Uploaded byguest032fe5
593 views

WhiteList Checker: An Eclipse Plugin to Improve Application Security

1) WhiteList Checker is an Eclipse plugin that aims to improve application security by helping developers perform proper input validation. 2) It identifies untrusted input sources like user-submitted parameters and interactively notifies developers to insert validation code using predefined validation rules. 3) These rules include syntactic rules using regular expressions to validate inputs like emails and filenames, as well as semantic rules that are type-specific like restricting files to a certain directory.

Embed presentation

Downloaded 13 times
WhiteList Checker: An Eclipse Plugin to Improve Application Security Bill Chu, Jing Xie, Will Stranathan University of North Carolina at Charlotte
Motivation  Lack of proper input validation is a cause of many software vulnerabilities  XSS, SQL injection, File inclusion, Log forging, Path Manipulation etc.  White list vs. Black list validation  White list input validation is not easy to do, even for common input types (e.g. names)  Support for input validation can be baked into IDE
WhiteList Checker • Identify untrusted input String username = request.getParameter(“username”); • Interactively notify developer (similar to syntax String username = request.getParameter(“username”); try{ Validation.validate(username, “safe_text”); error) }catch(InputValidationException e) { username = “safe text”; } • Present choice of input types • Insert validation code
Trust boundary definition  API calls  HttpServletRequest.getParameter()  Parameters / variables  main (String[] args)
Input validation rules  WhiteList Checker is initialized with a set of regular expressions developed by OWASP for input validation  Syntactic rules  Regular expressions  e.g. email, full path file name  Semantic rules  Specific to input type  e.g. files under /usr/billchu  User defined rules
Building a data dictionary  Identify all input times and where they are input to the application  Answer queries:  How many places in this application we accept credit card numbers from the user?  Does this application accept sensitive information from the customer?
Generate customized rules for static analysis  Fortify Example  Generate rules that removes taints to reduce false positives
Future work  Dataflow analysis for input of composite type  Implement semantic validation rules  Dynamic languages  Evaluation including user studies

More Related Content

PPTX
Validate your entities with symfony validator and entity validation api
byRaffaele Chiocca
 
PPTX
Mule soft meetup_4_mty_online_oct_2020
byVeyra Celina
 
PPT
JetBrains ReSharper
byDennis Loktionov
 
PPTX
Unique Features of SQL Injection in PHP Assignment
byLesa Cote
 
PPTX
Resharper - Next Steps
byTimmy Kokke
 
PPTX
Furore devdays2017 tdd-2-advanced
byDevDays
 
PDF
Type Checking in Javascript with Flow
byYos Riady
 
PPTX
JetBrains ReSharper
bySorin Oboroceanu
 
Validate your entities with symfony validator and entity validation api
byRaffaele Chiocca
 
Mule soft meetup_4_mty_online_oct_2020
byVeyra Celina
 
JetBrains ReSharper
byDennis Loktionov
 
Unique Features of SQL Injection in PHP Assignment
byLesa Cote
 
Resharper - Next Steps
byTimmy Kokke
 
Furore devdays2017 tdd-2-advanced
byDevDays
 
Type Checking in Javascript with Flow
byYos Riady
 
JetBrains ReSharper
bySorin Oboroceanu
 

What's hot

PPTX
Static analysis for security
byFadi Abdulwahab
 
PPTX
Crafting Software with Illegal States Unrepresentable
byScott Nimrod
 
PPTX
Module 9 : using reference type variables
byPrem Kumar Badri
 
PPTX
Introduction to Core Java Programming
byRaveendra R
 
PDF
S5-Authorization
byzakieh alizadeh
 
PPTX
Security for developers
byAbdelrhman Shawky
 
PPTX
Microsoft Fakes, Unit Testing the (almost) Untestable Code
byAleksandar Bozinovski
 
PDF
Executable specifications for xtext
bymeysholdt
 
PPTX
Code quality
byHussain Mansoor
 
Static analysis for security
byFadi Abdulwahab
 
Crafting Software with Illegal States Unrepresentable
byScott Nimrod
 
Module 9 : using reference type variables
byPrem Kumar Badri
 
Introduction to Core Java Programming
byRaveendra R
 
S5-Authorization
byzakieh alizadeh
 
Security for developers
byAbdelrhman Shawky
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
byAleksandar Bozinovski
 
