WhiteList Checker: An Eclipse Plugin to Improve Application Security
WhiteList Checker: An Eclipse Plugin to Improve Application SecurityWhiteList Checker: An Eclipse Plugin to Improve Application Security
WhiteList Checker: An Eclipse Plugin to Improve Application Security
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net Programming
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
FORENSIC PRESTTN
FORENSIC PRESTTNFORENSIC PRESTTN
FORENSIC PRESTTN
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...
 
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
 
Input validation errors
Input validation errorsInput validation errors
Input validation errors
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validation
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
 
Protecting web apps
Protecting web appsProtecting web apps
Protecting web apps
 
Web Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfWeb Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdf
 
Web Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdfWeb Application Penetration Testing Checklist.pdf
Web Application Penetration Testing Checklist.pdf
 
Web Application Penetration Testing Checklist
Web Application Penetration Testing ChecklistWeb Application Penetration Testing Checklist
Web Application Penetration Testing Checklist
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injection
 
ieee
ieeeieee
ieee
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 

WhiteList Checker: An Eclipse Plugin to Improve Application Security

  • 1. WhiteList Checker: An Eclipse Plugin to Improve Application Security Bill Chu, Jing Xie, Will Stranathan University of North Carolina at Charlotte
  • 2. Motivation  Lack of proper input validation is a cause of many software vulnerabilities  XSS, SQL injection, File inclusion, Log forging, Path Manipulation etc.  White list vs. Black list validation  White list input validation is not easy to do, even for common input types (e.g. names)  Support for input validation can be baked into IDE
  • 3. WhiteList Checker • Identify untrusted input String username = request.getParameter(“username”); • Interactively notify developer (similar to syntax String username = request.getParameter(“username”); try{ Validation.validate(username, “safe_text”); error) }catch(InputValidationException e) { username = “safe text”; } • Present choice of input types • Insert validation code
  • 4.
  • 5.
  • 6.
  • 7. Trust boundary definition  API calls  HttpServletRequest.getParameter()  Parameters / variables  main (String[] args)
  • 8. Input validation rules  WhiteList Checker is initialized with a set of regular expressions developed by OWASP for input validation  Syntactic rules  Regular expressions  e.g. email, full path file name  Semantic rules  Specific to input type  e.g. files under /usr/billchu  User defined rules
  • 9. Building a data dictionary  Identify all input times and where they are input to the application  Answer queries:  How many places in this application we accept credit card numbers from the user?  Does this application accept sensitive information from the customer?
  • 10. Generate customized rules for static analysis  Fortify Example  Generate rules that removes taints to reduce false positives
  • 11. Future work  Dataflow analysis for input of composite type  Implement semantic validation rules  Dynamic languages  Evaluation including user studies