The document discusses various topics related to web application security including: 1. It provides an overview of the model-view-controller (MVC) architecture and how it separates representation of information from user interaction to promote code reusability and separation of concerns. 2. It discusses how validation frameworks like Struts help secure applications by centralizing data flow and controlling/validating each input field through configuration files and validation rules. 3. Attackers have more opportunities to exploit applications without frameworks, while frameworks help defend against common vulnerabilities like XSS and SQL injection through input filtering and output encoding.

1. Disclaimer
opinions expressed here are my own and are a result of the way in
which my mind interprets a particular situation or concept.

2. Courtesy
Google for Images….
Slide share for Slides…
Wikipedia for text…

3. Struts validation framework
WEB Application Security

4. Structure
what why how -
MVC ?
Concept and Origin
Execution Process
what why how - Web
framework?
Features
what why how
Validation framework?

5. Attacker’s – why should I care..
Applications are getting smarter
Applications are getting tougher
Old strategy may not work..
Strategy – outside inn to inside out
Understanding of internals
Defenders
how to write/suggest defensive programming

6. SOFTWARE EVOLUTION
Fist Prototype of a Computer Mouse
1979
Introduction of graphic
“views” in computing
Early Apple GUI
Formulated by Norwegian computer scientist Trygve Reenskaug
for Graphic User Interphase (GUI) software design, the MVC architecture was one of
the primary outcomes of GUI development.

7. Software Architecture Pattern
Separates representation of information from user interaction.
Promotes:
• Code Reusability
• Separation of Concerns

8. Code Reusability
Separation of Concerns
• Shortens development
• Improves code clarity and
organization
• Code Libraries
• Design Patterns
• Frameworks
• Helps troubleshooting by
isolating issues
• Allows for multiple teams to
develop simultaneously

9. Big Picture
Design
Patterns
MVC
Frameworks
Struts
Validation
Framework
Spring
Validation
Framework

10. Opportunity to attack
Without framework
With framework
• XSS
• XSS
• SQL injection
• SQL injection
• Command Injection
• Command Injection
• Xml injection
• Xml injection

11. Types of MVC Frameworks
ASP.NET
PHP (Zend, Symfony, CakePHP, CodeIgniter)
Javascript ( Backbone.js, Ember.js, JavascriptMVC)
Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket…)
ASP.NET 4.0 Framework

12. Controller – Mediates input
and commands for the model or
view
Model – Application data,
business rules, logic, and
functions.
View – Output and
representation of data
MVC Execution Process

13. Advantages MVC
•
•
•
•
•
Easier to Manage Complexity
Does not use view state or server based forms
Rich Routing Structure
Support for Test-Driven Development
Supports Large Teams Well

14. Data-validation Framework

15. Inputs Filters
• Headers
• Input form fields
– Text, button, select, ratio, hidden, Browse
• URL
• Session / Cookie

16. Output filter
• Response object
• Automatic HTML entity encoding (spring)

17. Validation Strategy
• Centralize the data flow : Struts-config.xml
– List the address of the input form
• Control each piece of field(data) :Validation form
– List each Include all input fields
• Assign validation logic to each field:Validation.xml
– For each field, specify one or more validation rules
• Define validation logic : Validation-rules.xml
– Max length, min length, knowngood validation
• Bind each field to a Regular expression

18. Regex
^[a-z0-9_-]{3,15}$
Characters allowed
a to z (only small case)
Numbers allowed
0123456789
Special Chars allowed
Underscore and Hyphen
Max length
15
Min length
3

19. End..
Slides --- will be uploaded to null site and slide share…
Need hands on…
Scream for a bachaav session…
I am open to take a session…