Struts validation framework part 2
DESCRIPTION
null Bangalore January 2014 Meet
TRANSCRIPT
Disclaimer
Opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.
Courtesy
Google for images…
SlideShare for slides…
Wikipedia for text…
Struts validation framework
Web Application Security
Structure
What, why, how: MVC? Concept and origin; execution process
What, why, how: web framework? Features
What, why, how: validation framework?
Attacker's view: why should I care?
• Applications are getting smarter
• Applications are getting tougher; the old strategy may not work
• Strategy: move from outside-in to inside-out, with an understanding of the internals
Defender's view: how to write (or suggest) defensive programming
1979
Formulated by the Norwegian computer scientist Trygve Reenskaug for graphical user interface (GUI) software design, the MVC architecture was one of the primary outcomes of GUI development.
[Images: the first prototype of a computer mouse; an early Apple GUI; the introduction of graphical "views" in computing.]
SOFTWARE EVOLUTION
Software Architecture Pattern
Separates the representation of information from user interaction.
Promotes:
• Code reusability
• Separation of concerns
Code Reusability
• Shortens development
• Code libraries
• Design patterns
• Frameworks
Separation of Concerns
• Improves code clarity and organization
• Helps troubleshooting by isolating issues
• Allows multiple teams to develop simultaneously
Big Picture
Design patterns: MVC
Frameworks: Struts (validation framework), Spring (validation framework)
[Diagram: Application A, built with a validation framework, beside Application B, built without one.]
With framework, the validation layer is where these input attacks are filtered:
• XSS
• SQL injection
• Command injection
• XML injection
Without framework: opportunity to attack
Types of MVC Frameworks
• ASP.NET
• PHP (Zend, Symfony, CakePHP, CodeIgniter)
• JavaScript (Backbone.js, Ember.js, JavaScriptMVC)
• Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket…)
[Image: ASP.NET 4.0 framework]
MVC Execution Process
Controller – Mediates input and commands for the model or view
Model – Application data, business rules, logic, and functions.
View – Output and representation of data
Advantages MVC
• Easier to manage complexity
• Does not use view state or server-based forms
• Rich routing structure
• Support for test-driven development
• Supports large teams well
Data-validation Framework
Input filters
• Headers
• Input form fields: text, button, select, radio, hidden, file (browse)
• URL
• Session / cookie
Output filter
• Response object
• Automatic HTML entity encoding (Spring)
Validation Strategy
• Centralize the data flow: struts-config.xml
– List the address (path) of every input form
• Control each piece of data: validation form
– Include every input field
• Assign validation logic to each field: validation.xml
– For each field, specify one or more validation rules
• Define validation logic: validation-rules.xml
– Max length, min length, known-good validation
• Bind each field to a regular expression
[Diagram: a web app without a framework beside one using Struts (struts-config.xml, validation.xml); in the Struts case every input field passes through the three checks max length, min length and known good.]
Known-good mask used in the diagram: ^[0-9a-zA-Z]*$
Allowed characters: 0123456789abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
Sample inputs: null123, '--1, Abx12p, @!#$%
Pass the mask: null123, Abx12p
Rejected by the mask: '--1, @!#$%
Chars Encoding (output filter)
< encodes to &lt;
> encodes to &gt;
& encodes to &amp;
Input: null<xyz>123&
Encoded output: null&lt;xyz&gt;123&amp;
Regex: ^[a-z0-9_-]{3,15}$
Characters allowed: a to z (lower case only)
Numbers allowed: 0 1 2 3 4 5 6 7 8 9
Special chars allowed: underscore and hyphen
Max length: 15
Min length: 3
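To make the known-good and output-encoding slides concrete, here is an added example written for this page, not code from the presentation: it runs the deck's own sample values through both masks (the diagram's ^[0-9a-zA-Z]*$ and the closing slide's ^[a-z0-9_-]{3,15}$) and through the entity table from the Chars Encoding slide. The class and method names are assumptions; in a real Struts 1 application the mask check is performed by the mask rule in validation.xml and the encoding by the view layer (for example <bean:write>, whose filter attribute defaults to true), so this code stands in for what those pieces do.

```java
import java.util.regex.Pattern;

/**
 * Added example for this page (not code from the slides): applies the deck's two
 * known-good masks and its entity-encoding table to the deck's sample inputs.
 * Class and method names are assumptions made here for illustration.
 */
public class KnownGoodDemo {

    /** Mask from the diagram: alphanumerics only; note the * also accepts the empty string. */
    static final Pattern ALNUM_ANY_LENGTH = Pattern.compile("^[0-9a-zA-Z]*$");

    /** Mask from the closing slide: a-z, 0-9, underscore, hyphen; 3 to 15 characters.
     *  The hyphen sits last in the class so it is a literal, not a range. */
    static final Pattern USERNAME = Pattern.compile("^[a-z0-9_-]{3,15}$");

    /** Known-good check: accept only if the whole value matches the mask (matches(), never find()). */
    static boolean isKnownGood(Pattern mask, String value) {
        return value != null && mask.matcher(value).matches();
    }

    /**
     * Output filter: the three rows of the Chars Encoding slide, plus both quote
     * characters so the result is also safe inside an HTML attribute value.
     */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Sample values constructed from the slides; "" is added to show the * edge case
        // and the last value is the slide's encoding example.
        String[] samples = { "null123", "'--1", "Abx12p", "@!#$%", "", "null<xyz>123&" };
        System.out.printf("%-14s %-6s %-6s %s%n", "input", "alnum", "user", "encoded");
        for (String s : samples) {
            System.out.printf("%-14s %-6b %-6b %s%n", s,
                    isKnownGood(ALNUM_ANY_LENGTH, s),
                    isKnownGood(USERNAME, s),
                    htmlEncode(s));
        }
    }
}
```

Running it reproduces the diagram: null123 and Abx12p pass the alphanumeric mask while '--1 and @!#$% do not, only null123 also passes the username mask (Abx12p has an upper-case A), and null<xyz>123& fails both masks and encodes to null&lt;xyz&gt;123&amp;. Two points the slides imply but do not spell out: the first mask's * accepts the empty string, which is why it has to be paired with a min-length or required rule; and a check that uses find() instead of matches(), or drops the ^ and $ anchors, would let '--1 through because it contains a matching substring. Java's matches() demands that the entire input match, so a value with a trailing newline also fails the check.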
End..
Slides will be uploaded to the null site and SlideShare…
Need hands-on… Scream for a Bachaav session…
I am open to taking a session…