SlideShare a Scribd company logo

02. input validation module v5

Download as pptx, pdf
Eoin Keary
Eoin Keary

Input validation is important to prevent attacks. User input should never be trusted and should be validated using a whitelist approach at the earliest stage. Layers of defense like regular expression validation and bounds checking should be used. Input can be validated using known good, known bad, or exact match approaches against expected values or formats. Escaping input is not enough--invalid input should be rejected rather than processed.

1 of 35
Downloaded 37 times
1
Input Validation Eoin Keary CTO BCC Risk Advisory www.bccriskadvisory.com www.edgescan.com
2
Where are we going? Don’t ever trust user input Where possible, use whitelist validation Perform input validation at earliest possible stage Layers of defense Use in-built validator routines
3
Data Validation Input that is not directly entered by the user is typically less prone to validation Attacks discussed in this section apply to external input from any client-side source Standard form input control Read-only HTML form controls (drop down lists, radio buttons, hidden fields, etc) HTTP Cookie Values HTTP Headers Embedded URL parameters (e.g., in the GET request)
Most read
4
Data Validation Known Bad Known Good Exact Match  Data Validation is typically done using one of three basic approaches  All input must be properly validated on the server (not the client) to ensure that malicious data is not accepted and processed by the application
Most read
5
Data is validated against a list of explicit known values Application footprint or “application attack surface” defined Provides the strongest level of protection against malicious data Often not feasible when a large number of possible good values are expected May require code modification any time input values are changed or updated Exact Match Validation Example: Acceptable input is yes or no if ($input eq“yes” or $input eq “no”)
6
Exact Match Validation Example Validates the variable gender against 2 known values (.NET) static bool validateGender(String gender) { if (gender.equals(“Female“)) return true; else if (gender.equals(“Male“)) return true; else return false; //attack SOUND THE ALARM! BEEP BEEP! }
7
Exact Match Validation Example Validates the variable gender against 2 known values (Java) static boolean validateGender (String gender) { if (gender.equals (“Female“)) return true; else if (gender.equals (“Male“)) return true; else return false; //attack }
8
Known Good Validation Often called "white list" validation Data is validated against a list of allowable characters and patterns Typically implemented using regular expressions to match known good data patterns Data type cast/convert functions can be used to verify data conforms to a certain data type (i.e. Int32) Expected input character values must be clearly defined for each input variable Care must be taken if complex regular expressions are used A common mistake is to forget to anchor the expression with ^ and $
9
Regular Expression Syntax Symbol Match ^ Beginning of input string $ End of input string * Zero or more occurrences of previous character, short for {0,} + One or more occurrences of previous character, short for {1,} ? Zero or one occurrences of previous character, short for {0,1} {n,m} At least n and at most m occurrences of previous character . Any single character, except ‘n’ [xyz] A character set (i.e. any one of the enclosed characters) [^xyz] A negative character set (i.e. any character except the enclosed) [a-z] A range of characters
10
Regular Expression Syntax - shortcuts Symbol Match d Any digit, short for [0-9] D A non-digit, short for [^0-9] s A whitespace character, short for [ tnx0brf] S A non-whitespace character, for short for [^s] w A word character, short for [a-zA-Z_0-9] W A non-word character [^w] S+ Several non-whitespace characters
11
Example 1 Validating SSN entry if ($input=~/^[0-9]{9}$/) Example 2 Validating entry of a last name if ($input=~/^[A-Za-z][-.'0-9A-Za-z]{1,256}$/) Example 3 Validating SSN entry (Short cut) if ($input=~/^d{9}$/) Examples 123-56-3454
Most read
12
Regular Expressions - Templates Field Expression Format Samples Description Name ^[a-zA-Z-'s]{1,40}$ John Doe Validates a name. Allows up to 40 uppercase and lowercase characters and a few special characters that are common to some names. You can modify this list. Social Security Number ^d{3}-d{2}-d{4}$ 111-11-1111 Validates the format, type, and length of the supplied input field. The input must consist of 3 numeric characters followed by a dash, then 2 numeric characters followed by a dash, and then 4 numeric characters. Phone Number ^[01]?[- .]?(([2-9]d{2})|[2- 9]d{2})[- .]?d{3}[- .]?d{4}$ (425) 555-0123 Validates a U.S. phone number. It must consist of 3 numeric characters, optionally enclosed in parentheses, followed by a set of 3 numeric characters and then a set of 4 numeric characters. E-mail ^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~- ]+@[a-zA-Z0-9-]+(?:.[a-zA-Z0-9- ]+)*$ someone@exampl e.com Validates an e-mail address. (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address). URL ^(ht|f)tp(s?)://[0-9a-zA-Z]([- .w]*[0-9a-zA-Z])*(:(0- 9)*)*(/?)([a-zA-Z0-9- .?,'/+&%$#_]*)?$ http://www.micros oft.com Validates a URL ZIP Code ^(d{5}-d{4}|d{5}|d{9})$|^([a- zA-Z]d[a-zA-Z] d[a-zA-Z]d)$ 12345 Validates a U.S. ZIP Code. The code must consist of 5 or 9 numeric characters. Password (?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a- zA-Z0-9]{8,10})$ Validates a strong password. It must be between 8 and 10 characters, contain at least one digit and one alphabetic character, and must not contain special characters. Non- negative integer ^d+$ 0 Validates that the field contains an integer greater than zero. Currency (non- negative) ^d+(.dd)?$ 1 Validates a positive currency amount. If there is a decimal point, it requires 2 numeric characters after the decimal point. For example, 3.00 is valid but 3.1 is not. Currency (positive or negative) ^(-)?d+(.dd)?$ 1.2 Validates for a positive or negative currency amount. If there is a decimal point, it requires 2 numeric characters after the decimal point.
13
Regular Expressions Regular Expressions is a term used to refer to a pattern-matching technology for processing text Although there is no standards body governing the regular expression language, Perl 5, by virtue of its popularity, has set the standard for regular expression syntax A Regular Expression itself is a string that represents a pattern, encoded using the regular expression language and syntax
14
Regular Expression - Zend $validator = new Zend_Validate_Regex(array('pattern' => '/^Test/'); $validator->isValid("Test"); // returns true $validator->isValid("Testing"); // returns true $validator->isValid("Pest"); // returns false
15
Data Validation Techniques Validates against a regular expression representing the proper expected data format (10 alphanumeric characters) (.NET) using System.Text.RegularExpressions; static bool validateUserFormat(String userName) { bool isValid = false; //Fail by default // Verify that the UserName is 1-10 character alphanumeric isValid = Regex.IsMatch(userName, @"^[A-Za-z0-9]{10}$"); return isValid; }
16
Regular Expressions - assertions Assert a string is 8 or more characters: (?=.{8,}) Assert a string contains at least 1 lowercase letter (zero or more characters followed by a lowercase character): (?=.*[a-z]) Assert a string contains at least 1 uppercase letter (zero or more characters followed by an uppercase character): (?=.*[A-Z]) Assert a string contains at least 1 digit: (?=.*[d]) So if you want to match a string at least 6 characters long, with at least one lower case and at least one uppercase letter you could use something like: ^.*(?=.{6,})(?=.*[a-z])(?=.*[A-Z]).*$
17
Known Good Validation Example Validates against a regular expression representing the proper expected data format (10 alphanumeric characters) (Java) import java.util.regex.*; static boolean validateUserFormat(String userName){ boolean isValid = false; //Fail by default try{ // Verify that the UserName is 10 character alphanumeric if (Pattern.matches(“^[A-Za-z0-9]{10}$”, userName)) isValid=true; } catch(PatternSyntaxException e) { System.out.println(e.getDescription()); } return isValid; }
18
Known Good Example $validator = new Zend_Validate_Alnum(); if ($validator->isValid('Abcd12')) { // value contains only allowed chars } else { // false }
19
Known Good Example - Chains // Create a validator chain and add validators to it $validatorChain = new Zend_Validate(); $validatorChain->addValidator( new Zend_Validate_StringLength(array('min' => 6, 'max' => 12))) ->addValidator(new Zend_Validate_Alnum()); // Validate the username if ($validatorChain->isValid($username)) { // username passed validation } else { // username failed validation; print reasons or whatever….. foreach ($validatorChain->getMessages() as $message) { echo "$messagen"; }
20
Often called "BlackList" validation Data is validated against a list of characters that are deemed to be dangerous or unacceptable Useful for preventing specific characters from being accepted by the application Provides the weakest method of validation against malicious data Susceptible to bypass using various forms of character encoding Known Bad Validation Example: Validating entry into generic text field if ($input !~/[rtn><();+&%’”*|]/)
21
Known Bad Validation Example Validates against a regular expression of known bad input strings (.Net) using System.Text.RegularExpressions; static boolean checkMessage(string messageText){ bool isValid = false; //Fail by default // Verify input doesn’t contain any < , > isValid = !Regex.IsMatch(messageText, @"[><]"); return isValid; }
22
Known Bad Validation Example Validates against a regular expression of known bad input strings (Java) import java.util.regex.*; static boolean checkMessage (string messageText) { boolean isValid = false; //Fail by default try { Pattern P = Pattern.compile (“<|>”, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE); Matcher M = p.matcher(messageText); if (!M.find()) isValid = true; } catch(Exception e) { System.out.println(e.toString()); } return isValid; }
23
