SDEV 460 – Homework 4
Input Validation and Business Logic Security Controls
Overview:
This homework will demonstrate your knowledge of testing security controls aligned with input validation and business logic. You will also use the recommended OWASP Testing Guide reporting format to report your test findings.
Assignment: Total 100 points
Using the readings from weeks 7 and 8 as a baseline, provide the following test and analysis descriptions or discussion:
1. Testing for Reflected Cross site scripting (OTG-INPVAL-001)
The OWASP site lists multiple approaches and examples for black-box testing reflected XSS vulnerabilities. In your own words, describe Reflected Cross Site Scripting. Then list and describe 4 different examples that could be used for testing. Be sure to conduct additional research for each example to provide your own unique test example; this most likely means you will need to research JavaScript to make sure your syntax is correct.
2. Testing for Stored Cross site scripting (OTG-INPVAL-002)
The OWASP site lists multiple approaches and examples for black-box testing stored XSS vulnerabilities. In your own words, describe Stored Cross Site Scripting. Then list and describe 2 different examples that could be used for testing. Be sure to conduct additional research for each example to provide your own unique test example; this most likely means you will need to research JavaScript to make sure your syntax is correct.
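As an added illustration for items 1 and 2 (this is editor-supplied example code, not part of the assignment text), the Python below stands in for a search page that reflects a query parameter, in three versions: unescaped, escaped only for angle brackets, and fully HTML-escaped. The black-box probe is the kind of test the assignment asks for: a unique canary string is wrapped around each of the four metacharacters that break out of a text node or an attribute value, and the response is checked for which of them came back unencoded. The three handlers, the host name app.example and the canary value are constructed for this example. The same probe applies to stored XSS; the only difference is that the response inspected is the later page that renders the stored value rather than the immediate reply.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# A marker unlikely to occur in real page text, and the metacharacters that end an
# HTML text node (< >) or an attribute value (" ').
CANARY = "xssprobe7f3a"
METACHARS = ["<", ">", '"', "'"]
# Probe sent as the parameter value:
# xssprobe7f3a<xssprobe7f3a>xssprobe7f3a"xssprobe7f3a'xssprobe7f3a
PROBE = CANARY + CANARY.join(METACHARS) + CANARY


def query_param(url: str) -> str:
    return parse_qs(urlparse(url).query).get("q", [""])[0]


# Three constructed stand-ins for a server-side search page. Each takes the request
# URL and returns the HTML body the server would send.
def vulnerable_search(url: str) -> str:
    q = query_param(url)
    # Reflected XSS: the parameter is pasted into both a text node and an attribute.
    return f'<p>Results for: {q}</p>\n<input name="q" value="{q}">'


def partially_fixed_search(url: str) -> str:
    q = query_param(url).replace("<", "&lt;").replace(">", "&gt;")
    # Common mistake: only angle brackets are encoded, so a double quote still
    # closes the value attribute and an event-handler attribute can be injected.
    return f'<p>Results for: {q}</p>\n<input name="q" value="{q}">'


def fixed_search(url: str) -> str:
    # quote=True also encodes " and ', which the attribute context needs.
    q = html.escape(query_param(url), quote=True)
    return f'<p>Results for: {q}</p>\n<input name="q" value="{q}">'


def surviving_metachars(body: str):
    """Return the probe metacharacters that were reflected unencoded, or None
    if the canary was not reflected at all."""
    if CANARY not in body:
        return None
    return [c for c in METACHARS if CANARY + c + CANARY in body]


def probe(handler) -> list:
    """Send the probe as the q parameter and report which characters came back raw."""
    url = "https://app.example/search?" + urlencode({"q": PROBE})
    return surviving_metachars(handler(url))


if __name__ == "__main__":
    for h in (vulnerable_search, partially_fixed_search, fixed_search):
        print(f"{h.__name__:24s} reflected unencoded: {probe(h)}")
```

An empty list from probe means the page encodes correctly for the HTML text and attribute contexts only; a value reflected inside a JavaScript string, a URL, or a style block needs its own probe with the characters that matter there.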
3. Testing for SQL Injection (OTG-INPVAL-005)
SQL Injection remains a problem in applications yet could easily be fixed. The following SQL statement is in an HTML form as code with the $ variables taken directly from user input.
SELECT * FROM Students WHERE EMPLID='$EMPLID' AND EMAIL='$email'
Would a form or application that includes this code be susceptible to SQL Injection? Why?
What specific tests would you perform to determine if the application was vulnerable?
How would you fix this problem? Be specific by providing the exact code in a language of your choice (e.g. Java, PHP, Python …).
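As an added worked example for item 3 (editor-supplied code, not part of the assignment), the Python below builds the homework's statement both ways against an in-memory SQLite table: once by pasting the $ variables into the SQL text, and once as a parameterized query. run_probes applies the three black-box tests a tester would start with (a lone single quote, a tautology in both fields, and a comment sequence that truncates the statement) and reports what each version does. The Students table and its three rows are constructed for the example. The equivalent fix in Java is a PreparedStatement with ? placeholders, and in PHP a PDO prepared statement; the principle is the same in every language, the SQL text never changes and the values travel separately.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed Students table with three made-up rows (stand-in for the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (EMPLID TEXT, EMAIL TEXT, NAME TEXT)")
    conn.executemany(
        "INSERT INTO Students VALUES (?, ?, ?)",
        [("1001", "ana@example.edu", "Ana"),
         ("1002", "ben@example.edu", "Ben"),
         ("1003", "cho@example.edu", "Cho")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, emplid: str, email: str) -> list:
    # The homework's statement as written: user input pasted into the SQL text, so a
    # quote in either field ends the literal and whatever follows is parsed as SQL.
    sql = f"SELECT * FROM Students WHERE EMPLID='{emplid}' AND EMAIL='{email}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, emplid: str, email: str) -> list:
    # Parameterized query: the statement structure is fixed at parse time and the
    # values are bound afterwards, so input can only be compared, never parsed.
    sql = "SELECT * FROM Students WHERE EMPLID=? AND EMAIL=?"
    return conn.execute(sql, (emplid, email)).fetchall()


def run_probes(lookup) -> dict:
    """Three black-box SQL injection tests against a lookup function."""
    conn = make_db()
    # 1. A lone quote: a database error (or an unexpectedly different page)
    #    shows the input reached the SQL parser unescaped.
    try:
        lookup(conn, "'", "ana@example.edu")
        quote_error = False
    except sqlite3.DatabaseError:
        quote_error = True
    return {
        "baseline_rows": len(lookup(conn, "1001", "ana@example.edu")),
        "single_quote_causes_error": quote_error,
        # 2. Tautology: more rows than the baseline means the WHERE clause was rewritten.
        "tautology_rows": len(lookup(conn, "' OR '1'='1", "' OR '1'='1")),
        # 3. Comment sequence: the EMAIL condition is commented out entirely.
        "comment_rows": len(lookup(conn, "' OR 1=1 --", "ignored")),
    }


if __name__ == "__main__":
    print("vulnerable:", run_probes(lookup_vulnerable))
    print("fixed:     ", run_probes(lookup_fixed))
```

The vulnerable version errors on the lone quote and returns every row for the other two probes; the fixed version treats each probe as an ordinary (non-matching) value and returns nothing.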
4. Test business logic data validation (OTG-BUSLOGIC-001)
While reviewing some Java code, an analyst provided the following code snippets that contain logic errors. For each example, describe the issue and provide code that would fix the logical error:
a.
int x;
x = x + 1;
System.out.println("X = " + x);
b.
for (i=1; i<=5; i++) ; {
System.out.println("Number is " + i);
}
c.
if ( z > d) ; {
System.out.println("Z is bigger");
}
d.
String m1="one";
String m2="two";
if(m1 == m2) {
System.out.println("M1 is equal to M2");
}
e. The formula for the area of a trapezoid is:
A = (b1+b2)/2 * h
The following Java code is the implementation. Fix the logical error:
double area;
double base1 = 2.3;
double base2 = 4.8;
double height = 12.5;
area = base1 + base2/2.0 * height;
Demonstrate that your fixed code works as anticipated with a couple of different test cases.
5. Test integrity checks (OTG-BUSLOGIC-003)
Conduct research on Business Logic errors related to OTG-BUSLOGIC-003. In your own words, describe and provide 2 unique examples of integrity checks. For your examples, provide specific testing methods for each case.
6. Test defenses against Circumvention of Work Flows (OTG-BUSLOGIC-006)
Conduct research on Business Logic errors related to OTG-BUSLOGIC-006. In your own words, describe and provide 2 unique examples of circumvention of work flow. For your examples, provide specific testing methods for each case.
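As an added example covering items 5 and 6 together (editor-supplied code, not part of the assignment), the Python below models a four-step checkout with the two controls those tests target. For item 6, the server accepts each step only in sequence, so posting directly to confirm without having paid is rejected. For item 5, the order total is computed from a server-side price list and carried between pages in hidden fields protected by an HMAC, so a total edited in the browser is detected before payment. The catalogue, step names, session store and signing key are constructed for the example; a real deployment keeps the key and session state in the application's secret and session stores rather than module globals. The testing methods for each case are the calls under __main__: a request submitted out of order, and a hidden field edited before resubmission.

```python
import hashlib
import hmac
import secrets

# Constructed server-side catalogue, workflow and signing key (stand-ins for the
# application's own stores; the key must never reach the client).
PRICES = {"book": 20.00, "pen": 2.50}
STEPS = ["cart", "shipping", "payment", "confirm"]
SECRET = secrets.token_bytes(32)


def sign(order_id: str, total: str) -> str:
    """HMAC over the hidden fields the page carries from one step to the next."""
    return hmac.new(SECRET, f"{order_id}:{total}".encode(), hashlib.sha256).hexdigest()


class Checkout:
    def __init__(self):
        self.sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"stage": 0, "items": {}, "total": "0.00", "order_id": None}
        return sid

    def hidden_fields(self, sid: str) -> dict:
        """What the server renders as hidden inputs once the cart step is done."""
        s = self.sessions[sid]
        return {"order_id": s["order_id"], "total": s["total"],
                "token": sign(s["order_id"], s["total"])}

    def post(self, sid: str, step: str, form: dict) -> str:
        s = self.sessions[sid]
        expected = STEPS[s["stage"]]
        # Workflow control: only the next step in sequence is accepted, so a direct
        # request to "confirm" cannot skip "payment".
        if step != expected:
            return f"rejected: expected step '{expected}', got '{step}'"
        result = getattr(self, "_" + step)(s, form)
        if not result.startswith("rejected"):
            s["stage"] += 1
        return result

    def _cart(self, s: dict, form: dict) -> str:
        items = form.get("items", {})
        if not items or any(name not in PRICES or not isinstance(qty, int) or qty <= 0
                            for name, qty in items.items()):
            return "rejected: unknown item or bad quantity"
        s["items"] = dict(items)
        # Data-validation control: prices come from the catalogue, never from the request.
        s["total"] = f"{sum(PRICES[n] * q for n, q in items.items()):.2f}"
        s["order_id"] = secrets.token_hex(4)
        return "ok: cart saved"

    def _shipping(self, s: dict, form: dict) -> str:
        if not form.get("address"):
            return "rejected: address required"
        s["address"] = form["address"]
        return "ok: shipping saved"

    def _payment(self, s: dict, form: dict) -> str:
        # Integrity check 1: the echoed hidden fields must still carry the server's MAC.
        expected = sign(str(form.get("order_id")), str(form.get("total")))
        if not hmac.compare_digest(expected.encode(), str(form.get("token")).encode()):
            return "rejected: hidden fields were modified"
        # Integrity check 2: compare with server-side state instead of trusting the echo.
        if form.get("order_id") != s["order_id"] or form.get("total") != s["total"]:
            return "rejected: order does not match session"
        return f"ok: charged {s['total']}"

    def _confirm(self, s: dict, form: dict) -> str:
        return f"ok: order {s['order_id']} placed for {s['total']}"


def walk_to_payment(co: Checkout, items: dict) -> str:
    """Run the cart and shipping steps for a fresh session and return its id."""
    sid = co.new_session()
    co.post(sid, "cart", {"items": items})
    co.post(sid, "shipping", {"address": "1 Example Street"})
    return sid


if __name__ == "__main__":
    co = Checkout()
    # Test for item 6: try to skip the payment step.
    sid = walk_to_payment(co, {"book": 2, "pen": 4})
    print(co.post(sid, "confirm", {}))
    # Test for item 5: edit the hidden total before resubmitting it.
    fields = co.hidden_fields(sid)
    fields["total"] = "0.01"
    print(co.post(sid, "payment", fields))
    # An unmodified submission goes through.
    print(co.post(sid, "payment", co.hidden_fields(sid)), "/", co.post(sid, "confirm", {}))
```

The second integrity check looks redundant next to the MAC, but it is the one that matters if the token is ever leaked or the key mishandled: the server's own record of the order is the source of truth, and the MAC only makes tampering detectable rather than making the client's copy trustworthy.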
You should document the results of the tests and your comments and recommendations for improved security for each security control tested in a Word or PDF document. Discuss any issues found and possible mitigations.
Deliverables:
You should submit your document by the due date. Your document should be well-organized, include all references used and contain minimal spelling and grammar errors.
Grading Rubric:

| Attribute | Points | Meets |
|---|---|---|
| Reflected Cross site scripting | 10 | Describes Reflected Cross Site Scripting. Then lists and describes 4 different examples that could be used for testing. Conducts additional research for each example to provide your own unique test example. |
| Stored Cross site scripting | 10 | Describes Stored Cross Site Scripting. Then lists and describes 2 different examples that could be used for testing. Conducts additional research for each example to provide your own unique test example. |
| SQL Injection | 25 | Answers: would a form or application that includes this code be susceptible to SQL Injection? Why? Answers: what specific tests would you perform to determine if the application was vulnerable? Answers: how would you fix this problem? Provides the exact code in a language of your choice. |
| Business logic data validation | 15 | For each example, describes the issue and provides code that would fix the logical error. |
| Integrity checks | 10 | Conducts research on Business Logic errors related to OTG-BUSLOGIC-003. In your own words describes and provides 2 unique examples of integrity checks. Provides specific testing methods for each case. |
| Defenses against workflow intervention | 10 | Conducts research on Business Logic errors related to OTG-BUSLOGIC-006. In your own words describes and provides 2 unique examples of circumvention of work flow. Provides specific testing methods for each case. |
| Documentation and Submission | 20 | Your document should be well-organized, include all references used and contain minimal spelling and grammar errors. |
A 75-Year-Old Adult Case Study
In the case presented, a 75-year-old male patient presented to
the office with a chronic hacking dry cough that had been
present for three months and had not improved with over-the-
counter antitussives and allergy drugs. Diabetes, hypertension,
environmental allergies, and a colonoscopy with polypectomy
six years ago are among the medical and surgical conditions
that the patient has had in the past. The patient stated he had
been prescribed lisinopril six months prior. In addition, the
patient has reported he has been taking loratadine 10 mg daily,
an over-the-counter allergy medication for several years,
metformin XR 500 mg daily, and aspirin 81 mg once daily. His
blood pressure is currently 145/70, and except for slight
neuropathy caused by persistent diabetes mellitus, the physical
examination is normal. After reviewing the patient's history and
current physical exam, it is evident that patient may be
experiencing an angiotensin-converting enzyme inhibitor
(ACEI)-induced cough. According to Yılmaz (2019), when
taking an ACE inhibitor, a dry, tickly cough is the most
prevalent side effect. Around 10% of people using ACE
inhibitors are likely to develop a cough. Cough reflexes are
heightened when ACE is inhibited. An accumulation of kinins,
substance P, and prostaglandins may result from the impairment
of kininase II activity, which may then lead to a cough.
Providers should be aware that dry cough is the most prevalent
side effect of ACE inhibitors, and that this symptom might
occur months or even a year after starting treatment.
The medulla mediates coughing as a reflex response; however,
coughing can be controlled voluntarily. The nasopharynx,
larynx, ear, bronchi, and trachea all have mucosal neural
receptors that can be stimulated to create a cough (Cash et al.,
2021). Any patient who comes in with a cough as their primary
complaint should have a thorough medical history taken and a
focused physical examination performed.
Scope/Evidence
Questions a Nurse Practitioner should ask a patient who
presents to the clinic with a chief complaint of a cough include:
Can you tell me when the cough started? Did it occur
gradually, or it appear suddenly? Has the cough gotten any
worse, better or has it had no change since it began? Is the
cough worse at night or during the day? Do you have any
aggravating factors that could make the cough worse? (Cash et
al., 2021).
Can you describe the severity and duration of the cough? Is the
cough causing incontinence or fainting? When did it begin?
(Cash et al., 2021).
Can you describe the cough, is it dry crackles? Is it a wet or a
dry cough? Is it productive? Is it wheezy? Brassy? Whether or
not the patient says it's mucoid or bloody, the healthcare
provider should inquire. It is important to include additional
information, such as the odor, color and consistency of mucus
or sputum (Cash et al., 2021). Bronchogenic carcinoma should
be considered if a patient has a persistent or alternating cough
that is also accompanied by weight loss. A dry, irritative cough
is a strong indicator of a viral respiratory illness (Cash et al.,
2021).
Ask the patient about what helps or worsens the cough.
Exposure to cold, TB exposure, irritants in the environment, or
allergies might aggravate asthmatic coughs (Cash et al., 2021).
Ask the patient if they smoke or have been exposed to any
secondhand smoking. If they have a history of smoking inquire
about the duration, and amount. If exposed to second hand
smoke ask about duration, amount, and quality of the person's
exposure to secondhand smoking (Cash et al., 2021).
The patient's occupation and job history should be asked about
during the interview (Cash et al., 2021).
Ask the patient if the cough has ever been aggravated after eating, or if the patient has had a feeling of choking or nasal blockage (Cash et al., 2021).
Question the patient about family history associated with
respiratory disorders such as asthma and cystic fibrosis (Cash et
al., 2021).
Discuss with the patient any health issue that could require
further investigation, medical history such as asthma, chronic
obstructive pulmonary disease, and high blood pressure (Cash et
al., 2021).
Lastly, current medications, both prescribed and over the counter, should be reviewed with the patient, because some medications, such as ACE inhibitors, can cause a dry cough (Cash et al., 2021).
Physical Examination
An adult with a chronic cough needs a proper physical
examination that begins by doing vital signs, then examination
of the ear, nose, throat, respiratory, and cardiovascular systems.
Conducting a proper physical exam is necessary for a patient
who complains of coughing and other respiratory issues. As a
Nurse Practitioner, I would focus on examining the patient’s
nasal passage, throat, sinuses, and neck veins, looking for
specific signs of respiratory difficulties such as the use of
accessory respiratory muscles, cyanosis and clubbing of the
fingers. I would also perform pulmonary and cardiac auscultation and chest percussion, assessing lung sounds and heart sounds and checking for any gallops, rubs or murmurs (Cash et al., 2021).
Etiology of Patients Cough
According to Yılmaz (2019), cough is one of the most common
side effects of taking angiotensin-converting enzyme inhibitors
(ACEIs). Studies have shown numerous current evidence about
how and why coughs happen when people take ACEIs. It also
suggests a practical way to deal with coughs for the best
cardiovascular (CV) risk reduction. Dry cough is more common
in people who take ACEIs than in people who don't. A cough is
thought to come from several different things, but the use of
ACEIs is the most common one. (Yılmaz, 2019).
ACEIs are frequently associated with adverse symptoms such as
low blood pressure, hyperkalemia, dizziness, and headache, as
well as a chronic dry cough. After stopping ACEIs, a tickling
feeling in the throat disappears. Patients on ACEIs experienced
a dry cough at a rate of 1.5–11%, according to one study
(Yılmaz, 2019). Many ACEI studies have been hampered by
small sample sizes and lack of long-term follow-up, which has
resulted in considerable disparities in reported incidences of
cough, which in turn has contributed to the discrepancies
(Sanchis-Gomar et al., 2020). Cough incidence varies among
ACEIs, and only a few ACEIs have real time clinical practice
data to back up findings from randomized trials, further
complicating matters. The basic causes of the ACEI-induced
cough are a lot of different things. People who take ACEIs have
a cough because of angioedema and bradykinin buildup.
(Sanchis-Gomar et al., 2020).
Diagnosis to consider for patient with a chronic cough
Various respiratory and non-respiratory conditions can lead to a persistent cough. Some diagnoses for cough include infections of the upper respiratory tract with viruses, postnasal drip syndrome, gastro-esophageal reflux disease, cough variant asthma, bronchitis with eosinophilia, tumors of the mediastinum and the lung, interstitial fibrosis early in the course of the disease, and the use of an ACEI; all are common causes of chronic cough (Mahashur, 2017). Psychogenic and idiopathic cough are also common causes of chronic cough. In almost 50 percent of patients who come to a specialized clinic with a cough, the cause of the cough is unknown (Mahashur, 2017).
Diagnostic testing to consider for patient with a persistent
cough
Determining the root cause of a chronic cough might be
difficult because individuals generally have more than one
cause for their cough. As a result, a wide variety of tests are
employed to pinpoint the root of the problem. Diagnostic testing
should be based not only on the chronic cough, but also on the
other presenting symptoms. To identify if an infection is present
and causing the cough, lab testing might be used to diagnose
patient’s condition. These lab test includes a CBC with
differential, and a lung function test. The pulmonary lung
function tests will tell your provider how well your lungs are
functioning (Mahashur, 2017). Spirometry or a methacholine challenge test can also be done; these monitor your inhalation and exhalation patterns. Aside from spirometry, other lung function tests include lung volume testing, gas diffusion investigations, and the six-minute walk test (Mahashur, 2017).
Lastly, X-rays, CT and MRI scans, ultrasound, and nuclear
testing are all examples of imaging diagnostic testing which are
used to diagnose a chronic cough. X-rays reveal lung disease
and cancer as the causes of chronic cough, such as a build-up of
fluids in the areas that aid breathing. You can get further
information about breathing-related areas by using various
imaging examinations (Mahashur, 2017).
According to Mahashur (2017), patients' insurance companies
should be considered before ordering diagnostic testing.
It is essential to make sure that patients’ insurance can cover
these diagnostic procedures due to the expense of the testing.
Therefore, it is beneficial to perform a careful analysis of the
information gathered during a patient's medical history and
physical examination to ensure proper testing is ordered.
Treatment and Education of Patient with a Chronic Cough
According to the 75-year-old man’s detailed description of his
cough, it is fair to say the use of ACE inhibitors should be
deemed entirely or largely responsible for the patient's
persistent cough, regardless of how long it has been since the
ACE inhibitor therapy was started or when the cough first
appeared. Some medications have been proven to reduce the
effects of ACE inhibitor-induced cough, even though
withdrawal of therapy is the only uniformly effective treatment
(Silvestri & Weinberger, 2021).
According to Silvestri and Weinberger (2021), a recommended
approach is to stop the medication for a short period of time and
then restart it once the coughing discontinues. Studies have also
shown that when medication was administered at night, coughing
was a minor complication. Additionally, it is vital to design
strategies to keep the ACE inhibitor treatment going, if
possible, using these techniques. In the event of recurrent,
distressing symptoms, and after all other plausible reasons of
cough have been ruled out, switching to angiotensin receptor
blockers should be advised.
References
Kaplan, A. G. (2019). Chronic cough in adults: Make the diagnosis and make a difference. Pulmonary Therapy, 5(1), 11–21. https://doi.org/10.1007/s41030-019-0089-7
Mahashur, A. (2017). Chronic dry cough: Diagnostic and management approaches. Lung India: Official Organ of Indian Chest Society, 32(1), 44–49. https://doi.org/10.4103/0970-2113.148450
Silvestri, R. C., & Weinberger, S. E. (2021). Patient education: Chronic cough in adults (Beyond the Basics). UpToDate. https://www.uptodate.com/contents/chronic-cough-in-adults-beyond-the-basics
Yılmaz, İ. (2019). Angiotensin-converting enzyme inhibitors induce cough. Turkish Thoracic Journal, 20(1), 36–42. https://doi.org/10.5152/TurkThoracJ.2018.18014