Downloaded 61 times
![1 - Girdi Denetimi
7
public boolean validateUsername(String username) {
String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
if (username == null) {
return false;
}
Pattern p = Pattern.compile(usernamePattern);
Matcher m = p.matcher(username);
if (!m.matches()) {
return false;
}
return true;
}
if (!validateUsername(username)) {
//uygun olmayan kullanıcı adı
}](https://image.slidesharecdn.com/securesolutiontop10-150421135835-conversion-gate02/85/Bunyamin-Demir-10-Adimda-Yazilim-Guvenligi-7-320.jpg)
![ESAPI ile Girdi Denetimi
8
Validator.Username=^[a-zA-Z0-9]{6,12}$
String username = request.getParameter("username");
boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username",
12, false);
if (!booluser) {
// uygun olmayan kullanıcı adı
}](https://image.slidesharecdn.com/securesolutiontop10-150421135835-conversion-gate02/85/Bunyamin-Demir-10-Adimda-Yazilim-Guvenligi-8-320.jpg)
Uploaded byCypSec - Siber Güvenlik Konferansı
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
The document provides an overview of 10 steps for software security according to OWASP-Turkey. It introduces the author Bünyamin Demir and his background and experience in application security. It then discusses key aspects of OWASP and provides code examples for implementing input validation, sanitization, secure cookies, session management, CAPTCHA, path canonicalization, HTTPS, CSRF tokens, and prepared statements.
More Related Content
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
- 1.
- 2. Bünyamin Demir (@bunyamindemir ) – Lisans Kocaeli Üni. Matematik Bölümü – Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı Güvenliği – Uygulama Geliştirici – OWASP Türkiye Bölüm Lideri – Sızma Testleri Uzmanı • Web, Mobil, Network, SCADA, Wireless, Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi • Kaynak kod analizi – Eğitmen • Web/Mobil Uygulama Güvenlik Denetimi • Güvenli Kod Geliştirme • Veritabanı Güvenliği 2
- 3.
- 4. 4 Why is OWASPSpecial?
- 5. • OWASP Top10 • OWASP Zed Attack Proxy (ZAP) • OpenSAMM • Cheat Sheets • ESAPI • ASVS • Testing Guide • Development Guide 5 OWASP Projects
- 6.
- 7. 1 - GirdiDenetimi 7 public boolean validateUsername(String username) { String usernamePattern = "^[a-zA-Z0-9]{6,12}$"; if (username == null) { return false; } Pattern p = Pattern.compile(usernamePattern); Matcher m = p.matcher(username); if (!m.matches()) { return false; } return true; } if (!validateUsername(username)) { //uygun olmayan kullanıcı adı }
- 8. ESAPI ile GirdiDenetimi 8 Validator.Username=^[a-zA-Z0-9]{6,12}$ String username = request.getParameter("username"); boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username", 12, false); if (!booluser) { // uygun olmayan kullanıcı adı }
- 9. 2-Sanitization 9 String safeMarkup =ESAPI.validator().getValidSafeHTML( "Rich Text", richTextInput, 2500, true ); <% String address = "Sumbul mah.,<script>alert(1);</script> kartal sk., manolya sitesi, bahar apart., D/Blok, No:5"; String safeAddressText = ESAPI.validator().getValidSafeHTML("Address Text", address, 200, true); %> <div><%= safeAddressText %></div> <div>Sumbul mah., kartal sk., manolya sitesi, bahar apart., D/Blok, No:5</div>
- 10. 3 – HttpOnlyCookie 10 Set-cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y72VTv2y4Jyr5zTbV1h1Mc7Lmf4fMg1ly; Domain=www.site.com; Path=/; Secure; HttpOnly
- 11. 4 – SecureCookie 11 Set-Cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y7Mg1ly; Domain=www.site.com; Path=/; Secure; HttpOnly
- 12. 5 – OturumAnahtarı 12 ESAPI.httpUtilities().changeSessionIdentifier(); Users user = new LoginDAO().login(username, password); if (user.isAuthenticated()) { currentSession = request.getSession(true); currentSession.invalidate(); HttpSession newSession = request.getSession(true); } else { request.setAttribute("loginerr", "username or password is invalid"); request.getRequestDispatcher("login.jsp").forward(request, response); }
- 13. 6 – GüvenliChaptcha 13
- 14.
- 15. 8 – HTTPS 15 Kimlikdoğrulama işlevi barındıran uygulamaların güvenli kanallar ile iletişim sağlıyor olması gerekir.
- 16. 9 – FormToken 16 <form name="comment" action="product_comment.jsp?pid=53" method="POST"> Comment: <input type="text" name="comment"/> <input type="submit" value="Submit"/> <input type="hidden" name="CSRFToken” value="30Dfd45645Ddssdf4567fdfdgAA..."> </form>
- 17. 10 – PreparedStatement 17 ... String className = request.getParameter("class"); String query = "SELECT * FROM students WHERE class = '" + className + "'"; ResultSet rs = stmt.execute(query); ... ... String className = request.getParameter("class"); PreparedStatement psmt = conn.prepareStatement("SELECT * FROM students WHERE class=?"); psmt.setString(1, className); ResultSet rs = psmt.executeQuery(); ...
- 18.
Editor's Notes
- #5 Why is OWASP Special? Over 43,000 community members worldwide, in over 100 countries Rapid growth over the 12+ years since OWASP’s inception. Demonstrative of our growth as an organization is our revenue which is comes primarily from global conferences such as this as well as memberships. In the last year our revenue grew from just under a million dollars in 2012 to an estimated 1.8 million for the current year. Different from other organizations and conferences because The community Incubator for Ideas and OWASP Projects – Open Source Documentation, Tools, Code Libraries