Bounds Checking All external input must also be properly validated to ensure that excessively large input is rejected Length checking: A maximum length check should be performed on all incoming application data. Careful about name length! Lokelani Keihanaikukauakahihuliheekahaunaele is a real person! Input that exceeds the appropriate length or size limits must be rejected and not processed by the application Size checking: A maximum size check should be performed on all incoming data files
24
The following code reads a String from a file. Because it uses the readLine() method, it will read an unbounded amount of input until a <newline> (n) charter is read. InputStream Input = inputfileFile.getInputStream(Entry); Reader inpReader = new InputStreamReader(Input); BufferedReader br = new BufferedReader(inpReader); String line = br.readLine(); This could be taken advantage of and cause an OutOfMemoryException or to consume a large amount of memory which shall affect performance and initiate costly garbage collection routines. Bounds Checking – Example Unbounded Reading of a file
25
Bounds checking $validator = new Zend_Validate_StringLength(array('max' => 6)); $validator->isValid("Test"); // returns true $validator->isValid("Testing"); // returns false
26
Bounds checking – File size $upload = new Zend_File_Transfer(); // Limit the size of all files to be uploaded to 40000 bytes $upload->addValidator('FilesSize', false, 40000); // Limit the size of all files to be uploaded to maximum 4MB and mimimum 10kB $upload->addValidator('FilesSize', false, array('min' => '10kB', 'max' => '4MB'));
27
.NET Validator Controls: RequiredFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator, CustomValidator, ValidateRequest Jakarta Commons Validator: required, mask, range, maxLength, minLength, datatype, date, creditCard, email, regularExpression Native Validation Controls Many development platforms have native validator controls, such as Jakarta and .NET
28
Escaping vs. Rejecting When validating data, one can either reject data failing to meet validation requirements or attempt to “clean” or escape dangerous characters Failed validation attempts should always reject the data to minimise the risk that sanitisation routines will be ineffective or can be bypassed Error messages displayed when rejecting data should specify the proper format for the user to enter appropriate data Error messages should not redisplay the input the user has entered
29
The Problem with Escaping --- Snip --- page_template = request.queryString("page") replace(page_template , "/", "") replace(page_template, "..", "") getFile(page_template) --- End Snip --- http://www.example.com/content/default.jsp?page=info.htm  Page_template = info.htm <- First Pass  Page_template = info.htm <- Second Pass http://www.example.com/content/default.jsp?page=../web.xml  Page_template = .. web.xml <- First Pass  Page_template = web.xml <- Second Pass http://www.example.com/content/default.jsp?page=....//web.xml  Page_template = ....web.xml <- First Pass  Page_template = ..web.xml <- Second Pass
30
Input Based Attacks Malicious user input can be used to launch a variety of attacks against an application. These attacks include, but are not limited to: Parameter Manipulation  Cookie poisoning  Hidden field manipulation Content injection  SQL  HTTP Response Splitting  Operating system calls  Command insertion  XPath Cross site scripting  … Buffer overflows  Format string attacks
31
Parameter Manipulation Applications typically pass parameters that determine what the user can do or see Unauthorised access to application data can be obtained by manipulating parameter values, if record-level authorisation checks are not performed within the application code Many applications tend to pass sensitive parameters back and forth rather than using server session variables to store the information Very common to see this in HTTP cookies “hidden” HTML form fields
32
Parameter Manipulation Database record index numbers are often passed as page parameters to view a specific record If there is a relatively small range of possible index values, sequential parameter values can by cycled to view other records Even-non sequential indexing can be attacked within a small range of potential values Manipulating parameter values can be trivial when other obvious valid Values exist: Username=joe (change to username=mary) Privilege=user (change to privilege=admin) Price=100.00 (change to price=1.00)
33
Testing for Parameter Manipulation Identify areas in the application where records appear to be displayed based on input parameters Attempt to access records using other known valid parameter values For parameter values that seem to fall within a variable range, cycle through the range to search for other valid records Identify all data being passed in hidden fields. Attempt to determine: What the data is being used for Whether use of a hidden field seems appropriate
34
Defenses Against Parameter Manipulation Data that should not be altered should never be passed to the client Always perform validation on the server Use the most restrictive input validation method possible Use Exact Match Validation to verify that parameters values are appropriate for the specific transaction or user’s permission level In situations where a query or hash table lookup is required, Known Good Validation should be used to validate the parameter before performing the lookup Retrieve the information from the client once, validate it and keep it on the server associated with that user’s session
35
Summary Don’t ever trust user input Where possible, use whitelist validation Perform input validation at earliest possible stage Layers of defense Use in-built validator routines
Input Validation Eoin Keary CTO BCC Risk Advisory www.bccriskadvisory.com www.edgescan.com
Where are we going? Don’t ever trust user input Where possible, use whitelist validation Perform input validation at earliest possible stage Layers of defense Use in-built validator routines
Data Validation Input that is not directly entered by the user is typically less prone to validation Attacks discussed in this section apply to external input from any client-side source Standard form input control Read-only HTML form controls (drop down lists, radio buttons, hidden fields, etc) HTTP Cookie Values HTTP Headers Embedded URL parameters (e.g., in the GET request)
Data Validation Known Bad Known Good Exact Match  Data Validation is typically done using one of three basic approaches  All input must be properly validated on the server (not the client) to ensure that malicious data is not accepted and processed by the application
Data is validated against a list of explicit known values Application footprint or “application attack surface” defined Provides the strongest level of protection against malicious data Often not feasible when a large number of possible good values are expected May require code modification any time input values are changed or updated Exact Match Validation Example: Acceptable input is yes or no if ($input eq“yes” or $input eq “no”)
Exact Match Validation Example Validates the variable gender against 2 known values (.NET) static bool validateGender(String gender) { if (gender.equals(“Female“)) return true; else if (gender.equals(“Male“)) return true; else return false; //attack SOUND THE ALARM! BEEP BEEP! }
Exact Match Validation Example Validates the variable gender against 2 known values (Java) static boolean validateGender (String gender) { if (gender.equals (“Female“)) return true; else if (gender.equals (“Male“)) return true; else return false; //attack }
Known Good Validation Often called "white list" validation Data is validated against a list of allowable characters and patterns Typically implemented using regular expressions to match known good data patterns Data type cast/convert functions can be used to verify data conforms to a certain data type (i.e. Int32) Expected input character values must be clearly defined for each input variable Care must be taken if complex regular expressions are used A common mistake is to forget to anchor the expression with ^ and $
Regular Expression Syntax Symbol Match ^ Beginning of input string $ End of input string * Zero or more occurrences of previous character, short for {0,} + One or more occurrences of previous character, short for {1,} ? Zero or one occurrences of previous character, short for {0,1} {n,m} At least n and at most m occurrences of previous character . Any single character, except ‘n’ [xyz] A character set (i.e. any one of the enclosed characters) [^xyz] A negative character set (i.e. any character except the enclosed) [a-z] A range of characters
Regular Expression Syntax - shortcuts Symbol Match d Any digit, short for [0-9] D A non-digit, short for [^0-9] s A whitespace character, short for [ tnx0brf] S A non-whitespace character, for short for [^s] w A word character, short for [a-zA-Z_0-9] W A non-word character [^w] S+ Several non-whitespace characters
Example 1 Validating SSN entry if ($input=~/^[0-9]{9}$/) Example 2 Validating entry of a last name if ($input=~/^[A-Za-z][-.'0-9A-Za-z]{1,256}$/) Example 3 Validating SSN entry (Short cut) if ($input=~/^d{9}$/) Examples 123-56-3454
Regular Expressions - Templates Field Expression Format Samples Description Name ^[a-zA-Z-'s]{1,40}$ John Doe Validates a name. Allows up to 40 uppercase and lowercase characters and a few special characters that are common to some names. You can modify this list. Social Security Number ^d{3}-d{2}-d{4}$ 111-11-1111 Validates the format, type, and length of the supplied input field. The input must consist of 3 numeric characters followed by a dash, then 2 numeric characters followed by a dash, and then 4 numeric characters. Phone Number ^[01]?[- .]?(([2-9]d{2})|[2- 9]d{2})[- .]?d{3}[- .]?d{4}$ (425) 555-0123 Validates a U.S. phone number. It must consist of 3 numeric characters, optionally enclosed in parentheses, followed by a set of 3 numeric characters and then a set of 4 numeric characters. E-mail ^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~- ]+@[a-zA-Z0-9-]+(?:.[a-zA-Z0-9- ]+)*$ someone@exampl e.com Validates an e-mail address. (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address). URL ^(ht|f)tp(s?)://[0-9a-zA-Z]([- .w]*[0-9a-zA-Z])*(:(0- 9)*)*(/?)([a-zA-Z0-9- .?,'/+&amp;%$#_]*)?$ http://www.micros oft.com Validates a URL ZIP Code ^(d{5}-d{4}|d{5}|d{9})$|^([a- zA-Z]d[a-zA-Z] d[a-zA-Z]d)$ 12345 Validates a U.S. ZIP Code. The code must consist of 5 or 9 numeric characters. Password (?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a- zA-Z0-9]{8,10})$ Validates a strong password. It must be between 8 and 10 characters, contain at least one digit and one alphabetic character, and must not contain special characters. Non- negative integer ^d+$ 0 Validates that the field contains an integer greater than zero. Currency (non- negative) ^d+(.dd)?$ 1 Validates a positive currency amount. If there is a decimal point, it requires 2 numeric characters after the decimal point. For example, 3.00 is valid but 3.1 is not. Currency (positive or negative) ^(-)?d+(.dd)?$ 1.2 Validates for a positive or negative currency amount. If there is a decimal point, it requires 2 numeric characters after the decimal point.
