Struts validation framework Part 2

Published on: null Bangalore January 2014 Meet
Published in: Technology, Education

1. Disclaimer
   Opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.

2. Courtesy
   Google for images, SlideShare for slides, Wikipedia for text.

3. Struts validation framework: Web Application Security

4. Structure
   • What, why, how: MVC? Concept and origin; execution process.
   • What, why, how: web framework? Features.
   • What, why, how: validation framework?

5. Attackers: why should I care?
   • Applications are getting smarter.
   • Applications are getting tougher.
   • The old strategy may not work.
   • Strategy: move from outside-in to inside-out, with an understanding of the internals.
   • Defenders: how to write, or suggest, defensive programming.

6. Software evolution
   • First prototype of a computer mouse.
   • 1979: introduction of graphic "views" in computing; early Apple GUI.
   • Formulated by Norwegian computer scientist Trygve Reenskaug for graphical user interface (GUI) software design, the MVC architecture was one of the primary outcomes of GUI development.
7. Software architecture pattern
   Separates the representation of information from user interaction. Promotes:
   • Code reusability
   • Separation of concerns

8. Code reusability and separation of concerns
   • Shortens development
   • Improves code clarity and organization
   • Code libraries, design patterns, frameworks
   • Helps troubleshooting by isolating issues
   • Allows multiple teams to develop simultaneously

9. Big picture
   Design patterns > MVC > Frameworks > Struts validation framework, Spring validation framework

10. Opportunity to attack
   Without framework:
   • XSS
   • SQL injection
   • Command injection
   • XML injection
   With framework

11. Types of MVC frameworks
   • ASP.NET (ASP.NET 4.0 Framework)
   • PHP (Zend, Symfony, CakePHP, CodeIgniter)
   • JavaScript (Backbone.js, Ember.js, JavaScriptMVC)
   • Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket, ...)

12. MVC execution process
   • Controller: mediates input and commands for the model or view.
   • Model: application data, business rules, logic, and functions.
   • View: output and representation of data.

13. Advantages of MVC
   • Easier to manage complexity
   • Does not use view state or server-based forms
   • Rich routing structure
   • Support for test-driven development
   • Supports large teams well
14. Data-validation framework

15. Input filters
   • Headers
   • Input form fields: text, button, select, radio, hidden, browse (file upload)
   • URL
   • Session / cookie

16. Output filter
   • Response object
   • Automatic HTML entity encoding (Spring)

17. Validation strategy
   • Centralize the data flow: struts-config.xml lists the address (action path) of each input form.
   • Control each piece of data: the validation form lists every input field.
   • Assign validation logic to each field: validation.xml specifies one or more validation rules per field.
   • Define the validation logic: validator-rules.xml supplies the rules themselves (max length, min length, known-good validation).
   • Bind each field to a regular expression.
18. Web app without a framework
   Max length, min length and known-good checks, written again for each form (max length, min length, known-good).

19. Web app with the framework
   Test inputs: null123, '--1, Abx12p, @!#$%
   struts-config.xml -> validation.xml: max length, min length, known-good
   Regex: ^[0-9a-zA-Z]*$
   Accepted: null123, Abx12p (the * quantifier also accepts an empty value, which is why the min-length rule stays)
   Characters allowed: 0123456789, abcdefghijklmnopqrstuvwxyz, ABCDEFGHIJKLMNOPQRSTUVWXYZ

20. Web app without a framework

21. struts-config.xml: output encoding
   Input: null<xyz>123&
   Encoded: null&lt;xyz&gt;123&amp;

   Char   Encoding
   <      &lt;
   >      &gt;
   &      &amp;

22. Regex: ^[a-z0-9_-]{3,15}$
   • Characters allowed: a to z (lowercase only)
   • Numbers allowed: 0123456789
   • Special characters allowed: underscore and hyphen
   • Max length: 15
   • Min length: 3
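The whitelist and encoding steps of slides 19 to 22 carried through in Java, as an added example that is not the deck's own code: it runs the slide's sample inputs (plus the empty string) through both regular expressions and then applies the entity encoding from slide 21. The class and method names are assumptions, and the encoder is a plain illustration of the slide's table rather than the Struts or Spring tag-library escaping.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example: known-good (whitelist) input validation followed by
// HTML entity encoding of the value before it is written into a page.
public class KnownGoodDemo {

    // The two patterns shown on the slides. '*' in the first one accepts
    // the empty string, so a separate minimum-length check is required;
    // the second pattern enforces the length window itself with {3,15}.
    static final Pattern ALNUM_ANY_LENGTH = Pattern.compile("^[0-9a-zA-Z]*$");
    static final Pattern USERNAME = Pattern.compile("^[a-z0-9_-]{3,15}$");

    // Known-good check: reject nulls, enforce the length window explicitly,
    // then require the WHOLE value to match. matcher().matches() is a full
    // match; find() would let "abc<script>" through on an unanchored pattern.
    static boolean isKnownGood(String value, Pattern allowed, int min, int max) {
        if (value == null) {
            return false;
        }
        int len = value.length();
        if (len < min || len > max) {
            return false;
        }
        return allowed.matcher(value).matches();
    }

    // Output filter: the three characters from slide 21, plus both quote
    // characters, which matter once the value lands inside an attribute.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, taken from slides 19 and 21.
        List<String> samples = List.of(
                "null123", "'--1", "Abx12p", "@!#$%", "", "null<xyz>123&");
        System.out.printf("%-16s %-12s %-10s %s%n",
                "input", "alnum[3,15]", "username", "encoded");
        for (String s : samples) {
            System.out.printf("%-16s %-12b %-10b %s%n",
                    "'" + s + "'",
                    isKnownGood(s, ALNUM_ANY_LENGTH, 3, 15),
                    isKnownGood(s, USERNAME, 3, 15),
                    htmlEncode(s));
        }
    }
}
```

Only null123 passes both patterns; Abx12p fails the slide-22 pattern because of its uppercase letter, and '--1, @!#$% and the empty string fail both. The encoded column shows what reaches the browser when a value is echoed without having been validated, which is the output filter of slide 16 doing its job.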
23. End
   Slides will be uploaded to the null site and SlideShare.
   Need hands-on? Scream for a Bachaav session. I am open to taking a session.