Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Published byCamron Johns Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."— Presentation transcript:

1 Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec June 2004 NYC http://www.owasp.org Input Validation Jeff Williams, OWASP Chair CEO, Aspect Security jeff.williams@aspectsecurity.comeff.williams@aspectsecurity.com 410-707-1487

2 OWASP AppSec 2004 2 It’s All Jon Postel’s Fault  “TCP implementations will follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others.” -- Jon Postel, RFC 793, Sept. 1981

3 OWASP AppSec 2004 3 “Sender Validates” Mindset  Assume that data is valid  Or only check a few pathological cases  Common problems with this approach  Buffer overflows  Forced browsing  Cookie poisoning  SQL injection  Command injection  Format string

4 OWASP AppSec 2004 4 Common Validation Approaches  Deep Packet Inspection  Web Application Firewall  Server Plugin  J2EE Filter  Validation Component  Validation Pattern in Code  Validate Everywhere Completely outside application Completely within application

5 OWASP AppSec 2004 5 Confusing Terms  Filter  Often used synonymously with “Validate,” but implies stripping out something bad.  Blacklist  Validation done against a list of known bad patterns in the input. Generally considered bad practice.  Whitelist  Validation done against a list of known good patterns in the input. Generally considered good practice.

6 OWASP AppSec 2004 6 Architecture  Needs  Nonbypassable control point  Access to the “rules”  Access to any required contextual information  Requirements  Positive security model (deny all)  Easy to maintain for developers

7 OWASP AppSec 2004 7 “Boundary Validation”  Validate at reasonable system boundaries  Between client and business logic  Between business logic and database (e.g.)  Between application and major libraries  Between major subsystems within an application  A better “principle of robustness”  Modified Postel’s Law…  “…be liberal in what you accept from others, then validate the hell out of it.”

8 OWASP AppSec 2004 8 What Are the “Rules”?  Examples:  What punctuation is allowed in a textbox?  What is the zipcode format?  What are the header rules? Cookies?  What are all the possible responses to an error?  How can we detect an attack in progress?  Extra, Missing, Duplicate, and Malformed

9 OWASP AppSec 2004 9 What “Actions” Can You Take?  log "Extra cookie detected, value = $value."  message "Extra cookie detected."  invalidate  delete  sanitize  replace "new_value"  email jeff.williams@owasp.org "Extra cookie detected"  errorpage "Extra cookie detected"  redirect error.jsp?message="Extra cookie detected"  sleep 2000  shutdown

10 OWASP AppSec 2004 10 What “Severity” Applies?  Some errors are “fatal”  Almost certainly an attack  Stop validating, invalidate session (go away)  You can “continue” after some errors  Sanitize, use default, log  Continue validating  Some conditions you just want to “ignore”  Unexpected header

11 OWASP AppSec 2004 11 How to Capture a Rule JSESSIONID cookie ^[A-F0-9]{32}$ fatal invalidate log verbose "Cookie tampering detected." continue log "Cookie missing." redirect “/login”

12 OWASP AppSec 2004 12 How to Assemble a Ruleset Validation rules for the login form /login true …

13 OWASP AppSec 2004 13 How To Review Code for Validation  Trace the “taint” from all calls used to get input  HttpServletRequest.getParameter()  HttpServletRequest.getCookies()  HttpServletRequest.getHeader()  Etc…  Bad Patterns  Input -> Output == cross-site scripting  Input -> System == command injection  Input -> Query == SQL injection  Input -> Fixed buffer or format string == overflow  Input -> Integer == overflow

14 OWASP AppSec 2004 14 Validation Checklist  Is your validation centralized?  Is your validation mandatory?  Do you canonicalize before validating?  Are you validating URL params, cookies, and other headers  NOT just forms? (Struts fails this)  Do you catch extra, missing, and duplicate input?  NOT just corrupt input?  Do you have options for handling validation problems?  Can you detect an attack based on repeated failed input validation?  Is what you log different than what you show the user?  Do your requirements specify all the stuff above?  Do your requirements or detailed design docs specify all the validation rules?  Does you use HTML Entity encoding (e.g. <) on output?

15 OWASP AppSec 2004 15 Simple Audit Exercise public class HelloWorld extends HttpServlet { public void doGet( HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); PrintWriter out = response.getWriter(); out.println(" "); out.println(" Hello World "); out.println(" "); out.println("Hello, " + request.getParameter("name")); out.println(" "); }

16 OWASP AppSec 2004 16 Harder Audit Exercise public class DamagedStrutsForm extends ActionForm { public void doForm( HttpServletRequest request) { UserBean u = session.getUserBean(); u.setName(request.getParameter("name")); u.setFavoriteColor(request.getParameter("color")); } public boolean validate( HttpServletRequest request) { try { if ( request.getParameter("Name").indexOf("<script") != -1 ) { logger.log("Script detected" ); return false; } } catch( Exception e ) {} return true; }

17 OWASP AppSec 2004 17 Haystack Full of Needles  Validation is incredibly important  Difficult to get correct  Spend some time designing your approach  Consider participating in or sponsoring the OWASP Stinger project

Download ppt "Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."

Similar presentations

Chapter 6 Server-side Programming: Java Servlets

Chapter 6 Server-side Programming: Java Servlets
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
JLab Lattice Portal – Data Grid Web Service Ying Chen, Chip Watson Thomas Jefferson National Accelerator Facility.

JLab Lattice Portal – Data Grid Web Service Ying Chen, Chip Watson Thomas Jefferson National Accelerator Facility.
Apache Tomcat as a container for Servlets and JSP

Apache Tomcat as a container for Servlets and JSP
 2002 Prentice Hall. All rights reserved. Chapter 9: Servlets Outline 9.1 Introduction 9.2 Servlet Overview and Architecture 9.2.1 Interface Servlet and.

 2002 Prentice Hall. All rights reserved. Chapter 9: Servlets Outline 9.1 Introduction 9.2 Servlet Overview and Architecture Interface Servlet and.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Servlets Compiled by Dr. Billy B. L. Lim. Servlets Servlets are Java programs which are invoked to service client requests on a Web server. Servlets extend.

Servlets Compiled by Dr. Billy B. L. Lim. Servlets Servlets are Java programs which are invoked to service client requests on a Web server. Servlets extend.
A Servlet’s Job Read explicit data sent by client (form data) Read implicit data sent by client (request headers) Generate the results Send the explicit.

A Servlet’s Job Read explicit data sent by client (form data) Read implicit data sent by client (request headers) Generate the results Send the explicit.
Java Servlets and JSP.

Java Servlets and JSP.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Struts 2.0 an Overview ( )

Struts 2.0 an Overview ( )
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Use to Implement: Input validation Page-Level authorization Session Management Audit Logging Use to Implement: Input validation Page-Level authorization.

Use to Implement: Input validation Page-Level authorization Session Management Audit Logging Use to Implement: Input validation Page-Level authorization.

Similar presentations

Ads by Google