Regular Expressions Regular Expressions is a term used to refer to a pattern-matching technology for processing text Although there is no standards body governing the regular expression language, Perl 5, by virtue of its popularity, has set the standard for regular expression syntax A Regular Expression itself is a string that represents a pattern, encoded using the regular expression language and syntax
Regular Expression - Zend $validator = new Zend_Validate_Regex(array('pattern' => '/^Test/'); $validator->isValid("Test"); // returns true $validator->isValid("Testing"); // returns true $validator->isValid("Pest"); // returns false
Data Validation Techniques Validates against a regular expression representing the proper expected data format (10 alphanumeric characters) (.NET) using System.Text.RegularExpressions; static bool validateUserFormat(String userName) { bool isValid = false; //Fail by default // Verify that the UserName is 1-10 character alphanumeric isValid = Regex.IsMatch(userName, @"^[A-Za-z0-9]{10}$"); return isValid; }
Regular Expressions - assertions Assert a string is 8 or more characters: (?=.{8,}) Assert a string contains at least 1 lowercase letter (zero or more characters followed by a lowercase character): (?=.*[a-z]) Assert a string contains at least 1 uppercase letter (zero or more characters followed by an uppercase character): (?=.*[A-Z]) Assert a string contains at least 1 digit: (?=.*[d]) So if you want to match a string at least 6 characters long, with at least one lower case and at least one uppercase letter you could use something like: ^.*(?=.{6,})(?=.*[a-z])(?=.*[A-Z]).*$
Known Good Validation Example Validates against a regular expression representing the proper expected data format (10 alphanumeric characters) (Java) import java.util.regex.*; static boolean validateUserFormat(String userName){ boolean isValid = false; //Fail by default try{ // Verify that the UserName is 10 character alphanumeric if (Pattern.matches(“^[A-Za-z0-9]{10}$”, userName)) isValid=true; } catch(PatternSyntaxException e) { System.out.println(e.getDescription()); } return isValid; }
Known Good Example $validator = new Zend_Validate_Alnum(); if ($validator->isValid('Abcd12')) { // value contains only allowed chars } else { // false }
Known Good Example - Chains // Create a validator chain and add validators to it $validatorChain = new Zend_Validate(); $validatorChain->addValidator( new Zend_Validate_StringLength(array('min' => 6, 'max' => 12))) ->addValidator(new Zend_Validate_Alnum()); // Validate the username if ($validatorChain->isValid($username)) { // username passed validation } else { // username failed validation; print reasons or whatever….. foreach ($validatorChain->getMessages() as $message) { echo "$messagen"; }
Often called "BlackList" validation Data is validated against a list of characters that are deemed to be dangerous or unacceptable Useful for preventing specific characters from being accepted by the application Provides the weakest method of validation against malicious data Susceptible to bypass using various forms of character encoding Known Bad Validation Example: Validating entry into generic text field if ($input !~/[rtn><();+&%’”*|]/)
Known Bad Validation Example Validates against a regular expression of known bad input strings (.Net) using System.Text.RegularExpressions; static boolean checkMessage(string messageText){ bool isValid = false; //Fail by default // Verify input doesn’t contain any < , > isValid = !Regex.IsMatch(messageText, @"[><]"); return isValid; }
Known Bad Validation Example Validates against a regular expression of known bad input strings (Java) import java.util.regex.*; static boolean checkMessage (string messageText) { boolean isValid = false; //Fail by default try { Pattern P = Pattern.compile (“<|>”, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE); Matcher M = p.matcher(messageText); if (!M.find()) isValid = true; } catch(Exception e) { System.out.println(e.toString()); } return isValid; }
Bounds Checking All external input must also be properly validated to ensure that excessively large input is rejected Length checking: A maximum length check should be performed on all incoming application data. Careful about name length! Lokelani Keihanaikukauakahihuliheekahaunaele is a real person! Input that exceeds the appropriate length or size limits must be rejected and not processed by the application Size checking: A maximum size check should be performed on all incoming data files
The following code reads a String from a file. Because it uses the readLine() method, it will read an unbounded amount of input until a <newline> (n) charter is read. InputStream Input = inputfileFile.getInputStream(Entry); Reader inpReader = new InputStreamReader(Input); BufferedReader br = new BufferedReader(inpReader); String line = br.readLine(); This could be taken advantage of and cause an OutOfMemoryException or to consume a large amount of memory which shall affect performance and initiate costly garbage collection routines. Bounds Checking – Example Unbounded Reading of a file
Bounds checking $validator = new Zend_Validate_StringLength(array('max' => 6)); $validator->isValid("Test"); // returns true $validator->isValid("Testing"); // returns false
Bounds checking – File size $upload = new Zend_File_Transfer(); // Limit the size of all files to be uploaded to 40000 bytes $upload->addValidator('FilesSize', false, 40000); // Limit the size of all files to be uploaded to maximum 4MB and mimimum 10kB $upload->addValidator('FilesSize', false, array('min' => '10kB', 'max' => '4MB'));
.NET Validator Controls: RequiredFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator, CustomValidator, ValidateRequest Jakarta Commons Validator: required, mask, range, maxLength, minLength, datatype, date, creditCard, email, regularExpression Native Validation Controls Many development platforms have native validator controls, such as Jakarta and .NET
Escaping vs. Rejecting When validating data, one can either reject data failing to meet validation requirements or attempt to “clean” or escape dangerous characters Failed validation attempts should always reject the data to minimise the risk that sanitisation routines will be ineffective or can be bypassed Error messages displayed when rejecting data should specify the proper format for the user to enter appropriate data Error messages should not redisplay the input the user has entered
The Problem with Escaping --- Snip --- page_template = request.queryString("page") replace(page_template , "/", "") replace(page_template, "..", "") getFile(page_template) --- End Snip --- http://www.example.com/content/default.jsp?page=info.htm  Page_template = info.htm <- First Pass  Page_template = info.htm <- Second Pass http://www.example.com/content/default.jsp?page=../web.xml  Page_template = .. web.xml <- First Pass  Page_template = web.xml <- Second Pass http://www.example.com/content/default.jsp?page=....//web.xml  Page_template = ....web.xml <- First Pass  Page_template = ..web.xml <- Second Pass
Input Based Attacks Malicious user input can be used to launch a variety of attacks against an application. These attacks include, but are not limited to: Parameter Manipulation  Cookie poisoning  Hidden field manipulation Content injection  SQL  HTTP Response Splitting  Operating system calls  Command insertion  XPath Cross site scripting  … Buffer overflows  Format string attacks
Parameter Manipulation Applications typically pass parameters that determine what the user can do or see Unauthorised access to application data can be obtained by manipulating parameter values, if record-level authorisation checks are not performed within the application code Many applications tend to pass sensitive parameters back and forth rather than using server session variables to store the information Very common to see this in HTTP cookies “hidden” HTML form fields
Parameter Manipulation Database record index numbers are often passed as page parameters to view a specific record If there is a relatively small range of possible index values, sequential parameter values can by cycled to view other records Even-non sequential indexing can be attacked within a small range of potential values Manipulating parameter values can be trivial when other obvious valid Values exist: Username=joe (change to username=mary) Privilege=user (change to privilege=admin) Price=100.00 (change to price=1.00)
Testing for Parameter Manipulation Identify areas in the application where records appear to be displayed based on input parameters Attempt to access records using other known valid parameter values For parameter values that seem to fall within a variable range, cycle through the range to search for other valid records Identify all data being passed in hidden fields. Attempt to determine: What the data is being used for Whether use of a hidden field seems appropriate
Defenses Against Parameter Manipulation Data that should not be altered should never be passed to the client Always perform validation on the server Use the most restrictive input validation method possible Use Exact Match Validation to verify that parameters values are appropriate for the specific transaction or user’s permission level In situations where a query or hash table lookup is required, Known Good Validation should be used to validate the parameter before performing the lookup Retrieve the information from the client once, validate it and keep it on the server associated with that user’s session
Summary Don’t ever trust user input Where possible, use whitelist validation Perform input validation at earliest possible stage Layers of defense Use in-built validator routines
Ad

