Presentation is loading. Please wait.

Presentation is loading. Please wait.

Input Data Validation for Web Applications

Published byElke Stieber Modified over 5 years ago

Similar presentations

Presentation on theme: "Input Data Validation for Web Applications"— Presentation transcript:

1 Input Data Validation for Web Applications
Jeff Offutt SWE 432 Design and Implementation of Software for the Web

2 Topics Introduction Input Data Validation Exception Handling
Conclusions 16 July 2019 © Offutt

3 Deciding if input values can be processed by the software
Validating Inputs Input Validation Deciding if input values can be processed by the software Before starting to process inputs, wisely written programs check that the inputs are valid How should a program recognize invalid inputs ? What should a program do with invalid inputs ? It is easy to write input validators – but also easy to make mistakes ! 16 July 2019 © Offutt

4 Representing Input Domains
Goal domains are often irregular Goal domain for credit cards† First digit is the Major Industry Identifier First 6 digits and length specify the issuer Final digit is a “check digit” Other digits identify a specific account Common specified domain First digit is in { 3, 4, 5, 6 } (travel and banking) Length is between 13 and 16 Common implemented domain All digits are numeric All digits are numeric † More details are on : 16 July 2019 © Offutt

5 Representing Input Domains
Desired inputs (goal domain) Described inputs (specified domain) This region is a rich source of software errors … … and security vulnerabilities !!! Accepted inputs (implemented domain) 16 July 2019 © Offutt

6 Users Can Bypass Client Validation
Client-side HTML and Javascript can impose constraint enforcement JS checks on input values HTML restrictions such as maxLength Implicit restrictions such as dropdown menus and radio boxes Users can violate constraints (accidentally and intentionally): When automating Turning JS off To attack your software 16 July 2019 © Offutt

7 Example User Name: Age: Version to purchase: Small $150 Medium $250
Large $500 16 July 2019 © Offutt

8 Client Side Checking 500 User Name: Alan<Turing Age:
Username should be plain text only. Age should be between 18 and 150. Invalid data, please correct … User Name: Alan<Turing 500 Age: Version to purchase: Small $150 Medium $250 Large $500 16 July 2019 © Offutt

9 Abbreviated HTML Constraints <FORM >
<INPUT Type=“text” Name=“username” Size=20> <INPUT Type=“text” Name=“age” Size=3 Maxlength=3> <P> Version to purchase: <INPUT Type=“radio” Name=“version” Value=“150” Checked> <INPUT Type=“radio” Name=“version” Value=“250”> <INPUT Type=“radio” Name=“version” Value=“500”> <INPUT Type="submit" onClick="return checkInfo(this.form)"> <INPUT Type=“hidden” isLoggedIn=“no”> </FORM> Constraints 16 July 2019 © Offutt

10 Saved & Modified HTML 25 yes <FORM >
<INPUT Type=“text” Name=“username” Size=20> <INPUT Type=“text” Name=“age” Size=3 Maxlength=3> <P> Version to purchase: <INPUT Type=“radio” Name=“version” Value=“150”> <INPUT Type=“radio” Name=“version” Value=“250”> <INPUT Type=“radio” Name=“version” Value=“500” Checked> <INPUT Type=“submit” onClick=“return checkInfo (this.form)”> <INPUT Type=“hidden” isLoggedIn= “no” > </FORM> Allows an input with arbitrary age, no checking, cost=$25 … ‘<‘ can crash an XML parser Text fields can have SQL statements 25 yes 16 July 2019 © Offutt

11 SQL Injection User Name: turing ’ OR ‘1’=‘1 Password: enigma
Original SQL: SELECT username FROM adminuser WHERE username=‘turing’ AND password =‘enigma’ “injected” SQL: SELECT username FROM adminuser WHERE username=‘turing’ OR ‘1’ = ‘1’ AND password =‘enigma’ OR ‘1’ = ‘1’ 16 July 2019 © Offutt

12 Apply input validation to all inputs
Do not trust users !!! Apply input validation to all inputs 16 July 2019 © Offutt

13 Topics Introduction Input Data Validation Exception Handling
Conclusions 16 July 2019 © Offutt

14 Managing Exceptions Language exception handling features allow programmers to separate functional logic from error condition handling try { A computation that can produce exception } catch (BadException e) { log it and recover Java compiler verifies exceptions handled in program Some languages do not support this Checked exceptions force engineers to handle errors 16 July 2019 © Offutt

15 Catch Low—If You Can Recover
Have a sensible recovery strategy FileNotFoundException : Ask user for another file name System.OutOfMemoryException : Probably kill the process Catching “low” means you have more information to recover with But do not catch just to catch If you don’t know what to do with the exception, let somebody else take it What does the user need to know ? Make sure you catch all exceptions at the top level 16 July 2019 © Offutt

