Input Data Validation for Web Applications


Input Data Validation for Web Applications
Jeff Offutt
https://www.cs.gmu.edu/~offutt/
SWE 432 Design and Implementation of Software for the Web

Topics
- Introduction
- Input Data Validation
- Exception Handling
- Conclusions
16 July 2019 © Offutt

Validating Inputs
Input validation: deciding if input values can be processed by the software.
- Before starting to process inputs, wisely written programs check that the inputs are valid
- How should a program recognize invalid inputs?
- What should a program do with invalid inputs?
- It is easy to write input validators, but also easy to make mistakes!

Representing Input Domains
Goal domains are often irregular.
Goal domain for credit cards†:
- First digit is the Major Industry Identifier
- First 6 digits and length specify the issuer
- Final digit is a "check digit"
- Other digits identify a specific account
Common specified domain:
- First digit is in { 3, 4, 5, 6 } (travel and banking)
- Length is between 13 and 16
Common implemented domain:
- All digits are numeric
† More details are on: http://www.merriampark.com/anatomycc.htm

Representing Input Domains
[Diagram: three overlapping regions: desired inputs (goal domain), described inputs (specified domain), accepted inputs (implemented domain).]
The mismatch between these regions is a rich source of software errors ... and security vulnerabilities!!!
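As an added illustration (Python, not code from the lecture), the three credit-card domains of the preceding slides written as predicates, so a number can be placed in one of the diagram's regions. The check-digit test assumes the Luhn algorithm, which the slide does not name but which is the standard payment-card scheme; the sample numbers are constructed, not real accounts.

```python
# Added example: the slide's goal / specified / implemented domains as code.

def implemented_domain(s: str) -> bool:
    """What a sloppy validator typically checks: every character is a digit."""
    return s.isdigit()

def specified_domain(s: str) -> bool:
    """What the requirements say: MII in {3,4,5,6}, length 13..16, all digits."""
    return s.isdigit() and s[0] in "3456" and 13 <= len(s) <= 16

def luhn_ok(s: str) -> bool:
    """Goal-domain structure: the final digit is a Luhn check digit
    (assumption: the slide only says 'check digit')."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def goal_domain(s: str) -> bool:
    return specified_domain(s) and luhn_ok(s)

def classify(s: str) -> str:
    """Name the region of the slide's diagram that an input lands in."""
    if goal_domain(s):
        return "goal"
    if specified_domain(s):
        return "specified-only"    # right shape, wrong check digit
    if implemented_domain(s):
        return "implemented-only"  # numeric, but outside the specification
    return "rejected"

# Constructed sample inputs (not real card numbers).
SAMPLES = {
    "4111111111111111": "goal",            # MII 4, 16 digits, Luhn passes
    "4111111111111112": "specified-only",  # last digit changed: Luhn fails
    "12345": "implemented-only",           # all digits, but MII 1 and too short
    "4111-1111-1111-1111": "rejected",     # not even numeric
}
```

The numbers that are accepted by the implemented domain but rejected by the goal domain are exactly the region the diagram warns about.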

Users Can Bypass Client Validation
Client-side HTML and JavaScript can impose constraint enforcement:
- JS checks on input values
- HTML restrictions such as maxLength
- Implicit restrictions such as dropdown menus and radio boxes
Users can violate constraints (accidentally and intentionally):
- When automating
- Turning JS off
- To attack your software

Example
[Form: User Name: ____  Age: ____  Version to purchase: ( ) Small $150  ( ) Medium $250  ( ) Large $500]

Client Side Checking
[Form submitted with User Name: Alan<Turing and Age: 500. The JavaScript check rejects it:]
Username should be plain text only.
Age should be between 18 and 150.
Invalid data, please correct ...

Abbreviated HTML Constraints

    <FORM>
      <INPUT Type="text" Name="username" Size=20>
      <INPUT Type="text" Name="age" Size=3 Maxlength=3>
      <P> Version to purchase: ...
      <INPUT Type="radio" Name="version" Value="150" Checked>
      <INPUT Type="radio" Name="version" Value="250">
      <INPUT Type="radio" Name="version" Value="500">
      <INPUT Type="submit" onClick="return checkInfo(this.form)">
      <INPUT Type="hidden" Name="isLoggedIn" Value="no">
    </FORM>

Constraints: Maxlength on the age field, the fixed radio-button values, and the checkInfo() JavaScript check on submit.

Saved & Modified HTML
[The user saves the page, edits it, and submits the modified copy:]

    <FORM>
      <INPUT Type="text" Name="username" Size=20>
      <INPUT Type="text" Name="age" Size=3 Maxlength=3>
      <P> Version to purchase: ...
      <INPUT Type="radio" Name="version" Value="150">
      <INPUT Type="radio" Name="version" Value="250">
      <INPUT Type="radio" Name="version" Value="25" Checked>
      <INPUT Type="submit" onClick="return checkInfo(this.form)">
      <INPUT Type="hidden" Name="isLoggedIn" Value="yes">
    </FORM>

- Allows an input with arbitrary age, no checking, cost=$25 ...
- '<' can crash an XML parser
- Text fields can have SQL statements

SQL Injection
User Name: turing' OR '1'='1
Password: enigma

Original SQL:

    SELECT username FROM adminuser WHERE username='turing' AND password='enigma'

"Injected" SQL:

    SELECT username FROM adminuser WHERE username='turing' OR '1'='1' AND password='enigma' OR '1'='1'

Do not trust users!!!
Apply input validation to all inputs.
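To tie the modified-HTML, SQL-injection and "validate all inputs" slides together, here is an added example in Python (not the lecture's code) of server-side checks that re-validate every form field without relying on the browser, plus the slide's adminuser login query built the vulnerable way and the parameterized way against a constructed in-memory SQLite table. The field names and the 18-150 age rule come from the slides; the username pattern and the helper names are assumptions.

```python
# Added example: server-side validation and the login query done both ways.
import re
import sqlite3

ALLOWED_VERSIONS = {"150", "250", "500"}          # the radio values in the form
USERNAME_RE = re.compile(r"^[A-Za-z0-9 ]{1,20}$")  # assumed meaning of "plain text only"

def validate_order(form: dict) -> list:
    """Re-check every field the HTML/JS layer claimed to constrain.
    Returns the list of problems; an empty list means the input is acceptable."""
    problems = []
    if not USERNAME_RE.fullmatch(form.get("username", "")):
        problems.append("Username should be plain text only.")
    age = form.get("age", "")
    if not (age.isdigit() and 18 <= int(age) <= 150):
        problems.append("Age should be between 18 and 150.")
    if form.get("version") not in ALLOWED_VERSIONS:  # price is looked up server-side
        problems.append("Unknown product version.")
    # Login state is never read from the hidden isLoggedIn field: the user owns it.
    return problems

def make_db() -> sqlite3.Connection:
    """Constructed adminuser table with the single account from the slide."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE adminuser (username TEXT, password TEXT)")
    db.execute("INSERT INTO adminuser VALUES ('turing', 'enigma')")
    return db

def login_concat(db, username: str, password: str) -> list:
    """Vulnerable: the slide's query assembled by string concatenation."""
    sql = ("SELECT username FROM adminuser WHERE username='" + username +
           "' AND password='" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_param(db, username: str, password: str) -> list:
    """Fixed: values are bound as parameters, so quotes in them stay data."""
    sql = "SELECT username FROM adminuser WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]
```

With the slide's user name and a wrong password, login_concat still returns the turing row while login_param returns nothing.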

Topics
- Introduction
- Input Data Validation
- Exception Handling
- Conclusions

Managing Exceptions
Language exception handling features allow programmers to separate functional logic from error condition handling:

    try {
        // a computation that can produce an exception
    } catch (BadException e) {
        // log it and recover
    }

- The Java compiler verifies that exceptions are handled in the program
- Some languages do not support this
- Checked exceptions force engineers to handle errors

Catch Low—If You Can Recover
- Have a sensible recovery strategy
  - FileNotFoundException: ask the user for another file name
  - System.OutOfMemoryException: probably kill the process
- Catching "low" means you have more information to recover with
- But do not catch just to catch
  - If you don't know what to do with the exception, let somebody else take it
  - What does the user need to know?
- Make sure you catch all exceptions at the top level

Hide Exception Data From Users
[An error page that was shown to end users; it reveals the framework, the adaptor and the internal type confusion:]

    Application: photosprintshopWeb
    Error: java.lang.IllegalStateException exception
    Reason: java.lang.IllegalStateException: An Exception occurred while generating the Exception page 'WOExceptionPage'. This is most likely due to an error in WOExceptionPage itself. Below are the logs of first the Exception in WOExceptionPage, second the Exception in Application that triggered everything.
    com.webobjects.foundation.NSForwardException [com.webobjects.jdbcadaptor.JDBCAdaptorException] dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time: <Session> failed instantiation.
    Exception raised : com.webobjects.jdbcadaptor.JDBCAdaptorException: dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time: com.webobjects.jdbcadaptor.JDBCAdaptorException: dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time
    Original Exception: com.webobjects.jdbcadaptor.JDBCAdaptorException: dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time

List Thrown Exceptions Explicitly
- Lazy approach: throws Exception
- Engineering approach: throws IOException, SQLException, IllegalAccessException
- This is about communication: the caller (clients) must know what they need to catch
- Be careful with finally: returning from a finally block means NO exceptions will propagate to the parent

Always Log Exceptions
- They usually indicate an error in the program or an error by the user
  - "Errors" by users could be attacks
  - Errors by users could highlight usability flaws
- An exception can be made if the exception handling is part of normal processing
  - Some teachers encourage this, some discourage it

Topics
- Introduction
- Input Data Validation
- Exception Handling
- Conclusions

Summary
- Don't trust users
- Don't bother users