Recommended

Input Validation
Input ValidationInput Validation
Input Validation
primeteacher32
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
Raghav Bisht
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
AbhayNaik8
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
Prachi Gulihar
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
How To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | EdurekaHow To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | Edureka
Edureka!
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
Data structures
Data structuresData structures
Data structures
Manaswi Sharma
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
8 Access Control
8 Access Control8 Access Control
8 Access Control
Alfred Ouyang
 
Solving Labs for Common Web Vulnerabilities
Solving Labs for Common Web VulnerabilitiesSolving Labs for Common Web Vulnerabilities
Solving Labs for Common Web Vulnerabilities
jatniwalafizza786
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Aditya Vikram Singhania
 
Program security
Program securityProgram security
Program security
Prachi Gulihar
 
C# Exceptions Handling
C# Exceptions Handling C# Exceptions Handling
C# Exceptions Handling
sharqiyem
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
Wajahat Rajab
 
Equivalence partinioning and boundary value analysis
Equivalence partinioning and boundary value analysisEquivalence partinioning and boundary value analysis
Equivalence partinioning and boundary value analysis
niharika5412
 
Security models
Security models Security models
Security models
LJ PROJECTS
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
Form Validation
Form ValidationForm Validation
Form Validation
Graeme Smith
 
Web forms and server side scripting
Web forms and server side scriptingWeb forms and server side scripting
Web forms and server side scripting
sawsan slii
 

More Related Content

What's hot (20)

penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
AbhayNaik8
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
Prachi Gulihar
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
How To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | EdurekaHow To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | Edureka
Edureka!
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
Data structures
Data structuresData structures
Data structures
Manaswi Sharma
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
8 Access Control
8 Access Control8 Access Control
8 Access Control
Alfred Ouyang
 
Solving Labs for Common Web Vulnerabilities
Solving Labs for Common Web VulnerabilitiesSolving Labs for Common Web Vulnerabilities
Solving Labs for Common Web Vulnerabilities
jatniwalafizza786
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Aditya Vikram Singhania
 
Program security
Program securityProgram security
Program security
Prachi Gulihar
 
C# Exceptions Handling
C# Exceptions Handling C# Exceptions Handling
C# Exceptions Handling
sharqiyem
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
Wajahat Rajab
 