16 Hide Exception Data From Users
Application: photosprintshopWeb Error: java.lang.IllegalStateException exception Reason: java.lang.IllegalStateException: An Exception occurred while generating the Exception page 'WOExceptionPage'. This is most likely due to an error in WOExceptionPage itself. Below are the logs of first the Exception in WOExceptionPage, second the Exception in Application that triggered everything. com.webobjects.foundation.NSForwardException [com.webobjects.jdbcadaptor.JDBCAdaptorException] dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time: <Session> failed instantiation. Exception raised : com.webobjects.jdbcadaptor.JDBCAdaptorException: dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time: com.webobjects.jdbcadaptor.JDBCAdaptorException: dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time Original Exception: com.webobjects.jdbcadaptor.JDBCAdaptorException: dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time 16 July 2019 © Offutt

17 List Thrown Exceptions Explicitly
Lazy approach : throws Exception Engineering approach : throws IOException, SQLException, IllegalAccessException This is about communication The caller (clients) must know what they need to catch Be careful with finally Returning from a finally block means NO exceptions will propagate to the parent 16 July 2019 © Offutt

18 Always Log Exceptions They usually indicate an error in the program or an error by the user “Errors” by users could be attacks Errors by users could highlight usability flaws An exception can be made if the exception handling is part of normal processing Some teachers encourage this, some discourage it 16 July 2019 © Offutt

19 Topics Introduction Input Data Validation Exception Handling
Conclusions 16 July 2019 © Offutt

20 Summary Don’t trust users Don’t bother users 16 July 2019 © Offutt

Download ppt "Input Data Validation for Web Applications"

Similar presentations

Welcome to eDMR This PowerPoint presentation is designed to show eDMR users how to login and begin using the eDMR system.

Welcome to eDMR This PowerPoint presentation is designed to show eDMR users how to login and begin using the eDMR system.
An Introduction to Java Programming and Object- Oriented Application Development Chapter 8 Exceptions and Assertions.

An Introduction to Java Programming and Object- Oriented Application Development Chapter 8 Exceptions and Assertions.
Introduction to Software Testing Chapter 5.5 Input Space Grammars Paul Ammann & Jeff Offutt www.introsoftwaretesting.com.

Introduction to Software Testing Chapter 5.5 Input Space Grammars Paul Ammann & Jeff Offutt
Introduction to Software Testing Chapter 9.5 Input Space Grammars Paul Ammann & Jeff Offutt

Introduction to Software Testing Chapter 9.5 Input Space Grammars Paul Ammann & Jeff Offutt
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Creating Web Page Forms. Objectives Describe how Web forms can interact with a server-based program Insert a form into a Web page Create and format a.

Creating Web Page Forms. Objectives Describe how Web forms can interact with a server-based program Insert a form into a Web page Create and format a.
Exceptions in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

Exceptions in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Database Management Systems (DBMS)

Database Management Systems (DBMS)
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.

1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.
4-Sep-15 HTML Forms Mrs. Goins Web Design Class. Parts of a Web Form A Form is an area that can contain Form Control/Elements. Each piece of information.

4-Sep-15 HTML Forms Mrs. Goins Web Design Class. Parts of a Web Form A Form is an area that can contain Form Control/Elements. Each piece of information.
XP Tutorial 6New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Creating Web Page Forms Designing a Product Registration Form Tutorial.

XP Tutorial 6New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Creating Web Page Forms Designing a Product Registration Form Tutorial.
Introduction to Software Testing Chapter 5.5 Input Space Grammars Paul Ammann & Jeff Offutt www.introsoftwaretesting.com.

Introduction to Software Testing Chapter 5.5 Input Space Grammars Paul Ammann & Jeff Offutt
June 14, 2001Exception Handling in Java1 Richard S. Huntrods June 14, 2001 University of Calgary.

June 14, 2001Exception Handling in Java1 Richard S. Huntrods June 14, 2001 University of Calgary.
CIS 270—Application Development II Chapter 13—Exception Handling.

CIS 270—Application Development II Chapter 13—Exception Handling.
Overview of Previous Lesson(s) Over View  ASP.NET Pages  Modular in nature and divided into the core sections  Page directives  Code Section  Page.

Overview of Previous Lesson(s) Over View  ASP.NET Pages  Modular in nature and divided into the core sections  Page directives  Code Section  Page.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
XP Tutorial 10New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Working with JavaScript Creating a Programmable Web Page for North Pole.

XP Tutorial 10New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Working with JavaScript Creating a Programmable Web Page for North Pole.

Similar presentations

Ads by Google