Executable specifications for xtext
bymeysholdt
 
Code quality
byHussain Mansoor
 

Similar to WhiteList Checker: An Eclipse Plugin to Improve Application Security

PPTX
Secure coding - Balgan - Tiago Henriques
byTiago Henriques
 
PPTX
Ebu class edgescan-2017
byEoin Keary
 
PDF
An Introduction to Secure Application Development
byChristopher Frenz
 
PPT
Code review for secure web applications
bysilviad74
 
PDF
Validating and Sanitizing User Data
byzakieh alizadeh
 
PPTX
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
byhamdi71
 
PPTX
Core defense mechanisms against security attacks on web applications
byKaran Nagrecha
 
PPTX
07 application security fundamentals - part 2 - security mechanisms - data ...
byappsec
 
PPTX
Writing secure code
byMadhura P M
 
PDF
WhiteList Checker: An Eclipse Plugin to Improve Application Security
byguest56b7565
 
PDF
Protecting web apps
byOmkar Parab
 
PPSX
Session3 data-validation
byzakieh alizadeh
 
PDF
Session3 data-validation-sql injection
byzakieh alizadeh
 
PPT
香港六合彩
bybaoyin
 
PDF
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
PDF
Secure code
byddeogun
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
PDF
A Validation Model of Data Input for Web Services
byRafael Brinhosa
 
PDF
2 Roads to Redemption - Thoughts on XSS and SQLIA
byguestfdcb8a
 
KEY
Manage Your Data In A B-Boy Stance
byJohn Anderson
 
Secure coding - Balgan - Tiago Henriques
byTiago Henriques
 
Ebu class edgescan-2017
byEoin Keary
 
An Introduction to Secure Application Development
byChristopher Frenz
 
Code review for secure web applications
bysilviad74
 
Validating and Sanitizing User Data
byzakieh alizadeh
 
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
byhamdi71
 
Core defense mechanisms against security attacks on web applications
byKaran Nagrecha
 
07 application security fundamentals - part 2 - security mechanisms - data ...
byappsec
 
Writing secure code
byMadhura P M
 
WhiteList Checker: An Eclipse Plugin to Improve Application Security
byguest56b7565
 
Protecting web apps
byOmkar Parab
 
Session3 data-validation
byzakieh alizadeh
 
Session3 data-validation-sql injection
byzakieh alizadeh
 
香港六合彩
bybaoyin
 
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
Secure code
byddeogun
 
The path of secure software by Katy Anton
byDevSecCon
 
A Validation Model of Data Input for Web Services
byRafael Brinhosa
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
byguestfdcb8a
 
Manage Your Data In A B-Boy Stance
byJohn Anderson
 

Recently uploaded

PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
PDF
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PPTX
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PDF
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PDF
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PDF
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
AI Driven & AI Native Development AI native development
byZainKarim7
 
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 

WhiteList Checker: An Eclipse Plugin to Improve Application Security

  • 1.
    WhiteList Checker: AnEclipse Plugin to Improve Application Security Bill Chu, Jing Xie, Will Stranathan University of North Carolina at Charlotte
  • 2.
    Motivation  Lack of proper input validation is a cause of many software vulnerabilities  XSS, SQL injection, File inclusion, Log forging, Path Manipulation etc.  White list vs. Black list validation  White list input validation is not easy to do, even for common input types (e.g. names)  Support for input validation can be baked into IDE
  • 3.
    WhiteList Checker • Identifyuntrusted input String username = request.getParameter(“username”); • Interactively notify developer (similar to syntax String username = request.getParameter(“username”); try{ Validation.validate(username, “safe_text”); error) }catch(InputValidationException e) { username = “safe text”; } • Present choice of input types • Insert validation code
  • 7.
    Trust boundary definition  API calls  HttpServletRequest.getParameter()  Parameters / variables  main (String[] args)
  • 8.
    Input validation rules  WhiteList Checker is initialized with a set of regular expressions developed by OWASP for input validation  Syntactic rules  Regular expressions  e.g. email, full path file name  Semantic rules  Specific to input type  e.g. files under /usr/billchu  User defined rules
  • 9.
    Building a datadictionary  Identify all input times and where they are input to the application  Answer queries:  How many places in this application we accept credit card numbers from the user?  Does this application accept sensitive information from the customer?
  • 10.
    Generate customized rulesfor static analysis  Fortify Example  Generate rules that removes taints to reduce false positives
  • 11.
    Future work  Dataflow analysis for input of composite type  Implement semantic validation rules  Dynamic languages  Evaluation including user studies