Equivalence partinioning and boundary value analysis
Equivalence partinioning and boundary value analysisEquivalence partinioning and boundary value analysis
Equivalence partinioning and boundary value analysis
niharika5412
 
Security models
Security models Security models
Security models
LJ PROJECTS
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
AbhayNaik8
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
Prachi Gulihar
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
How To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | EdurekaHow To Write A Test Case In Software Testing | Edureka
How To Write A Test Case In Software Testing | Edureka
Edureka!
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
Data structures
Data structuresData structures
Data structures
Manaswi Sharma
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
8 Access Control
8 Access Control8 Access Control
8 Access Control
Alfred Ouyang
 
Solving Labs for Common Web Vulnerabilities
Solving Labs for Common Web VulnerabilitiesSolving Labs for Common Web Vulnerabilities
Solving Labs for Common Web Vulnerabilities
jatniwalafizza786
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Aditya Vikram Singhania
 
Program security
Program securityProgram security
Program security
Prachi Gulihar
 
C# Exceptions Handling
C# Exceptions Handling C# Exceptions Handling
C# Exceptions Handling
sharqiyem
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
Wajahat Rajab
 
Equivalence partinioning and boundary value analysis
Equivalence partinioning and boundary value analysisEquivalence partinioning and boundary value analysis
Equivalence partinioning and boundary value analysis
niharika5412
 
Security models
Security models Security models
Security models
LJ PROJECTS
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 

Viewers also liked (20)

Form Validation
Form ValidationForm Validation
Form Validation
Graeme Smith
 
Web forms and server side scripting
Web forms and server side scriptingWeb forms and server side scripting
Web forms and server side scripting
sawsan slii
 
Form Validation in JavaScript
Form Validation in JavaScriptForm Validation in JavaScript
Form Validation in JavaScript
Ravi Bhadauria
 
1 - Designing A Site
1 - Designing A Site1 - Designing A Site
1 - Designing A Site
Graeme Smith
 
Flex security
Flex securityFlex security
Flex security
chengalva
 
Javascript validation assignment
Javascript validation assignmentJavascript validation assignment
Javascript validation assignment
H K
 
JavaScript
JavaScriptJavaScript
JavaScript
Bharti Gupta
 
Business Interfaces using Virtual Objects, Visual-Force Forms and JavaScript
Business Interfaces using Virtual Objects, Visual-Force Forms and JavaScriptBusiness Interfaces using Virtual Objects, Visual-Force Forms and JavaScript
Business Interfaces using Virtual Objects, Visual-Force Forms and JavaScript
Salesforce Developers
 
HTML5
HTML5HTML5
HTML5
Doncho Minkov
 
HTML5 Mullet: Forms & Input Validation
HTML5 Mullet: Forms & Input ValidationHTML5 Mullet: Forms & Input Validation
HTML5 Mullet: Forms & Input Validation
Todd Anglin
 
Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication Protocols
Trinity Dwarka
 
Javascript validating form
Javascript validating formJavascript validating form
Javascript validating form
Jesus Obenita Jr.
 
Validation rule, validation text and input masks
Validation rule, validation text and input masksValidation rule, validation text and input masks
Validation rule, validation text and input masks
fizahPhd
 
Ch3 server controls
Ch3 server controlsCh3 server controls
Ch3 server controls
Madhuri Kavade
 
HTML5 JavaScript APIs
HTML5 JavaScript APIsHTML5 JavaScript APIs
HTML5 JavaScript APIs
Remy Sharp
 
8 Authentication Security Protocols
8 Authentication Security Protocols8 Authentication Security Protocols
8 Authentication Security Protocols
guestfbf635
 
Java script ppt
Java script pptJava script ppt
Java script ppt
The Health and Social Care Information Centre
 
Javascript Best Practices
Javascript Best PracticesJavascript Best Practices
Javascript Best Practices
Christian Heilmann
 
Slideshare.Com Powerpoint
Slideshare.Com PowerpointSlideshare.Com Powerpoint
Slideshare.Com Powerpoint
guested929b
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of Work
Volker Hirsch
 
Form Validation
Form ValidationForm Validation
Form Validation
Graeme Smith
 
Web forms and server side scripting
Web forms and server side scriptingWeb forms and server side scripting
Web forms and server side scripting
sawsan slii
 
Form Validation in JavaScript
Form Validation in JavaScriptForm Validation in JavaScript
Form Validation in JavaScript
Ravi Bhadauria
 
1 - Designing A Site
1 - Designing A Site1 - Designing A Site
1 - Designing A Site
Graeme Smith
 
Flex security
Flex securityFlex security
Flex security
chengalva
 
Javascript validation assignment
Javascript validation assignmentJavascript validation assignment
Javascript validation assignment
H K
 
JavaScript
JavaScriptJavaScript
JavaScript
Bharti Gupta
 
Business Interfaces using Virtual Objects, Visual-Force Forms and JavaScript
Business Interfaces using Virtual Objects, Visual-Force Forms and JavaScriptBusiness Interfaces using Virtual Objects, Visual-Force Forms and JavaScript
Business Interfaces using Virtual Objects, Visual-Force Forms and JavaScript
Salesforce Developers
 
HTML5
HTML5HTML5
HTML5
Doncho Minkov
 
HTML5 Mullet: Forms & Input Validation
HTML5 Mullet: Forms & Input ValidationHTML5 Mullet: Forms & Input Validation
HTML5 Mullet: Forms & Input Validation
Todd Anglin
 
Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication Protocols
Trinity Dwarka
 
Javascript validating form
Javascript validating formJavascript validating form
Javascript validating form
Jesus Obenita Jr.
 
Validation rule, validation text and input masks
Validation rule, validation text and input masksValidation rule, validation text and input masks
Validation rule, validation text and input masks
fizahPhd
 
Ch3 server controls
Ch3 server controlsCh3 server controls
Ch3 server controls
Madhuri Kavade
 
HTML5 JavaScript APIs
HTML5 JavaScript APIsHTML5 JavaScript APIs
HTML5 JavaScript APIs
Remy Sharp
 
8 Authentication Security Protocols
8 Authentication Security Protocols8 Authentication Security Protocols
8 Authentication Security Protocols
guestfbf635
 
Java script ppt
Java script pptJava script ppt
Java script ppt
The Health and Social Care Information Centre
 
Javascript Best Practices
Javascript Best PracticesJavascript Best Practices
Javascript Best Practices
Christian Heilmann
 
Slideshare.Com Powerpoint
Slideshare.Com PowerpointSlideshare.Com Powerpoint
Slideshare.Com Powerpoint
guested929b
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of Work
Volker Hirsch
 
Ad

Similar to 02. input validation module v5 (20)

Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
Eoin Keary
 
Validation
ValidationValidation
Validation
Emaax Amjad
 
Manage Your Data In A B-Boy Stance
Manage Your Data In A B-Boy StanceManage Your Data In A B-Boy Stance
Manage Your Data In A B-Boy Stance
John Anderson
 
Regular expressions
Regular expressionsRegular expressions
Regular expressions
Brij Kishore
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
Blueinfy Solutions
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
/Regex makes me want to (weep|give up|(╯°□°)╯︵ ┻━┻)\.?/i
/Regex makes me want to (weep|give up|(╯°□°)╯︵ ┻━┻)\.?/i/Regex makes me want to (weep|give up|(╯°□°)╯︵ ┻━┻)\.?/i
/Regex makes me want to (weep|give up|(╯°□°)╯︵ ┻━┻)\.?/i
brettflorio
 
