Struts validation framework Part 2

null Bangalore January 2014 Meet

Transcript

  • 1. Disclaimer: opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.
  • 2. Courtesy: Google for images, SlideShare for slides, Wikipedia for text.
  • 3. Struts validation framework: web application security
  • 4. Structure: what, why and how of MVC (concept and origin, execution process); what, why and how of web frameworks (features); what, why and how of validation frameworks.
  • 5. Attackers: why should I care? Applications are getting smarter and tougher, so the old strategy may not work. Strategy: move from outside-in to inside-out, with an understanding of internals. Defenders: how to write or suggest defensive programming.
  • 6. Software evolution: first prototype of a computer mouse; 1979, introduction of graphic "views" in computing; early Apple GUI. Formulated by Norwegian computer scientist Trygve Reenskaug for graphical user interface (GUI) software design, the MVC architecture was one of the primary outcomes of GUI development.
  • 7. Software architecture pattern: separates the representation of information from user interaction. Promotes code reusability and separation of concerns.
  • 8. Code reusability and separation of concerns: shortens development; improves code clarity and organization; code libraries, design patterns, frameworks; helps troubleshooting by isolating issues; allows multiple teams to develop simultaneously.
  • 9. Big picture: design patterns, MVC, frameworks, Struts validation framework, Spring validation framework.
  • 10. Opportunity to attack. Without a framework: XSS, SQL injection, command injection, XML injection. With a framework: (diagram on the slide).
  • 11. Types of MVC frameworks: ASP.NET; PHP (Zend, Symfony, CakePHP, CodeIgniter); JavaScript (Backbone.js, Ember.js, JavaScriptMVC); Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket, ...); ASP.NET 4.0 Framework.
  • 12. MVC execution process. Controller: mediates input and commands for the model or view. Model: application data, business rules, logic and functions. View: output and representation of data.
  • 13. Advantages of MVC: easier to manage complexity; does not use view state or server-based forms; rich routing structure; support for test-driven development; supports large teams well.
  • 14. Data-validation Framework
  • 15. Input filters: headers; input form fields (text, button, select, radio, hidden, browse); URL; session / cookie.
  • 16. Output filter: response object; automatic HTML entity encoding (Spring).
  • 17. Validation strategy. Centralize the data flow (struts-config.xml): list the address of the input form. Control each piece of field data (validation form): include all input fields. Assign validation logic to each field (validation.xml): for each field, specify one or more validation rules. Define validation logic (validation-rules.xml): max length, min length, known-good validation. Bind each field to a regular expression.
  • 18. Web app without framework (diagram): max length, min length and known-good checks, repeated for each input.
  • 19. Diagram: sample inputs (null123, '--1, Abx12p, @!#$%) pass through struts-config.xml and validation.xml, which apply max length, min length and known-good checks with the regex ^[0-9a-zA-Z]*$; only null123 and Abx12p get through. Known-good character set: 0123456789, abcdefghijklmnopqrstuvwxyz, ABCDEFGHIJKLMNOPQRSTUVWXYZ.
  • 20. Web app without framework
  • 21. struts-config.xml: the input null<xyz>123& is encoded to null&lt;xyz&gt;123&amp;. Character encoding: < becomes &lt;, > becomes &gt;, & becomes &amp;.
  • 22. Regex ^[a-z0-9_-]{3,15}$: characters allowed a to z (lower case only); numbers allowed 0123456789; special characters allowed: underscore and hyphen; max length 15; min length 3.
  • 23. End... Slides will be uploaded to the null site and SlideShare... Need hands-on? Scream for a Bachaav session... I am open to take a session...
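The validation strategy of slide 17 and the known-good regex of slide 22, written out as an added Struts 1 Validator configuration (not taken from the deck): struts-config.xml centralizes the data flow and loads the validator plug-in, and validation.xml binds one field to the required, minlength, maxlength and mask rules that validator-rules.xml defines. The form name logonForm, the action path, the action class com.example.LogonAction, the file paths and the message key are assumptions.

```xml
<!-- struts-config.xml (fragment): centralize the data flow. The action
     mapping names the form bean and turns validation on (validate="true");
     the plug-in loads the rule definitions and the per-field bindings.
     Names, paths and the action class are assumed for this example. -->
<struts-config>
  <form-beans>
    <form-bean name="logonForm"
               type="org.apache.struts.validator.DynaValidatorForm">
      <form-property name="username" type="java.lang.String"/>
    </form-bean>
  </form-beans>
  <action-mappings>
    <!-- input="/logon.jsp" is where the request returns when a rule fails -->
    <action path="/logon" name="logonForm" scope="request"
            validate="true" input="/logon.jsp"
            type="com.example.LogonAction"/>
  </action-mappings>
  <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
    <set-property property="pathnames"
                  value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
  </plug-in>
</struts-config>

<!-- validation.xml (fragment): assign validation logic to each field.
     The validators named in "depends" (required, minlength, maxlength,
     mask) are defined in validator-rules.xml; the vars supply the length
     bounds and the known-good regex from slide 22. -->
<form-validation>
  <formset>
    <form name="logonForm">
      <field property="username"
             depends="required,minlength,maxlength,mask">
        <!-- position 0 is the field label, position 1 the bound value -->
        <arg key="logonForm.username" position="0"/>
        <arg key="${var:minlength}" name="minlength" resource="false" position="1"/>
        <arg key="${var:maxlength}" name="maxlength" resource="false" position="1"/>
        <var><var-name>minlength</var-name><var-value>3</var-value></var>
        <var><var-name>maxlength</var-name><var-value>15</var-value></var>
        <!-- known-good (allow-list) mask: lower case, digits, _ and - only -->
        <var><var-name>mask</var-name><var-value>^[a-z0-9_-]{3,15}$</var-value></var>
      </field>
    </form>
  </formset>
</form-validation>
```

A field that is absent from validation.xml is never checked, so every input listed on slide 15 needs an entry, and an action mapping with validate="false" (or no input page) bypasses the rules entirely.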