Chapter X Handling Input

VALIDATE!
- Validate all input.
- Validate input from ALL sources.
- Establish trust boundaries: store validated and unvalidated data separately to ensure that validation is always performed.

How to validate
- Use strong validation.
- Avoid blacklisting.
- Don't confuse validation done for usability with validation done for security.
- Reject bad data.
- Make good input validation the default.
- Use abstraction.
- Always check input length.
- Bound numeric input (above and below).

What to validate
VALIDATE ALL INPUT. Examples: command line parameters, config files, data retrieved from a database, environment variables, network services, registry values, system properties, temporary files, etc.
The attack surface of an application (the places where it accepts input) is the set of function calls that are invoked externally or provide external data. Examples: cin, int main(args...)
Two kinds of validation:
- Syntax checking
- Semantic checking

Some bad examples: the .htaccess file in Apache (page 123); the --delimiter parameter (page 124).

Database Queries
It is hard to check the accuracy of database data. However, sanity checks are a definite must:
- If the output is expected to be unique, check that only one row of data is returned.
- Check the format of the data returned from the database: bad data could be the result of a malformed query, or worse!
- Other, ad-hoc checks could be made.

Network Services
DO NOT TRUST DNS NAMES. DO NOT TRUST IP ADDRESSES.
DNS CACHE POISONING has happened and will happen again. The problem can arise for both outgoing and incoming communications.
Cautionary tales: Apple OS X (page 129); Sony rootkit eraser.

Establish Trust Boundaries
Beware of mixing validated and unvalidated data; it is very easy to do sometimes.
- For example, sometimes all the data has to be read before it can be validated.
- For example, a complex data structure is read and is hard to validate.

How to Validate
- Check input length (min and max).
- Bound numeric values (min and max).
- Whitelist: have a list of acceptable inputs to check against.
- Indirect selection: index into a list of acceptable inputs.
- Whitelist: check the format (e.g. phone numbers). Use a regex?
- Avoid blacklisting.
- Beware of double decoding.
- Don't mistake usability for security.
- Reject bad data.
- Create a security-enhanced input API: consistent, maintainable, constant, omnipresent.
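The "How to validate", "What to validate", "Establish Trust Boundaries" and "How to Validate" slides describe the same small set of checks. The following is an added example (not from the lecture or the Chess and West book) of a security-enhanced input API in Python that implements them: every function either returns a `Validated` wrapper (a constructed marker type standing in for the trust boundary, so trusted code can refuse raw strings) or raises; bad data is rejected, never repaired. All names, the phone-number format and the sample inputs are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Added example: a minimal "security-enhanced input API".  Names, formats and
# inputs are constructed for illustration, not taken from the lecture.


class ValidationError(ValueError):
    """Raised for any input that fails a check: bad data is rejected, not fixed."""


@dataclass(frozen=True)
class Validated:
    """Marker for data that has crossed the trust boundary.

    Code on the trusted side accepts only Validated, so an unvalidated string
    cannot be passed by mistake (a constructed convention for this example)."""
    value: object


def check_length(s: str, min_len: int, max_len: int) -> Validated:
    """Always check input length, both minimum and maximum."""
    if not isinstance(s, str) or not (min_len <= len(s) <= max_len):
        raise ValidationError(f"length not in [{min_len}, {max_len}]")
    return Validated(s)


def check_int_bounds(s: str, low: int, high: int) -> Validated:
    """Bound numeric input above and below; parse strictly (digits and an optional '-')
    so that '4.2', '0x10' or ' 42' are rejected rather than coerced."""
    if not re.fullmatch(r"-?[0-9]{1,18}", s):
        raise ValidationError("not a plain integer")
    n = int(s)
    if not (low <= n <= high):
        raise ValidationError(f"{n} not in [{low}, {high}]")
    return Validated(n)


def check_whitelist(s: str, allowed: frozenset) -> Validated:
    """Whitelist: the input must be one of a fixed set of acceptable values."""
    if s not in allowed:
        raise ValidationError("not in whitelist")
    return Validated(s)


def select_indirect(index_str: str, choices: tuple) -> Validated:
    """Indirect selection: the client supplies an index into a fixed list and
    never the value itself, so only listed values can ever be produced."""
    n = check_int_bounds(index_str, 0, len(choices) - 1).value
    return Validated(choices[n])


PHONE_RE = re.compile(r"\+?[0-9]{7,15}")  # constructed format: optional '+', 7 to 15 digits


def check_phone(s: str) -> Validated:
    """Whitelist by format with a regex; fullmatch so nothing can trail the number."""
    if not PHONE_RE.fullmatch(s):
        raise ValidationError("bad phone format")
    return Validated(s)


def check_single_decoded(s: str) -> Validated:
    """Beware of double decoding: decode exactly once, then require that a second
    decode would change nothing.  '%2527' decodes to '%27', which a later decoding
    layer would turn into a quote, so it is rejected here instead of passed on."""
    once = unquote(s)
    if unquote(once) != once:
        raise ValidationError("input is double-encoded")
    return Validated(once)


def rejects(fn, *args) -> bool:
    """True if the validator refuses the input (used to exercise the checks)."""
    try:
        fn(*args)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    fields = ("name", "email", "created")
    print(select_indirect("1", fields).value)          # email
    print(check_single_decoded("a%20b").value)          # a b
    print(rejects(check_single_decoded, "%2527"))       # True
    print(rejects(check_int_bounds, "101", 0, 100))     # True
```

Each validator is consistent (same error type, same return type) and omnipresent in the sense that trusted code can be written to accept only `Validated`; the double-decoding check shows the general rule that an input layer should decode once and refuse anything that still looks encoded afterwards.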

Metacharacter Vulnerabilities
Metacharacters (' ; .. / \ && \n ...) are very dangerous. Use parameterized commands. Example: instead of SQL(...) use Select(,, ) for Select * FROM WHERE = ' '
Beware of:
- Path manipulation
- Command separation/injection
- Log forging
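The "Database Queries" and "Metacharacter Vulnerabilities" slides fit together in one added example (not from the lecture): a parameterized SELECT over a constructed in-memory SQLite table, followed by the sanity checks on the result the earlier slide asks for (exactly one row for a unique key, and a format check on the returned value), plus two small guards for the other two metacharacter classes listed: a path-containment check and neutralisation of line breaks in log data. Table layout, the `users` rows, the e-mail regex and the base directory are all assumptions made for this example.

```python
import os
import re
import sqlite3
from typing import Optional

# Added example: parameterized SQL with result sanity checks, plus path and log
# guards.  The table, rows and formats are constructed for illustration.


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # constructed, deliberately simple


def lookup_email(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """Parameterized command: `name` is bound as data, so quotes, semicolons and
    comment markers inside it never become part of the SQL text."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    # Sanity checks on what came back: a lookup on a unique key must yield at most
    # one row, and the row must have the expected shape and format.
    if len(rows) > 1:
        raise RuntimeError("expected a unique row; query or stored data is wrong")
    if not rows:
        return None
    (email,) = rows[0]
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        raise RuntimeError("stored email has an unexpected format")
    return email


def safe_path(base_dir: str, file_name: str) -> str:
    """Path manipulation guard: accept a plain file name only (no separators,
    no '.' or '..'), then confirm the resolved path is still inside base_dir."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", file_name) or file_name in (".", ".."):
        raise ValueError("file name rejected")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes base directory")
    return full


def log_line(event: str, user_input: str) -> str:
    """Log forging guard: CR, LF and other non-printable characters in untrusted
    data are replaced so a single input cannot produce extra log records."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in user_input)
    return f"{event}: {cleaned}"


def raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc (used to exercise the guards)."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_email(db, "alice"))                  # alice@example.com
    print(lookup_email(db, "alice' OR 1=1 --"))       # None: compared literally
    print(safe_path("/tmp/uploads", "report.txt"))
    print(log_line("login", "bob\nFAKE: admin logged in"))
```

The placeholder bound with `?` is the parameterized command the slide recommends: the database receives the query text and the value separately, so a name containing a quote is simply a name that no user has. The two guards follow the same whitelist-then-verify pattern as the validation slides: a narrow allowed character set first, and a structural check (path containment, absence of control characters) as a second line of defence.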