File Security And Integrity 03 March 08
File Security And Integrity 03 March 08File Security And Integrity 03 March 08
File Security And Integrity 03 March 08
uzdee
 
Form validation server side
Form validation server side Form validation server side
Form validation server side
Mudasir Syed
 
regex_presentation.pptx
regex_presentation.pptxregex_presentation.pptx
regex_presentation.pptx
BeBetter4
 
JavaScript Regular Expression Match
JavaScript Regular Expression MatchJavaScript Regular Expression Match
JavaScript Regular Expression Match
raj upadhyay
 
Regular expression presentation for the HUB
Regular expression presentation for the HUBRegular expression presentation for the HUB
Regular expression presentation for the HUB
thehoagie
 
Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012
Michelangelo van Dam
 
Don't Trust Your Users
Don't Trust Your UsersDon't Trust Your Users
Don't Trust Your Users
Chris Tankersley
 
Java Regular Expression PART II
Java Regular Expression PART IIJava Regular Expression PART II
Java Regular Expression PART II
Abdul Rahman Sherzad
 
Java Regular Expression PART II
Java Regular Expression PART IIJava Regular Expression PART II
Java Regular Expression PART II
OXUS 20
 
regex.ppt
regex.pptregex.ppt
regex.ppt
ansariparveen06
 
Regular Expressions 2007
Regular Expressions 2007Regular Expressions 2007
Regular Expressions 2007
Geoffrey Dunn
 
Workshop quality assurance for php projects tek12
Workshop quality assurance for php projects tek12Workshop quality assurance for php projects tek12
Workshop quality assurance for php projects tek12
Michelangelo van Dam
 
/Regex makes me want to (weep_give up_(╯°□°)╯︵ ┻━┻)/i (for 2024 CascadiaPHP)
/Regex makes me want to (weep_give up_(╯°□°)╯︵ ┻━┻)/i (for 2024 CascadiaPHP)/Regex makes me want to (weep_give up_(╯°□°)╯︵ ┻━┻)/i (for 2024 CascadiaPHP)
/Regex makes me want to (weep_give up_(╯°□°)╯︵ ┻━┻)/i (for 2024 CascadiaPHP)
brettflorio
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
Eoin Keary
 
Validation
ValidationValidation
Validation
Emaax Amjad
 
Manage Your Data In A B-Boy Stance
Manage Your Data In A B-Boy StanceManage Your Data In A B-Boy Stance
Manage Your Data In A B-Boy Stance
John Anderson
 
Regular expressions
Regular expressionsRegular expressions
Regular expressions
Brij Kishore
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
Blueinfy Solutions
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
/Regex makes me want to (weep|give up|(╯°□°)╯︵ ┻━┻)\.?/i
/Regex makes me want to (weep|give up|(╯°□°)╯︵ ┻━┻)\.?/i/Regex makes me want to (weep|give up|(╯°□°)╯︵ ┻━┻)\.?/i
/Regex makes me want to (weep|give up|(╯°□°)╯︵ ┻━┻)\.?/i
brettflorio
 
File Security And Integrity 03 March 08
File Security And Integrity 03 March 08File Security And Integrity 03 March 08
File Security And Integrity 03 March 08
uzdee
 
Form validation server side
Form validation server side Form validation server side
Form validation server side
Mudasir Syed
 
regex_presentation.pptx
regex_presentation.pptxregex_presentation.pptx
regex_presentation.pptx
BeBetter4
 
JavaScript Regular Expression Match
JavaScript Regular Expression MatchJavaScript Regular Expression Match
JavaScript Regular Expression Match
raj upadhyay
 
Regular expression presentation for the HUB
Regular expression presentation for the HUBRegular expression presentation for the HUB
Regular expression presentation for the HUB
thehoagie
 
Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012
Michelangelo van Dam
 
Don't Trust Your Users
Don't Trust Your UsersDon't Trust Your Users
Don't Trust Your Users
Chris Tankersley
 
Java Regular Expression PART II
Java Regular Expression PART IIJava Regular Expression PART II
Java Regular Expression PART II
Abdul Rahman Sherzad
 
Java Regular Expression PART II
Java Regular Expression PART IIJava Regular Expression PART II
Java Regular Expression PART II
OXUS 20
 
regex.ppt
regex.pptregex.ppt
regex.ppt
ansariparveen06
 
Regular Expressions 2007
Regular Expressions 2007Regular Expressions 2007
Regular Expressions 2007
Geoffrey Dunn
 
Workshop quality assurance for php projects tek12
Workshop quality assurance for php projects tek12Workshop quality assurance for php projects tek12
Workshop quality assurance for php projects tek12
Michelangelo van Dam
 
/Regex makes me want to (weep_give up_(╯°□°)╯︵ ┻━┻)/i (for 2024 CascadiaPHP)
/Regex makes me want to (weep_give up_(╯°□°)╯︵ ┻━┻)/i (for 2024 CascadiaPHP)/Regex makes me want to (weep_give up_(╯°□°)╯︵ ┻━┻)/i (for 2024 CascadiaPHP)
/Regex makes me want to (weep_give up_(╯°□°)╯︵ ┻━┻)/i (for 2024 CascadiaPHP)
brettflorio
 
Ad

More from Eoin Keary (20)

IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
Eoin Keary
 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdf
Eoin Keary
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdf
Eoin Keary
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
Eoin Keary
 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats Report
Eoin Keary
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
Eoin Keary
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
Eoin Keary
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
Eoin Keary
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
Eoin Keary
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
Eoin Keary
 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of change
Eoin Keary
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Eoin Keary
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
Eoin Keary
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
Eoin Keary
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
Eoin Keary
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
Eoin Keary
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud version
Eoin Keary
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
Eoin Keary
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbers
Eoin Keary
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
Eoin Keary
 
IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
Eoin Keary
 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdf
Eoin Keary
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdf
Eoin Keary
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
Eoin Keary
 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats Report
Eoin Keary
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
Eoin Keary
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
Eoin Keary
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
Eoin Keary
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
Eoin Keary
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
Eoin Keary
 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of change
Eoin Keary
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Eoin Keary
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
Eoin Keary
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
Eoin Keary
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
Eoin Keary
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
Eoin Keary
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud version
Eoin Keary
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
Eoin Keary
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbers
Eoin Keary
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
Eoin Keary
 

Recently uploaded (17)

ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676
areebaimtiazpmas
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
MOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary detailsMOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary details
benamorraj
 
Vigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptxVigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptx
secretarysocom
 
Internet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptxInternet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptx
cshumerabashir
 
Google_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptxGoogle_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptx
ektadangwal2005
 
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxInter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
secretarysocom
 
10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx
EphraimOOghodero
 
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
Taqyea
 
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
CartCoders
 
Networking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptxNetworking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptx
elestirmen
 
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfPredicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Behzad Hussain
 
3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx
islamicknowledge5224
 
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animationUV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
17218
 
Cloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptxCloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptx
islamicknowledge5224
 
How to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real TalkHow to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real Talk
Cam Sites Expert
 
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
treyka
 
ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676
areebaimtiazpmas
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
MOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary detailsMOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary details
benamorraj
 
Vigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptxVigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptx
secretarysocom
 
Internet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptxInternet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptx
cshumerabashir
 
Google_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptxGoogle_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptx
ektadangwal2005
 
