Disclaimer
Opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.
Courtesy
Google for images…
SlideShare for slides…
Wikipedia for text…
Struts Validation Framework
Web Application Security
Structure
• What, why, how – MVC?
– Concept and origin
– Execution process
• What, why, how – Web framework?
– Features
• What, why, how – Validation framework?
• Attacker’s view – why should I care?
– Applications are getting smarter
– Applications are getting tougher
– Old strategy may not work..
– Strategy – outside in to inside out
– Understanding of internals
• Defenders
– How to write/suggest defensive programming
1979
Formulated by Norwegian computer scientist Trygve Reenskaug for Graphical User Interface (GUI) software design; the MVC architecture was one of the primary outcomes of GUI development.
First prototype of a computer mouse
Early Apple GUI
Introduction of graphic “views” in computing
SOFTWARE EVOLUTION
Software Architecture Pattern
Separates representation of information from user interaction.
Promotes:
• Code Reusability
• Separation of Concerns
Separation of Concerns
• Shortens development
• Code Libraries
• Design Patterns
• Frameworks
Code Reusability
• Improves code clarity and organization
• Helps troubleshooting by isolating issues
• Allows for multiple teams to develop simultaneously
Big Picture
Design Patterns → MVC → Frameworks
• Struts – Validation Framework
• Spring – Validation Framework
With framework
• XSS
• SQL injection
• Command Injection
• Xml injection
Without framework
Opportunity to attack
• XSS
• SQL injection
• Command Injection
• Xml injection
Types of MVC Frameworks
ASP.NET
PHP (Zend, Symfony, CakePHP, CodeIgniter)
Javascript ( Backbone.js, Ember.js, JavascriptMVC)
Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket…)
ASP.NET 4.0 Framework
MVC Execution Process
Controller – Mediates input and commands for the model or view
Model – Application data, business rules, logic, and functions
View – Output and representation of data
Advantages of MVC
• Easier to Manage Complexity
• Does not use view state or server based forms
• Rich Routing Structure
• Support for Test-Driven Development
• Supports Large Teams Well
Data-validation Framework
Input filters
• Headers
• Input form fields – text, button, select, radio, hidden, browse
• URL
• Session / Cookie
Output filter
• Response object
• Automatic HTML entity encoding (Spring)
Validation Strategy
• Centralize the data flow: struts-config.xml
– List the address of each input form
• Control each piece of field data: validation form
– Include all input fields
• Assign validation logic to each field: validation.xml
– For each field, specify one or more validation rules
• Define validation logic: validator-rules.xml
– Max length, min length, known-good validation
• Bind each field to a regular expression
Regex: ^[a-z0-9_-]{3,15}$
Characters allowed: a to z (lower case only)
Numbers allowed: 0 1 2 3 4 5 6 7 8 9
Special chars allowed: underscore and hyphen
Max length: 15
Min length: 3
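As an added example (not from the slides and not Struts code), the validation strategy above, layered the way validator-rules.xml and validation.xml are, reduced to a small Python validator: named rules are defined once, every field of a constructed login form is declared and bound to the slide's regex, and the form is checked as a whole. It uses `re.fullmatch` so a `$`-terminated mask cannot be bypassed with a trailing newline, and it reports undeclared fields, which is an assumption stricter than Struts, which simply ignores them.

```python
import re

# Layer 1 (like validator-rules.xml): named validation logic, independent of any form.
# Each rule receives the submitted value and the field's variables; True means valid.
RULES = {
    "required":  lambda v, var: v is not None and v.strip() != "",
    "minlength": lambda v, var: v is None or len(v) >= int(var["minlength"]),
    "maxlength": lambda v, var: v is None or len(v) <= int(var["maxlength"]),
    # fullmatch, not match: with re.match a pattern ending in '$' still accepts "alice\n".
    "mask":      lambda v, var: v is None or re.fullmatch(var["mask"], v) is not None,
}

# Layer 2 (like validation.xml): every input field of the form is listed, each bound to
# rules and to the known-good regex from the slides.  This form is a constructed example.
USERNAME_MASK = r"^[a-z0-9_-]{3,15}$"
LOGIN_FORM = {
    "username": {"depends": ["required", "minlength", "maxlength", "mask"],
                 "var": {"minlength": 3, "maxlength": 15, "mask": USERNAME_MASK}},
    "remember": {"depends": ["mask"], "var": {"mask": r"^(on|off)$"}},
}


def validate(form_def, submitted):
    """Run every declared field through its rules; return {field: [failed rule names]}.

    Fields that were submitted but never declared are listed under '_undeclared',
    so nothing reaches the action unvalidated (assumed policy; Struts ignores them).
    """
    errors = {}
    for name, spec in form_def.items():
        value = submitted.get(name)
        failed = [r for r in spec["depends"] if not RULES[r](value, spec["var"])]
        if failed:
            errors[name] = failed
    extra = sorted(set(submitted) - set(form_def))
    if extra:
        errors["_undeclared"] = extra
    return errors


if __name__ == "__main__":
    for form in ({"username": "alice_01"}, {"username": "Alice"},
                 {"username": "alice\n"}, {"username": "bob", "debug": "1"}):
        print(form, "->", validate(LOGIN_FORM, form) or "OK")
```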
End..
Slides will be uploaded to the null site and SlideShare…
Need hands on…
Scream for a bachaav session…
I am open to take a session…