Struts validation framework Part 2


Published on

null Bangalore January 2014 Meet

Published in: Technology, Education
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Struts validation framework Part 2

  1. 1. Disclaimer opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.
  2. 2. Courtesy Google for Images…. Slide share for Slides… Wikipedia for text…
  3. 3. Struts validation framework WEB Application Security
  4. 4. Structure what why how - MVC ? Concept and Origin Execution Process what why how - Web framework? Features what why how Validation framework?
  5. 5. Attacker’s – why should I care.. Applications are getting smarter Applications are getting tougher Old strategy may not work.. Strategy – outside inn to inside out Understanding of internals Defenders how to write/suggest defensive programming
  6. 6. SOFTWARE EVOLUTION Fist Prototype of a Computer Mouse 1979 Introduction of graphic “views” in computing Early Apple GUI Formulated by Norwegian computer scientist Trygve Reenskaug for Graphic User Interphase (GUI) software design, the MVC architecture was one of the primary outcomes of GUI development.
  7. 7. Software Architecture Pattern Separates representation of information from user interaction. Promotes: • Code Reusability • Separation of Concerns
  8. 8. Code Reusability Separation of Concerns • Shortens development • Improves code clarity and organization • Code Libraries • Design Patterns • Frameworks • Helps troubleshooting by isolating issues • Allows for multiple teams to develop simultaneously
  9. 9. Big Picture Design Patterns MVC Frameworks Struts Validation Framework Spring Validation Framework
  10. 10. Opportunity to attack Without framework • XSS • SQL injection • Command Injection • Xml injection With framework
  11. 11. Types of MVC Frameworks ASP.NET PHP (Zend, Symfony, CakePHP, CodeIgniter) Javascript ( Backbone.js, Ember.js, JavascriptMVC) Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket…) ASP.NET 4.0 Framework
  12. 12. Controller – Mediates input and commands for the model or view Model – Application data, business rules, logic, and functions. View – Output and representation of data MVC Execution Process
  13. 13. Advantages MVC • • • • • Easier to Manage Complexity Does not use view state or server based forms Rich Routing Structure Support for Test-Driven Development Supports Large Teams Well
  14. 14. Data-validation Framework
  15. 15. Inputs Filters • Headers • Input form fields – Text, button, select, ratio, hidden, Browse • URL • Session / Cookie
  16. 16. Output filter • Response object • Automatic HTML entity encoding (spring)
  17. 17. Validation Strategy • Centralize the data flow : Struts-config.xml – List the address of the input form • Control each piece of field(data) :Validation form – List each Include all input fields • Assign validation logic to each field:Validation.xml – For each field, specify one or more validation rules • Define validation logic : Validation-rules.xml – Max length, min length, knowngood validation • Bind each field to a Regular expression
  18. 18. Web App with out framework Max length Min Length Knowngood Max length Min Length Known good
  19. 19. null123 ‘--1 Abx12p @!#$% Sturtsconfig.x ml Max length Validati on.xml Min Length Knowngood Max length Min Length Knowngood ^[0-9a-zA-Z]*$ null123 Abx12p null123 Abx12p 0123456789 abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
  20. 20. Web App with out framework
  21. 21. Sturtsconfig.xml null&lt;xyz&gt;123&amp; Chars < null<xyz>123& Encoding &lt; > &gt; & &amp;
  22. 22. Regex ^[a-z0-9_-]{3,15}$ Characters allowed a to z (only small case) Numbers allowed 0123456789 Special Chars allowed Underscore and Hyphen Max length 15 Min length 3
  23. 23. End.. Slides --- will be uploaded to null site and slide share… Need hands on… Scream for a bachaav session… I am open to take a session…