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxInter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
secretarysocom
 
10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx
EphraimOOghodero
 
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
Taqyea
 
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
CartCoders
 
Networking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptxNetworking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptx
elestirmen
 
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfPredicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Behzad Hussain
 
3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx
islamicknowledge5224
 
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animationUV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
17218
 
Cloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptxCloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptx
islamicknowledge5224
 
How to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real TalkHow to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real Talk
Cam Sites Expert
 
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
treyka
 

02. input validation module v5

  • 1. Input Validation Eoin Keary CTO BCC Risk Advisory www.bccriskadvisory.com www.edgescan.com
  • 2. Where are we going? Don’t ever trust user input Where possible, use whitelist validation Perform input validation at earliest possible stage Layers of defense Use in-built validator routines
  • 3. Data Validation Input that is not directly entered by the user is typically less prone to validation Attacks discussed in this section apply to external input from any client-side source Standard form input control Read-only HTML form controls (drop down lists, radio buttons, hidden fields, etc) HTTP Cookie Values HTTP Headers Embedded URL parameters (e.g., in the GET request)
  • 4. Data Validation Known Bad Known Good Exact Match  Data Validation is typically done using one of three basic approaches  All input must be properly validated on the server (not the client) to ensure that malicious data is not accepted and processed by the application
  • 5. Data is validated against a list of explicit known values Application footprint or “application attack surface” defined Provides the strongest level of protection against malicious data Often not feasible when a large number of possible good values are expected May require code modification any time input values are changed or updated Exact Match Validation Example: Acceptable input is yes or no if ($input eq“yes” or $input eq “no”)
  • 6. Exact Match Validation Example Validates the variable gender against 2 known values (.NET) static bool validateGender(String gender) { if (gender.equals(“Female“)) return true; else if (gender.equals(“Male“)) return true; else return false; //attack SOUND THE ALARM! BEEP BEEP! }
  • 7. Exact Match Validation Example Validates the variable gender against 2 known values (Java) static boolean validateGender (String gender) { if (gender.equals (“Female“)) return true; else if (gender.equals (“Male“)) return true; else return false; //attack }
  • 8. Known Good Validation Often called "white list" validation Data is validated against a list of allowable characters and patterns Typically implemented using regular expressions to match known good data patterns Data type cast/convert functions can be used to verify data conforms to a certain data type (i.e. Int32) Expected input character values must be clearly defined for each input variable Care must be taken if complex regular expressions are used A common mistake is to forget to anchor the expression with ^ and $
  • 9. Regular Expression Syntax Symbol Match ^ Beginning of input string $ End of input string * Zero or more occurrences of previous character, short for {0,} + One or more occurrences of previous character, short for {1,} ? Zero or one occurrences of previous character, short for {0,1} {n,m} At least n and at most m occurrences of previous character . Any single character, except ‘n’ [xyz] A character set (i.e. any one of the enclosed characters) [^xyz] A negative character set (i.e. any character except the enclosed) [a-z] A range of characters
  • 10. Regular Expression Syntax - shortcuts Symbol Match d Any digit, short for [0-9] D A non-digit, short for [^0-9] s A whitespace character, short for [ tnx0brf] S A non-whitespace character, for short for [^s] w A word character, short for [a-zA-Z_0-9] W A non-word character [^w] S+ Several non-whitespace characters
  • 11. Example 1 Validating SSN entry if ($input=~/^[0-9]{9}$/) Example 2 Validating entry of a last name if ($input=~/^[A-Za-z][-.'0-9A-Za-z]{1,256}$/) Example 3 Validating SSN entry (Short cut) if ($input=~/^d{9}$/) Examples 123-56-3454
  • 12. Regular Expressions - Templates Field Expression Format Samples Description Name ^[a-zA-Z-'s]{1,40}$ John Doe Validates a name. Allows up to 40 uppercase and lowercase characters and a few special characters that are common to some names. You can modify this list. Social Security Number ^d{3}-d{2}-d{4}$ 111-11-1111 Validates the format, type, and length of the supplied input field. The input must consist of 3 numeric characters followed by a dash, then 2 numeric characters followed by a dash, and then 4 numeric characters. Phone Number ^[01]?[- .]?(([2-9]d{2})|[2- 9]d{2})[- .]?d{3}[- .]?d{4}$ (425) 555-0123 Validates a U.S. phone number. It must consist of 3 numeric characters, optionally enclosed in parentheses, followed by a set of 3 numeric characters and then a set of 4 numeric characters. E-mail ^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~- ]+@[a-zA-Z0-9-]+(?:.[a-zA-Z0-9- ]+)*$ someone@exampl e.com Validates an e-mail address. (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address). URL ^(ht|f)tp(s?)://[0-9a-zA-Z]([- .w]*[0-9a-zA-Z])*(:(0- 9)*)*(/?)([a-zA-Z0-9- .?,'/+&amp;%$#_]*)?$ http://www.micros oft.com Validates a URL ZIP Code ^(d{5}-d{4}|d{5}|d{9})$|^([a- zA-Z]d[a-zA-Z] d[a-zA-Z]d)$ 12345 Validates a U.S. ZIP Code. The code must consist of 5 or 9 numeric characters. Password (?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a- zA-Z0-9]{8,10})$ Validates a strong password. It must be between 8 and 10 characters, contain at least one digit and one alphabetic character, and must not contain special characters. Non- negative integer ^d+$ 0 Validates that the field contains an integer greater than zero. Currency (non- negative) ^d+(.dd)?$ 1 Validates a positive currency amount. If there is a decimal point, it requires 2 numeric characters after the decimal point. For example, 3.00 is valid but 3.1 is not. Currency (positive or negative) ^(-)?d+(.dd)?$ 1.2 Validates for a positive or negative currency amount. If there is a decimal point, it requires 2 numeric characters after the decimal point.
  • 13. Regular Expressions Regular Expressions is a term used to refer to a pattern-matching technology for processing text Although there is no standards body governing the regular expression language, Perl 5, by virtue of its popularity, has set the standard for regular expression syntax A Regular Expression itself is a string that represents a pattern, encoded using the regular expression language and syntax
  • 14. Regular Expression - Zend $validator = new Zend_Validate_Regex(array('pattern' => '/^Test/'); $validator->isValid("Test"); // returns true $validator->isValid("Testing"); // returns true $validator->isValid("Pest"); // returns false
  • 15. Data Validation Techniques Validates against a regular expression representing the proper expected data format (10 alphanumeric characters) (.NET) using System.Text.RegularExpressions; static bool validateUserFormat(String userName) { bool isValid = false; //Fail by default // Verify that the UserName is 1-10 character alphanumeric isValid = Regex.IsMatch(userName, @"^[A-Za-z0-9]{10}$"); return isValid; }
  • 16. Regular Expressions - assertions Assert a string is 8 or more characters: (?=.{8,}) Assert a string contains at least 1 lowercase letter (zero or more characters followed by a lowercase character): (?=.*[a-z]) Assert a string contains at least 1 uppercase letter (zero or more characters followed by an uppercase character): (?=.*[A-Z]) Assert a string contains at least 1 digit: (?=.*[d]) So if you want to match a string at least 6 characters long, with at least one lower case and at least one uppercase letter you could use something like: ^.*(?=.{6,})(?=.*[a-z])(?=.*[A-Z]).*$
  • 17. Known Good Validation Example Validates against a regular expression representing the proper expected data format (10 alphanumeric characters) (Java) import java.util.regex.*; static boolean validateUserFormat(String userName){ boolean isValid = false; //Fail by default try{ // Verify that the UserName is 10 character alphanumeric if (Pattern.matches(“^[A-Za-z0-9]{10}$”, userName)) isValid=true; } catch(PatternSyntaxException e) { System.out.println(e.getDescription()); } return isValid; }
  • 18. Known Good Example $validator = new Zend_Validate_Alnum(); if ($validator->isValid('Abcd12')) { // value contains only allowed chars } else { // false }
  • 19. Known Good Example - Chains // Create a validator chain and add validators to it $validatorChain = new Zend_Validate(); $validatorChain->addValidator( new Zend_Validate_StringLength(array('min' => 6, 'max' => 12))) ->addValidator(new Zend_Validate_Alnum()); // Validate the username if ($validatorChain->isValid($username)) { // username passed validation } else { // username failed validation; print reasons or whatever….. foreach ($validatorChain->getMessages() as $message) { echo "$messagen"; }
  • 20. Often called "BlackList" validation Data is validated against a list of characters that are deemed to be dangerous or unacceptable Useful for preventing specific characters from being accepted by the application Provides the weakest method of validation against malicious data Susceptible to bypass using various forms of character encoding Known Bad Validation Example: Validating entry into generic text field if ($input !~/[rtn><();+&%’”*|]/)
  • 21. Known Bad Validation Example Validates against a regular expression of known bad input strings (.Net) using System.Text.RegularExpressions; static boolean checkMessage(string messageText){ bool isValid = false; //Fail by default // Verify input doesn’t contain any < , > isValid = !Regex.IsMatch(messageText, @"[><]"); return isValid; }
  • 22. Known Bad Validation Example Validates against a regular expression of known bad input strings (Java) import java.util.regex.*; static boolean checkMessage (string messageText) { boolean isValid = false; //Fail by default try { Pattern P = Pattern.compile (“<|>”, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE); Matcher M = p.matcher(messageText); if (!M.find()) isValid = true; } catch(Exception e) { System.out.println(e.toString()); } return isValid; }
  • 23. Bounds Checking All external input must also be properly validated to ensure that excessively large input is rejected Length checking: A maximum length check should be performed on all incoming application data. Careful about name length! Lokelani Keihanaikukauakahihuliheekahaunaele is a real person! Input that exceeds the appropriate length or size limits must be rejected and not processed by the application Size checking: A maximum size check should be performed on all incoming data files
  • 24. The following code reads a String from a file. Because it uses the readLine() method, it will read an unbounded amount of input until a <newline> (n) charter is read. InputStream Input = inputfileFile.getInputStream(Entry); Reader inpReader = new InputStreamReader(Input); BufferedReader br = new BufferedReader(inpReader); String line = br.readLine(); This could be taken advantage of and cause an OutOfMemoryException or to consume a large amount of memory which shall affect performance and initiate costly garbage collection routines. Bounds Checking – Example Unbounded Reading of a file
  • 25. Bounds checking $validator = new Zend_Validate_StringLength(array('max' => 6)); $validator->isValid("Test"); // returns true $validator->isValid("Testing"); // returns false
  • 26. Bounds checking – File size $upload = new Zend_File_Transfer(); // Limit the size of all files to be uploaded to 40000 bytes $upload->addValidator('FilesSize', false, 40000); // Limit the size of all files to be uploaded to maximum 4MB and mimimum 10kB $upload->addValidator('FilesSize', false, array('min' => '10kB', 'max' => '4MB'));
  • 27. .NET Validator Controls: RequiredFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator, CustomValidator, ValidateRequest Jakarta Commons Validator: required, mask, range, maxLength, minLength, datatype, date, creditCard, email, regularExpression Native Validation Controls Many development platforms have native validator controls, such as Jakarta and .NET
  • 28. Escaping vs. Rejecting When validating data, one can either reject data failing to meet validation requirements or attempt to “clean” or escape dangerous characters Failed validation attempts should always reject the data to minimise the risk that sanitisation routines will be ineffective or can be bypassed Error messages displayed when rejecting data should specify the proper format for the user to enter appropriate data Error messages should not redisplay the input the user has entered
  • 29. The Problem with Escaping --- Snip --- page_template = request.queryString("page") replace(page_template , "/", "") replace(page_template, "..", "") getFile(page_template) --- End Snip --- http://www.example.com/content/default.jsp?page=info.htm  Page_template = info.htm <- First Pass  Page_template = info.htm <- Second Pass http://www.example.com/content/default.jsp?page=../web.xml  Page_template = .. web.xml <- First Pass  Page_template = web.xml <- Second Pass http://www.example.com/content/default.jsp?page=....//web.xml  Page_template = ....web.xml <- First Pass  Page_template = ..web.xml <- Second Pass
  • 30. Input Based Attacks Malicious user input can be used to launch a variety of attacks against an application. These attacks include, but are not limited to: Parameter Manipulation  Cookie poisoning  Hidden field manipulation Content injection  SQL  HTTP Response Splitting  Operating system calls  Command insertion  XPath Cross site scripting  … Buffer overflows  Format string attacks
  • 31. Parameter Manipulation Applications typically pass parameters that determine what the user can do or see Unauthorised access to application data can be obtained by manipulating parameter values, if record-level authorisation checks are not performed within the application code Many applications tend to pass sensitive parameters back and forth rather than using server session variables to store the information Very common to see this in HTTP cookies “hidden” HTML form fields
  • 32. Parameter Manipulation Database record index numbers are often passed as page parameters to view a specific record If there is a relatively small range of possible index values, sequential parameter values can by cycled to view other records Even-non sequential indexing can be attacked within a small range of potential values Manipulating parameter values can be trivial when other obvious valid Values exist: Username=joe (change to username=mary) Privilege=user (change to privilege=admin) Price=100.00 (change to price=1.00)
  • 33. Testing for Parameter Manipulation Identify areas in the application where records appear to be displayed based on input parameters Attempt to access records using other known valid parameter values For parameter values that seem to fall within a variable range, cycle through the range to search for other valid records Identify all data being passed in hidden fields. Attempt to determine: What the data is being used for Whether use of a hidden field seems appropriate
  • 34. Defenses Against Parameter Manipulation Data that should not be altered should never be passed to the client Always perform validation on the server Use the most restrictive input validation method possible Use Exact Match Validation to verify that parameters values are appropriate for the specific transaction or user’s permission level In situations where a query or hash table lookup is required, Known Good Validation should be used to validate the parameter before performing the lookup Retrieve the information from the client once, validate it and keep it on the server associated with that user’s session
  • 35. Summary Don’t ever trust user input Where possible, use whitelist validation Perform input validation at earliest possible stage Layers of defense Use in-built validator routines

Editor's Notes

  • #2: 1
  • #9: ^ (Caret) Matches at the start of the string the regex pattern is applied to. $ (dollar) Matches at the end of the string the regex pattern is applied to.
  • #16: Set up a mask for certain types of fields
  • #21: It’s very difficult to list all known bad input – harder to protect against potential future problems.
  • #24: Strings – especially in C-based applications Numbers – negative numbers may have unintended consequences .NET Web.config <httpRuntime maxRequestLength="2048" /> C#   if (Upload.PostedFile.ContentLength < 1048576){… J2EE: struts-config.xml: <controller maxFileSize="2M" />